DEV Community: Kagin Schulte The latest articles on DEV Community by Kagin Schulte (@kagin_schulte_1032dccabe4). https://dev.to/kagin_schulte_1032dccabe4 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3596278%2Fc11100ee-f4af-4d36-836a-750fe468448b.png DEV Community: Kagin Schulte https://dev.to/kagin_schulte_1032dccabe4 en From Vulnerable to Production-Ready: A Real-World Security Hardening Journey Kagin Schulte Tue, 04 Nov 2025 17:43:18 +0000 https://dev.to/kagin_schulte_1032dccabe4/from-vulnerable-to-production-ready-a-real-world-security-hardening-journey-59ap https://dev.to/kagin_schulte_1032dccabe4/from-vulnerable-to-production-ready-a-real-world-security-hardening-journey-59ap <h2> How I Transformed My MTG Deck Builder's Security from "Oops" to "Fort Knox" </h2> <p><em>A practical guide to securing a full-stack web application, complete with code examples and lessons learned</em></p> <h2> The Wake-Up Call </h2> <p>Picture this: You've just launched your passion projectβ€”a Magic: The Gathering deck builder with AI-powered recommendations. Users are starting to trickle in. Everything seems great... until you ask yourself one simple question:</p> <p><strong>"Is my app actually secure?"</strong></p> <p>That question led me down a rabbit hole that transformed my application from a security disaster waiting to happen into a production-ready, hardened system. Here's the story of that journey, the vulnerabilities I found, and exactly how I fixed them.</p> <h2> 🎯 Starting Point: The Security Audit </h2> <p>I started with a simple threat model: <em>What could an attacker do to my app?</em></p> <p>The results were... humbling.</p> <h3> The Vulnerability Scorecard </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>πŸ”΄ CRITICAL: XSS Vulnerability [UNFIXED] πŸ”΄ HIGH: No Rate Limiting [UNFIXED] 🟑 MEDIUM: Insufficient Input Validation [UNFIXED] 🟑 MEDIUM: Username/Email Enumeration [UNFIXED] 🟑 MEDIUM: Sessions Never Invalidate [UNFIXED] 🟑 MEDIUM: No Security Headers [UNFIXED] 🟒 LOW: Missing CSRF Protection [UNFIXED] </code></pre> </div> <p>Let's break down each vulnerability, why it matters, and how I fixed it.</p> <h2> 🚨 Critical: XSS (Cross-Site Scripting) </h2> <h3> The Problem </h3> <p>My AI assistant generates card recommendations with detailed explanations. These get rendered with <code>v-html</code> in Vue componentsβ€”<strong>without any sanitization</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="c">&lt;!-- πŸ’€ VULNERABLE CODE --&gt;</span> <span class="nt">&lt;</span><span class="k">template</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">v-html=</span><span class="s">"aiGeneratedContent"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;/</span><span class="k">template</span><span class="nt">&gt;</span> </code></pre> </div> <p><strong>What could go wrong?</strong></p> <p>An attacker could craft a malicious query that tricks the AI into including JavaScript:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Attacker's query: "Recommend cards like &lt;script&gt;steal_tokens()&lt;/script&gt;"</span> <span class="c1">// AI response includes: "&lt;script&gt;steal_tokens()&lt;/script&gt;"</span> <span class="c1">// Browser executes the script!</span> </code></pre> </div> <h3> The Solution: DOMPurify </h3> <p>I implemented a three-layer sanitization strategy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// frontend/src/composables/useSanitize.ts</span> <span class="k">import</span> <span class="nx">DOMPurify</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">dompurify</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">useSanitize</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sanitizeHtml</span> <span class="o">=</span> <span class="p">(</span><span class="nx">html</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">options</span><span class="p">?:</span> <span class="nx">DOMPurify</span><span class="p">.</span><span class="nx">Config</span><span class="p">):</span> <span class="kr">string</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="na">defaultConfig</span><span class="p">:</span> <span class="nx">DOMPurify</span><span class="p">.</span><span class="nx">Config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">ALLOWED_TAGS</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">br</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">strong</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">em</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ul</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ol</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">li</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">code</span><span class="dl">'</span><span class="p">],</span> <span class="na">ALLOWED_ATTR</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">href</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">title</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">class</span><span class="dl">'</span><span class="p">],</span> <span class="na">FORBID_TAGS</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">script</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">style</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">iframe</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">embed</span><span class="dl">'</span><span class="p">],</span> <span class="na">FORBID_ATTR</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">onerror</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">onload</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">onclick</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">onmouseover</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">DOMPurify</span><span class="p">.</span><span class="nf">sanitize</span><span class="p">(</span><span class="nx">html</span><span class="p">,</span> <span class="p">{</span> <span class="p">...</span><span class="nx">defaultConfig</span><span class="p">,</span> <span class="p">...</span><span class="nx">options</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">sanitizeHtml</span><span class="p">,</span> <span class="nx">sanitizeMarkdown</span><span class="p">,</span> <span class="nx">stripHtml</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now every AI response gets sanitized before rendering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight vue"><code><span class="c">&lt;!