Core Code
Core Code Modern Dev Handbook
APPLICATION-SECURITY Contents
Security Foundations for Production Apps
Threat Modeling (Practical, Repeatable) OWASP Top 10 (Operator Lens) Defense in Depth (Layered Controls That Hold) Security Baselines and Checklists (What “Good” Looks Like) Secrets in Apps (Storage, Injection, Rotation) Logging Sensitive Data (Pitfalls and Redaction) Rate Limiting Patterns (Abuse and Resilience) Abuse Prevention (Bots, Fraud, Enumeration) HTTPS & TLS Realities (HSTS, Termination, Cert Ops) Secure Headers Baseline (Production Defaults)
Identity, Authentication, and Sessions
Sessions vs JWT (Production Tradeoffs) JWT Attack Patterns and Validation Pitfalls Password Hashing Ops (bcrypt/argon2 Parameters) OAuth2 Flows in Practice (Auth Code + PKCE) OIDC Internals (Discovery, JWKS, Claims) Token Revocation Strategies (What Actually Works) Refresh Token Abuse and Rotation Defenses API Key Management (Issuance, Rotation, Scoping) mTLS Basics (Service-to-Service Identity) Identity Boundary Design (Trust Zones)
Web Attacks and Practical Defenses
XSS in Production (Exploit Paths and CSP Hardening) CSRF (SameSite Reality vs Token Defenses) SSRF (Cloud Metadata Abuse and Egress Controls) Clickjacking (Frame Controls and UI Redress) SQL Injection (Production Defense Patterns) CORS Misconfigurations (Real-World Impact) CSP Practical Recipes (Deployable Policies) Secure Cookie Patterns (HttpOnly, Secure, SameSite) Request Validation Patterns (What to Validate Where) File Upload Hardening (Content Sniffing, AV, Storage)
Secure Delivery, Hardening, and Incident Response
Secure SDLC (Gates That Don’t Kill Delivery) Dependency Risks (Vulns, Updates, Policies) App Supply Chain (Lockfiles, Pinning, Review) Configuration Hardening (Safe Defaults Checklist) Security Monitoring Signals (Auth, Data, Network) Security Alert Design (Noise, Triage, Escalation) WAF Realities (What It Stops and What It Doesn’t) Credential Leak Runbook (Keys, Tokens, Passwords) Compromised Token Runbook (JWT/OAuth Sessions) Security Incident Response (Contain, Eradicate, Recover)

Security Baselines and Checklists (What “Good” Looks Like)

Define a production security baseline: configs, headers, secrets handling, logging, dependency policy, and a release gate checklist.
On this page

Why Baselines

Most incidents come from drift and inconsistent defaults. A baseline makes secure behavior the default and regressions visible.

Baseline Areas

  • Transport: TLS only, HSTS, correct proxy headers.
  • Browser surface: security headers + CSP where applicable.
  • Auth: MFA for admins, secure cookies, session expiry, brute-force controls.
  • Secrets: no secrets in repo, rotation procedure, environment injection rules.
  • Logging: structured logs, no secrets/PII leakage, retention policy.
  • Dependencies: patch cadence, lockfiles, vulnerability scanning gate.

Release Gate Checklist (Minimal)

Release gate:
- Headers smoke test passes
- CORS policy test passes
- AuthZ regression tests pass
- Dependency scan: no critical/high allowed (policy-based)
- Secret scan: no new secrets committed
- Admin endpoints require MFA (where applicable)

Drift Detection

  • Snapshot critical configs (reverse proxy, app env, IdP settings) and review diffs.
  • Run header and TLS checks as cron + CI.

Example: Header Baseline Smoke Test

curl -sS -D - https://app.example.com/ -o /dev/null | egrep -i 
"strict-transport-security|content-security-policy|x-frame-options|x-content-type-options|referrer-policy"

Example: TLS Sanity Check

# Requires openssl
echo | openssl s_client -connect app.example.com:443 -servername app.example.com 2>/dev/null 
| openssl x509 -noout -dates -issuer -subject
Secrets in Apps (Storage, Injection, Rotation) →