Start a project

Security

Security

Security is the practice of finding the way into your product before someone else does, then closing it for good. Most breaches are not exotic. They are a forgotten admin route, a session cookie that travels where it should not, a form that trusts its input, or a query stitched together from user text. The job is to think like the person trying to get in: map every door, test every one, and assume the worst case for each. Good security is layered, so one missed check does not become a headline, and it is verifiable, so you can prove the hole is gone. The writing here covers the holes we have found in real audits, why the usual review passes miss them, and the concrete defenses, parameterized queries, signed tokens, rate limits, generic errors, that shut them.

23 pieces

All of the Journal

A weathered padlock locked onto a door against soft warm bokeh light

Lock Out Credential Stuffers With Progressive Rate Limiting

Per-IP and per-email sliding windows plus escalating lockouts that stop credential stuffing without punishing real users.

June 8, 20268 min read

Close-up of a metal door knob and keyhole on a weathered wooden door

Prevent User Enumeration in Your Login and Reset Flows

Identical messages, constant-time responses, and honeypots that stop attackers from harvesting valid accounts one request at a time.

June 6, 20268 min read

Laptop showing a code editor on a warm wooden desk beside a mug and notebook

Stop Leaking Your Admin Login URL in Redirects and Errors

Why redirecting unauthenticated admin traffic to your login page hands attackers the map, and how to return a clean 404 instead.

May 3, 20268 min read

Moody monochrome macro of a small pile of metal keys on a dark surface

Issue JWTs Attackers Cannot Forge or Replay

Lock the algorithm to HS256, verify issuer and audience, and cap expiry so a leaked token dies before it does damage.

May 1, 20267 min read

Laptop showing a code editor on a warm wooden desk with an orange mug in soft light

Build CSRF Protection That Survives OAuth Callbacks

HMAC-signed CSRF tokens plus the SameSite settings that block forged requests without breaking your Slack or Stripe login.

March 26, 20267 min read

A hand holding a brass padlock against a soft dark warm background

Kill SQL Injection With Parameterized Queries and Allowlists

Why prepared statements alone are not enough, and how table allowlists plus column regex give you layered protection.

March 21, 20268 min read

Silver keys hanging in a keyhole against a warm wall

Hash Passwords With Scrypt and Timing-Safe Comparison

The memory-hard scrypt setup and constant-time comparison that keep a stolen user database from becoming an overnight breach.

February 13, 20267 min read

Macro of a dark circuit board with copper and blue tones

The Security Headers Every Next.js App Should Ship

From CSP and HSTS to killing the X-Powered-By tell, the exact header set that hardens a production Next.js deploy in one config file.

February 8, 20267 min read

Syntax-highlighted source code displayed on a black screen with shallow depth of field

Verify Payment Webhooks Before They Move Money

Signature checks, amount matching, and idempotency guards that stop forged Paystack and Stripe events from charging users twice.

January 3, 20267 min read

Macro close-up of a printed circuit board with chips

Rotate Production Secrets Without Taking the App Down

A dual-key rollover keyed on kid lets you swap JWT, CSRF, and webhook secrets while every active session keeps working.

January 1, 20268 min read

Brass padlock securing a rusted chain against a stone wall with green foliage behind

Accept File Uploads Without Opening a Remote Code Hole

A profile-picture field is a door to your filesystem. Validate magic bytes, re-encode, store outside the web root, and rename every file.

November 26, 20257 min read

A rusted metal chain ending in a padlock against a soft warm out-of-focus background

Pin Third-Party Scripts With Subresource Integrity

The Polyfill.io attack hit 380,000 sites because nobody pinned the script. SRI plus CSP makes that class of supply-chain breach a non-event.

November 21, 20257 min read

Silver padlock securing a blue metal door

Scope API Tokens So a Leak Cannot Touch Everything

A token will leak. Scope it by resource and action, one per consumer, rotate and revoke, so a leak costs a shrug not your business.

October 16, 20257 min read

Row of locked black secure server racks receding with shallow depth of field

Build Audit Logs That Actually Help After a Breach

Record every privileged action, make logs append-only and tamper-evident, forward them off-host, and keep them queryable when minutes matter.

October 11, 20257 min read

Wall of locked safe-deposit boxes with keys

Mask PII in Public API Responses by Default

The API response is the exposure surface, not the rendered page. Mask email, phone, and references at serialization; gate full data to admins.

September 5, 20257 min read

Macro of a combination padlock's numbered dials on blue metal

What Skipping Security Early Really Costs a Startup

Deferring security does not save the cost, it multiplies it and moves the bill to a breach. The basics built in are the cheapest insurance.

September 3, 20257 min read

Dark macro close-up of a circuit board with chips and traces

Lock Down CORS Before It Hands Over Your Session Tokens

The wildcard and reflected-origin mistakes that let any site read your authenticated API, and the strict allow-list that closes them.

July 29, 20257 min read

A real metal padlock in sharp focus against a soft blue and warm bokeh background

Stop Brute Force and POST Floods With Nginx Rate Limit Zones

Layer connection limits and POST burst zones at the edge so abusive traffic dies in nginx before it ever touches your app.

July 24, 20258 min read

A brass padlock securing a rusted metal chain

Why One Leaked Secret Should Never Compromise the Rest

Split JWT, CSRF, and cron secrets per concern, load every one from env, and throw on missing so one leak stays contained.

June 13, 20257 min read

A real brass padlock on a chain against a teal-green post

What A Small Team Needs Before Its First Security Incident

The minimum response plan, roles, logging, and tested backups that turn a breach from an existential event into a contained Tuesday.

March 31, 20257 min read

Aged iron padlock locked on a weathered rust-red wooden door

Why OAuth Login Breaks With SameSite Strict, and the Fix

SameSite Strict silently signs users out mid-OAuth; the Lax plus CSRF-token combo keeps logins working and safe.

February 23, 20257 min read

Elegant silver skeleton key on a ring casting a soft shadow against a muted teal and cream wall

Lock Down Service Traffic With Self-Rotating mTLS

Give every internal call a verifiable identity with mTLS and self-rotating short-lived certs, so a leaked credential expires before it can be used.

December 27, 20247 min read

Weathered metal padlock securing a door against a moody blue background

Stop Shipping API Keys in Your Frontend Bundle

How secrets sneak into client JavaScript through public env prefixes, and the build-gate audit that catches them before deploy.

November 14, 20248 min read

Where to next

All of the JournalEvery piece

What we doThe nine services

Start a projectDesign it live