Security Guide for Developers
A practical security guide for web developers (Work in progress)
The intended audience
Security issues happen for two reasons -
- Developers who have just started and cannot really tell a difference between using MD5 or bcrypt.
- Developers who know stuff but forget/ignore them.
Contents
- The Security Checklist
- What can go wrong?
- Securely transporting stuff: HTTPS explained
- Authentication: I am who I say I am
- Authorization: What am I allowed to do?
- Data Validation and Sanitation: Never trust user input
- Plaintext != Encoding != Encryption != Hashing
- Passwords: dadada, 123456 and cute@123
- Public Key Cryptography
- Sessions: Remember me, please
- Fixing security, one header at a time
- Configuration mistakes
- Attacks: When the bad guys arrive
- Stats about vulnerabilities discovered in Internet Companies
- On reinventing the wheel, and making it square
- Maintaining a good security hygiene
- Security Vs Usability
- Back to Square 1: The Security Checklist explained
Who are we?
We are full stack developers who just grew tired of watching how developers were lowering the barrier to call something a hack by writing unsecure code. In the past six months, we have prevented leaks of more than 15 million credit card details, personal details of over 45 million users and potentially saved companies from shutting down. Recently, we discovered an issue that could result in system takeover and data leak in a bitcoin institution. We have helped several startups secure their systems, most of them for free, sometimes without even getting a thank you in response :)
If you disagree with something or find a bug please open an issue or file a PR. Alternatively, you can talk to us on hello@fallible.co