Core Code
Core Code Modern Dev Handbook
APPLICATION-SECURITY Contents
Security Foundations for Production Apps
Threat Modeling (Practical, Repeatable) OWASP Top 10 (Operator Lens) Defense in Depth (Layered Controls That Hold) Security Baselines and Checklists (What “Good” Looks Like) Secrets in Apps (Storage, Injection, Rotation) Logging Sensitive Data (Pitfalls and Redaction) Rate Limiting Patterns (Abuse and Resilience) Abuse Prevention (Bots, Fraud, Enumeration) HTTPS & TLS Realities (HSTS, Termination, Cert Ops) Secure Headers Baseline (Production Defaults)
Identity, Authentication, and Sessions
Sessions vs JWT (Production Tradeoffs) JWT Attack Patterns and Validation Pitfalls Password Hashing Ops (bcrypt/argon2 Parameters) OAuth2 Flows in Practice (Auth Code + PKCE) OIDC Internals (Discovery, JWKS, Claims) Token Revocation Strategies (What Actually Works) Refresh Token Abuse and Rotation Defenses API Key Management (Issuance, Rotation, Scoping) mTLS Basics (Service-to-Service Identity) Identity Boundary Design (Trust Zones)
Web Attacks and Practical Defenses
XSS in Production (Exploit Paths and CSP Hardening) CSRF (SameSite Reality vs Token Defenses) SSRF (Cloud Metadata Abuse and Egress Controls) Clickjacking (Frame Controls and UI Redress) SQL Injection (Production Defense Patterns) CORS Misconfigurations (Real-World Impact) CSP Practical Recipes (Deployable Policies) Secure Cookie Patterns (HttpOnly, Secure, SameSite) Request Validation Patterns (What to Validate Where) File Upload Hardening (Content Sniffing, AV, Storage)
Secure Delivery, Hardening, and Incident Response
Secure SDLC (Gates That Don’t Kill Delivery) Dependency Risks (Vulns, Updates, Policies) App Supply Chain (Lockfiles, Pinning, Review) Configuration Hardening (Safe Defaults Checklist) Security Monitoring Signals (Auth, Data, Network) Security Alert Design (Noise, Triage, Escalation) WAF Realities (What It Stops and What It Doesn’t) Credential Leak Runbook (Keys, Tokens, Passwords) Compromised Token Runbook (JWT/OAuth Sessions) Security Incident Response (Contain, Eradicate, Recover)

Logging Sensitive Data (Pitfalls and Redaction)

Prevent data leaks through logs: what to exclude, how to redact, and how to validate with automated checks and incident queries.
On this page

What Must Never Appear in Logs

  • Passwords, access tokens, refresh tokens, API keys
  • Authorization headers, session cookies
  • Full payment details, full ID numbers
  • Private keys, signing material

Safe Logging Strategy

  • Log identifiers (request_id, user_id, session_id hash) not secrets.
  • Use allowlist logging: explicitly pick fields to log.
  • Redact at a single choke point (logger middleware), not ad-hoc.

Redaction Pattern

# Replace sensitive keys anywhere in structured payloads
REDACT_KEYS = ["authorization", "cookie", "password", "token", "secret", "api_key"]
# If key matches: value = "[REDACTED]"

Production Validation

# Search for likely secret patterns (examples; adapt)
# Do this in a secure environment with access controls
egrep -R "Bearer " /var/log/app/ 2>/dev/null | head -20
egrep -R "api_key|refresh_token|password=" /var/log/app/ 2>/dev/null | head -20

Failure Modes

  • Debug logging in prod: leaks request bodies. Enforce config guardrails.
  • Exception dumps: frameworks log headers by default. Override defaults.
  • Third-party SDKs: may log request payloads. Pin versions, review settings.

Incident Query Playbook

If leak suspected:
1) Identify time window and deployments
2) Search logs for token prefixes, auth headers, cookie names
3) Rotate affected secrets/tokens
4) Add regression test: redaction unit test + integration log scan
Rate Limiting Patterns (Abuse and Resilience) →