Core Code
Core Code Modern Dev Handbook
APPLICATION-SECURITY Contents
Security Foundations for Production Apps
Threat Modeling (Practical, Repeatable) OWASP Top 10 (Operator Lens) Defense in Depth (Layered Controls That Hold) Security Baselines and Checklists (What “Good” Looks Like) Secrets in Apps (Storage, Injection, Rotation) Logging Sensitive Data (Pitfalls and Redaction) Rate Limiting Patterns (Abuse and Resilience) Abuse Prevention (Bots, Fraud, Enumeration) HTTPS & TLS Realities (HSTS, Termination, Cert Ops) Secure Headers Baseline (Production Defaults)
Identity, Authentication, and Sessions
Sessions vs JWT (Production Tradeoffs) JWT Attack Patterns and Validation Pitfalls Password Hashing Ops (bcrypt/argon2 Parameters) OAuth2 Flows in Practice (Auth Code + PKCE) OIDC Internals (Discovery, JWKS, Claims) Token Revocation Strategies (What Actually Works) Refresh Token Abuse and Rotation Defenses API Key Management (Issuance, Rotation, Scoping) mTLS Basics (Service-to-Service Identity) Identity Boundary Design (Trust Zones)
Web Attacks and Practical Defenses
XSS in Production (Exploit Paths and CSP Hardening) CSRF (SameSite Reality vs Token Defenses) SSRF (Cloud Metadata Abuse and Egress Controls) Clickjacking (Frame Controls and UI Redress) SQL Injection (Production Defense Patterns) CORS Misconfigurations (Real-World Impact) CSP Practical Recipes (Deployable Policies) Secure Cookie Patterns (HttpOnly, Secure, SameSite) Request Validation Patterns (What to Validate Where) File Upload Hardening (Content Sniffing, AV, Storage)
Secure Delivery, Hardening, and Incident Response
Secure SDLC (Gates That Don’t Kill Delivery) Dependency Risks (Vulns, Updates, Policies) App Supply Chain (Lockfiles, Pinning, Review) Configuration Hardening (Safe Defaults Checklist) Security Monitoring Signals (Auth, Data, Network) Security Alert Design (Noise, Triage, Escalation) WAF Realities (What It Stops and What It Doesn’t) Credential Leak Runbook (Keys, Tokens, Passwords) Compromised Token Runbook (JWT/OAuth Sessions) Security Incident Response (Contain, Eradicate, Recover)

Threat Modeling (Practical, Repeatable)

Build lightweight threat models you can actually run in production: assets, trust boundaries, abuse cases, and controls mapped to owners, logs, and alerts.
On this page

Goal

Create a repeatable threat modeling loop that produces concrete actions: config changes, logging/alerting, test cases, and runbooks. Keep it small enough to run per feature.

Minimum Data You Need

  • Assets: user identities, sessions/tokens, payment actions, PII fields, admin actions.
  • Entry points: HTTP routes, webhooks, upload endpoints, background jobs.
  • Trust boundaries: browser → edge → app → internal services → data stores.
  • Dependencies: IdP, email/SMS, object storage, third-party APIs.

Production Workflow (30–60 minutes)

  1. Pick a single feature or endpoint group (example: /api/payments/*).
  2. List top 5 abuse cases (auth bypass, replay, enumeration, injection, data exfil).
  3. For each abuse case, define: preconditions, detection, mitigation, runbook owner.
  4. Turn mitigations into checklists (headers, limits, validation, rate limiting, logging).

Abuse Case Template

Abuse case:
- What: (ex) Attacker replays webhook to credit account twice
- Preconditions: webhook endpoint accepts duplicates; no idempotency
- Detection: log event_id + status; alert on duplicates
- Mitigation: idempotency key; store processed event_ids; reject replays
- Runbook: disable webhook, rotate secret, reconcile transactions

Controls Mapping (Operator Lens)

  • Prevent: authZ checks, validation, idempotency, allowlists, mTLS.
  • Detect: structured logs, auth anomalies, spike alerts, WAF signals.
  • Respond: kill switches, token revocation, key rotation, incident steps.

Make It Measurable

  • Log security-relevant fields (request id, user id, auth method, decision, reason).
  • Define 3 alerts: auth failures spike, forbidden spike, sensitive action spike.

Quick Checks

# Identify trust boundaries and exposed surfaces
curl -sS -D - https://app.example.com/healthz -o /dev/null

# Enumerate routes (example pattern; adapt to your router)
grep -R "GET /api" -n ./src | head -50
OWASP Top 10 (Operator Lens) →