Threat model · OWASP at a glance

There is no "from where to where is security enough", but knowing the actual distribution of attacks sets priority.

1. OWASP Top 10 (2021)

Broken Access Control
Cryptographic Failures
Injection (SQL · NoSQL · command)
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery

2. Most incidents fall in the Top 3

Access control mistakes — "change the URL, see someone else's data"
Auth failures — weak passwords, session hijack, no MFA
Injection — WHERE id = ${id} string interpolation

The other seven are less frequent or handled by frameworks.

3. STRIDE

Six categories — Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. Walk through each page/API against STRIDE to find gaps.

4. "Never trust the client"

Always re-check permissions after auth, per user.

// ❌
const userId = req.body.userId;
await db.query("DELETE FROM posts WHERE user_id = $1", [userId]);
// ✅
const sessionUser = await verifySession(req);
await db.query("DELETE FROM posts WHERE user_id = $1", [sessionUser.id]);

5. Least privilege

App DB user has only needed tables
Cron scripts have their own DB user
Minimise prod IAM

Uncomfortable for developers, huge reduction in blast radius.

6. Defense in depth

One layer fails, the next catches.

[Caddy / CDN] → [rate limit] → [WAF] → [auth] → [authorization] → [input validation]
                                                                         ↓
                                                                   [DB constraints]

SQL injection defended three times (parameterization + input validation + DB constraints).

7. Security ≠ obscurity

Security through obscurity doesn't last. Design so that public knowledge of the API is safe.

8. Week-one checklist

Session checks on every mutation
100% parameterized SQL
bcrypt/argon2 only (never plaintext/MD5/SHA1)
HTTPS enforced
Monthly pnpm audit / npm audit

Cuts 90% of the attack surface.

Closing

Security isn't a one-off project. Keep Top 10, common patterns, and defense-in-depth in mind and the instinct grows.

02-jwt-refresh

1. OWASP Top 10 (2021)

Broken Access Control

Cryptographic Failures

Injection (SQL · NoSQL · command)

Insecure Design

Security Misconfiguration

Vulnerable and Outdated Components

Identification and Authentication Failures

Software and Data Integrity Failures

Security Logging and Monitoring Failures

Server-Side Request Forgery

// ❌ const userId = req.body.userId; await db.query("DELETE FROM posts WHERE user_id = $1", [userId]); // ✅ const sessionUser = await verifySession(req); await db.query("DELETE FROM posts WHERE user_id = $1", [sessionUser.id]);

6. Defense in depth

One layer fails, the next catches.

[Caddy / CDN] → [rate limit] → [WAF] → [auth] → [authorization] → [input validation] ↓ [DB constraints]

SQL injection defended three times (parameterization + input validation + DB constraints).

Threat model · OWASP at a glance

Threat model · OWASP at a glance

1. OWASP Top 10 (2021)

2. Most incidents fall in the Top 3

3. STRIDE

4. "Never trust the client"

5. Least privilege

6. Defense in depth

7. Security ≠ obscurity

8. Week-one checklist

Closing

Next

Threat model · OWASP at a glance

Threat model · OWASP at a glance

1. OWASP Top 10 (2021)

2. Most incidents fall in the Top 3

3. STRIDE

4. "Never trust the client"

5. Least privilege

6. Defense in depth

7. Security ≠ obscurity

8. Week-one checklist

Closing

Next