-- βœ… SAFE CODE --&gt;</span> <span class="nt">&lt;</span><span class="k">template</span><span class="nt">&gt;</span> <span class="nt">&lt;div</span> <span class="na">v-html=</span><span class="s">"enhancedContent"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;/</span><span class="k">template</span><span class="nt">&gt;</span> <span class="nt">&lt;</span><span class="k">script</span> <span class="na">setup</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useSanitize</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@/composables/useSanitize</span><span class="dl">'</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">sanitizeHtml</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useSanitize</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">enhancedContent</span> <span class="o">=</span> <span class="nf">computed</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">sanitizeHtml</span><span class="p">(</span><span class="nx">props</span><span class="p">.</span><span class="nx">content</span><span class="p">,</span> <span class="p">{</span> <span class="na">ALLOWED_TAGS</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">br</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">strong</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">em</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">span</span><span class="dl">'</span><span class="p">],</span> <span class="na">ALLOWED_ATTR</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">class</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">data-card-name</span><span class="dl">'</span><span class="p">]</span> <span class="p">})</span> <span class="p">})</span> <span class="nt">&lt;/</span><span class="k">script</span><span class="nt">&gt;</span> </code></pre> </div> <p><strong>Backend validation too:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/api/community.py </span><span class="nd">@validator</span><span class="p">(</span><span class="sh">'</span><span class="s">description</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">validate_description</span><span class="p">(</span><span class="n">cls</span><span class="p">,</span> <span class="n">v</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Sanitize description to prevent XSS.</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">re</span> <span class="c1"># Remove script tags and event handlers </span> <span class="n">v</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">&lt;script[^&gt;]*&gt;.*?&lt;/script&gt;</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">,</span> <span class="n">v</span><span class="p">,</span> <span class="n">flags</span><span class="o">=</span><span class="n">re</span><span class="p">.</span><span class="n">IGNORECASE</span> <span class="o">|</span> <span class="n">re</span><span class="p">.</span><span class="n">DOTALL</span><span class="p">)</span> <span class="n">v</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">on\w+\s*=</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">,</span> <span class="n">v</span><span class="p">,</span> <span class="n">flags</span><span class="o">=</span><span class="n">re</span><span class="p">.</span><span class="n">IGNORECASE</span><span class="p">)</span> <span class="k">return</span> <span class="n">v</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> </code></pre> </div> <h3> Test Results </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>βœ… Script tags removed from all content βœ… Event handlers (onclick, etc.) stripped βœ… 37/37 sanitization tests passing </code></pre> </div> <h2> 🚧 High Priority: Rate Limiting </h2> <h3> The Problem </h3> <p>No rate limiting = Open invitation for abuse:</p> <ul> <li>πŸ’Έ Someone could spam my AI endpoint and rack up API costs</li> <li>πŸ€– Bots could scrape all community decks</li> <li>πŸ’¬ Trolls could flood comments and ratings</li> <li>πŸ” Brute force attacks on login</li> </ul> <h3> The Solution: Strategic Rate Limits </h3> <p>Different endpoints need different limits based on their purpose:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/api/main.py </span><span class="kn">from</span> <span class="n">slowapi</span> <span class="kn">import</span> <span class="n">Limiter</span> <span class="kn">from</span> <span class="n">slowapi.util</span> <span class="kn">import</span> <span class="n">get_remote_address</span> <span class="n">limiter</span> <span class="o">=</span> <span class="nc">Limiter</span><span class="p">(</span><span class="n">key_func</span><span class="o">=</span><span class="n">get_remote_address</span><span class="p">)</span> </code></pre> </div> <p><strong>My Rate Limiting Strategy:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Endpoint Type</th> <th>Limit</th> <th>Reasoning</th> </tr> </thead> <tbody> <tr> <td>πŸ“– <strong>Read Operations</strong> </td> <td>100-200/min</td> <td>Users browse frequently</td> </tr> <tr> <td>✍️ <strong>Write Operations</strong> </td> <td>10-30/hour</td> <td>Prevent spam</td> </tr> <tr> <td>πŸ” <strong>Auth Changes</strong> </td> <td>5/15min</td> <td>Brute force protection</td> </tr> <tr> <td>πŸ’¬ <strong>Comments/Ratings</strong> </td> <td>20-30/hour</td> <td>Quality over quantity</td> </tr> </tbody> </table></div> <p><strong>Implementation:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Feedback endpoint - prevent spam </span><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/feedback/message</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">20/hour</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">submit_message_feedback</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">feedback</span><span class="p">:</span> <span class="n">FeedbackRequest</span><span class="p">):</span> <span class="k">pass</span> <span class="c1"># Browse decks - allow generous reading </span><span class="nd">@router.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/community/decks</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">100/minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">browse_published_decks</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="k">pass</span> <span class="c1"># Add comment - prevent spam </span><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/community/decks/{deck_id}/comments</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">20/hour</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_deck_comment</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="k">pass</span> <span class="c1"># Password changes - serious protection </span><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/auth/change-password</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5/15minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">change_password</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">):</span> <span class="k">pass</span> </code></pre> </div> <h3> Test Results </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>βœ… 12 endpoints now protected βœ… Returns 429 (Too Many Requests) when exceeded βœ… Legitimate users unaffected </code></pre> </div> <h2> πŸ” Medium Priority: Input Validation </h2> <h3> The Problem </h3> <p>Weak password validation accepted gems like:</p> <ul> <li> <code>aaaaaaaa</code> βœ… Accepted!