Web Security
Security is crucial in backend development to protect user data and prevent attacks.
Core Concepts
Hashing
Hashing turns data (like a password) into a fixed-length string of characters that looks random. The transformation is one-way: you cannot turn the hash back into the original data.
- Used for: Storing passwords securely.
- Algorithms:
  - MD5: Old and broken for security purposes (avoid for passwords).
  - SHA (SHA-1 / SHA-2 / SHA-3): A family of hashing algorithms. For security, prefer modern variants like SHA-256/512.
  - bcrypt / scrypt / Argon2: Best practice for password hashing (slow by design).
Encryption
Encryption turns data into ciphertext, but unlike hashing it is reversible: anyone who holds the key can decrypt it.
- HTTPS: Encrypts traffic between the browser and server.
- TLS/SSL: The protocols behind HTTPS.
- RSA: An asymmetric (public/private key) algorithm historically used in TLS and for signing/encryption (less common for key exchange today).
- Diffie-Hellman: A key-exchange method used to agree on a shared secret over an untrusted network (modern TLS often uses ECDHE, an elliptic-curve variant).
CORS (Cross-Origin Resource Sharing)
A browser mechanism that stops a page on domain A (evil.com) from reading data from domain B (bank.com). Your backend must explicitly allow the cross-origin domains it trusts via response headers.
CSP (Content Security Policy)
CSP helps reduce attacks like XSS by telling the browser which sources are allowed to load scripts, styles, images, etc.
Example header:
Content-Security-Policy: default-src 'self'; script-src 'self'
Common Vulnerabilities (OWASP)
OWASP is an organization that publishes a list of the top web application security risks (the OWASP Top 10). Common ones:
- Injection: Untrusted input is interpreted as commands, for example malicious SQL inside a query (SQL Injection).
- Broken Authentication: Letting attackers log in as someone else.