
Web Security


Security is crucial in backend development to protect user data and prevent attacks.

Hashing turns data (such as a password) into a fixed-length string of characters that looks random. The process is one-way: you cannot turn the hash back into the password.

  • Used for: Storing passwords securely.
  • Algorithms:
    • MD5: Old and broken for security purposes (avoid for passwords).
    • SHA (SHA-1 / SHA-2 / SHA-3): A family of hashing algorithms. For security, prefer modern variants like SHA-256/512.
    • bcrypt / scrypt / Argon2: Best practice for password hashing (slow by design).

Encryption turns data into unreadable ciphertext, but anyone holding the right key can reverse it and recover the original data.

  • HTTPS: Encrypts traffic between the browser and server.
  • TLS/SSL: The protocols behind HTTPS.
  • RSA: An asymmetric (public/private key) algorithm historically used in TLS and for signing/encryption (less common for key exchange today).
  • Diffie-Hellman: A key-exchange method used to agree on a shared secret over an untrusted network (modern TLS often uses ECDHE, an elliptic-curve variant).
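To make the Diffie-Hellman idea concrete, here is an added example (not from the original page) that simulates both sides of the exchange and shows what an eavesdropper on the network actually sees. The group parameters are an assumption for illustration only: p is the Mersenne prime 2**127 - 1 and g is a small fixed base, whereas real deployments use standardized groups (for example RFC 3526) or, as the text notes, elliptic-curve DH.

```python
import hashlib
import secrets

# Demonstration-only group (assumed for this example, not a production choice).
P = 2 ** 127 - 1
G = 5


def make_keypair():
    """Private exponent a in [2, p-2] and public value A = g^a mod p."""
    private = secrets.randbelow(P - 3) + 2
    public = pow(G, private, P)
    return private, public


def shared_secret(my_private: int, their_public: int) -> int:
    """Both sides compute the same value: (g^b)^a = (g^a)^b mod p.
    Public values 0, 1 and p-1 are rejected: they would force the
    shared secret into a tiny set regardless of the private exponent."""
    if not 1 < their_public < P - 1:
        raise ValueError("invalid public value")
    return pow(their_public, my_private, P)


def derive_key(secret: int) -> bytes:
    """Turn the raw shared integer into a fixed-size symmetric key."""
    size = (P.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(size, "big")).digest()


def run_exchange():
    """Simulate the two messages on the wire and what each side ends up with."""
    a_priv, a_pub = make_keypair()       # Alice -> Bob: A
    b_priv, b_pub = make_keypair()       # Bob -> Alice: B
    on_the_wire = {"A": a_pub, "B": b_pub}  # everything an eavesdropper observes
    alice_key = derive_key(shared_secret(a_priv, b_pub))
    bob_key = derive_key(shared_secret(b_priv, a_pub))
    return alice_key, bob_key, on_the_wire
```

The two keys agree although neither private exponent ever left its owner; the eavesdropper holds only A and B, and recovering a from A is the discrete logarithm problem. Note that plain DH does not authenticate the peer, which is why TLS signs the exchange (for example with an RSA certificate key) to stop a man-in-the-middle from running two separate exchanges.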

A browser mechanism (cross-origin resource sharing, CORS) that stops a page on domain A (evil.com) from reading data from domain B (bank.com). Your backend must explicitly allow the origins that are permitted to read its responses.
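As an added example (not code from the original page), here is the backend side of that decision: a function that produces the CORS response headers for one request from an explicit allowlist, next to the reflect-anything anti-pattern that undoes the protection. The allowlisted origins are constructed for the example; note that they are full origins (scheme and host), because the browser compares the whole Origin header.

```python
from typing import Dict

# Constructed allowlist for this example: full origins, not bare domains.
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com",
}


def cors_headers(request_headers: Dict[str, str], method: str) -> Dict[str, str]:
    """Return the CORS response headers for one request, or {} when the
    requesting origin is not allowlisted (the browser then refuses to expose
    the response to the calling script)."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        # Echo the exact allowlisted origin; '*' is not valid with credentials.
        "Access-Control-Allow-Origin": origin,
        # Caches must not serve this response to a different origin.
        "Vary": "Origin",
        "Access-Control-Allow-Credentials": "true",
    }
    if method == "OPTIONS":
        # Preflight: state which methods and headers the real request may use.
        headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
        headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        headers["Access-Control-Max-Age"] = "600"
    return headers


def reflect_any_origin(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Anti-pattern: echoing whatever Origin arrives, with credentials,
    lets any site read the authenticated user's data."""
    origin = request_headers.get("Origin", "*")
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }
```

A request from https://evil.com gets no CORS headers at all from cors_headers, so the browser blocks the read; an http:// copy of an allowlisted host is also refused, since a different scheme is a different origin. The reflecting version hands the same attacker a green light.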

CSP helps reduce attacks like XSS by telling the browser which sources are allowed to load scripts, styles, images, etc.

Example header:

Content-Security-Policy: default-src 'self'; script-src 'self'
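To show what the browser does with that header, here is an added example (not from the original page): a small parser for the Content-Security-Policy value and a checker that decides whether a given resource URL would be allowed under a directive, including the fallback to default-src. It covers 'self', 'none', '*', the https: scheme source and host sources with a leading wildcard; the policy strings and URLs in the usage are constructed for the example, and scheme-less host sources are matched on host only, a simplification of the full specification.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "name src src; name src" into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _host_matches(source: str, url: str) -> bool:
    """Host-source matching: 'https://cdn.example.com' or '*.example.com'.
    A scheme in the source must match the URL's scheme exactly."""
    u = urlsplit(url)
    if "://" in source:
        s = urlsplit(source)
        if s.scheme.lower() != u.scheme.lower():
            return False
        pattern = s.netloc.lower()
    else:
        pattern = source.lower()  # simplification: scheme not checked
    host = u.netloc.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def is_allowed(policy: Dict[str, List[str]], directive: str,
               url: str, page_origin: str) -> bool:
    """Would the browser load `url` under `directive` given `policy`?
    Falls back to default-src when the specific directive is absent."""
    sources: Optional[List[str]] = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no applicable directive: the load is unrestricted
    url_origin = _origin(url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'" and url_origin == page_origin.lower():
            return True
        if src == "https:" and url.lower().startswith("https://"):
            return True
        if "'" not in src and ":" not in src.rstrip(":") + "x"[:0] and _host_matches(src, url):
            return True
        if "://" in src and _host_matches(src, url):
            return True
    return False
```

With the page's own header, a script from the page's origin loads, a script from any other host is refused, and an image is also refused because img-src is absent and default-src 'self' applies.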

OWASP is an organization that publishes a list of the top web application security risks (the OWASP Top 10). Common ones:

  1. Injection: Sending malicious SQL commands through user input (SQL Injection).
  2. Broken Authentication: Letting attackers log in as someone else.