
Web security foundations — JWT · OAuth · OWASP

Practical security in seven steps — auth, validation, headers, CORS, email verification.

Difficulty: intermediate · Lessons: 7

Popular frameworks cover several OWASP Top 10 items out of the box (parameterized queries, output encoding, CSRF tokens), but the trust-boundary decisions still fall on the developer: who counts as authenticated, what input is accepted, how many requests one client may make, and which origins may call the API. A handful of concrete patterns shrinks that remaining attack surface considerably.

Who it's for

  • Developers without a clear sense of "how far is enough" on security
  • Teams that adopted JWT · OAuth but are nervous about mistakes
  • Anyone wanting to set CORS, headers, and rate limits properly

What you can do afterwards

  • Design JWT rotation · refresh tokens · blacklist
  • Handle OAuth state · PKCE · CSRF
  • Validate input with zod + length caps
  • Apply Redis-based rate limiting (sliding window)
  • Configure security headers · CSP · CORS
  • Harden anonymous forms with honey-pot · IP hashing
  • Verify email with OTP — generation, verification, resend throttling

Flow

[1] Threat model ──▶ [2] JWT ──▶ [3] OAuth ──▶ [4] Input validation
                                                      │
                                                      ▼
                   [7] OTP ◀── [6] Form hardening ◀── [5] Rate + CSP

Steps 1–3 deal with who is coming in (auth), 4–5 with what a request may contain and how many of them are accepted (validation, rate limiting, headers and CORS), and 6–7 with the special cases of anonymous submissions and email verification.

Steps

  1. Threat model · OWASP at a glance — Top 10 · real incident distribution
  2. JWT · refresh · rotation — HS256 vs RS256 · expiry · blacklist
  3. OAuth + state · PKCE — Kakao · Naver · CSRF
  4. Input validation + length caps — zod · Valibot · payload flood defence
  5. Rate limit + CORS + security headers — Redis sliding window · CSP · sameSite
  6. Anonymous form hardening — honey-pot · IP hash · status flow
  7. Email verification and OTP — SMTP · app password · OTP generation/verification · rate limiting

Prerequisites — complete either backend-with-spring or nextjs-fullstack.