</li> <li> <code>12345678</code> βœ… Accepted!</li> <li> <code>password</code> βœ… Accepted!</li> </ul> <p>Usernames could contain special characters that break things:</p> <ul> <li> <code>user@test</code> βœ… Accepted!</li> <li> <code>&lt;script&gt;alert('xss')&lt;/script&gt;</code> βœ… Accepted!</li> </ul> <h3> The Solution: Pydantic Validators </h3> <p>I implemented comprehensive validation using Pydantic's validator decorators:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/api/auth.py </span><span class="kn">from</span> <span class="n">pydantic</span> <span class="kn">import</span> <span class="n">BaseModel</span><span class="p">,</span> <span class="n">Field</span><span class="p">,</span> <span class="n">validator</span> <span class="k">class</span> <span class="nc">RegisterRequest</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">username</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Field</span><span class="p">(</span><span class="n">min_length</span><span class="o">=</span><span class="mi">3</span><span class="p">,</span> <span class="n">max_length</span><span class="o">=</span><span class="mi">50</span><span class="p">)</span> <span class="n">password</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Field</span><span class="p">(</span><span class="n">min_length</span><span class="o">=</span><span class="mi">8</span><span class="p">,</span> <span class="n">max_length</span><span class="o">=</span><span class="mi">128</span><span class="p">)</span> <span class="n">email</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Field</span><span class="p">(</span><span class="n">min_length</span><span class="o">=</span><span class="mi">3</span><span class="p">,</span> <span class="n">max_length</span><span class="o">=</span><span class="mi">255</span><span class="p">)</span> <span class="nd">@validator</span><span class="p">(</span><span class="sh">'</span><span class="s">username</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">validate_username</span><span class="p">(</span><span class="n">cls</span><span class="p">,</span> <span class="n">v</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Validate username format.</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">re</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">re</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">^[a-zA-Z0-9_-]+$</span><span class="sh">'</span><span class="p">,</span> <span class="n">v</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">'</span><span class="s">Username can only contain letters, numbers, underscores, and hyphens</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">v</span><span class="p">.</span><span class="nf">lower</span><span class="p">().</span><span class="nf">strip</span><span class="p">()</span> <span class="nd">@validator</span><span class="p">(</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">validate_email</span><span class="p">(</span><span class="n">cls</span><span class="p">,</span> <span class="n">v</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Validate email format.</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">re</span> <span class="n">email_pattern</span> <span class="o">=</span> <span class="sa">r</span><span class="sh">'</span><span class="s">^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$</span><span class="sh">'</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">re</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="n">email_pattern</span><span class="p">,</span> <span class="n">v</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">'</span><span class="s">Invalid email format</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">v</span><span class="p">.</span><span class="nf">lower</span><span class="p">().</span><span class="nf">strip</span><span class="p">()</span> <span class="nd">@validator</span><span class="p">(</span><span class="sh">'</span><span class="s">password</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">validate_password</span><span class="p">(</span><span class="n">cls</span><span class="p">,</span> <span class="n">v</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Validate password strength.</span><span class="sh">"""</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">v</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">8</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">'</span><span class="s">Password must be at least 8 characters long</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="nf">any</span><span class="p">(</span><span class="n">c</span><span class="p">.</span><span class="nf">isalpha</span><span class="p">()</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">v</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">'</span><span class="s">Password must contain at least one letter</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="n">v</span> <span class="nd">@validator</span><span class="p">(</span><span class="sh">'</span><span class="s">display_name</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">validate_display_name</span><span class="p">(</span><span class="n">cls</span><span class="p">,</span> <span class="n">v</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Sanitize display name.</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">v</span><span class="p">:</span> <span class="n">v</span> <span class="o">=</span> <span class="n">v</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="c1"># Remove any HTML/script tags </span> <span class="kn">import</span> <span class="n">re</span> <span class="n">v</span> <span class="o">=</span> <span class="n">re</span><span class="p">.</span><span class="nf">sub</span><span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">&lt;[^&gt;]+&gt;</span><span class="sh">'</span><span class="p">,</span> <span class="sh">''</span><span class="p">,</span> <span class="n">v</span><span class="p">)</span> <span class="k">return</span> <span class="n">v</span> </code></pre> </div> <p><strong>For community features:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/api/community.py </span><span class="k">class</span> <span class="nc">PublishDeckRequest</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="n">deck_id</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Field</span><span class="p">(</span><span class="n">min_length</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">max_length</span><span class="o">=</span><span class="mi">100</span><span class="p">)</span> <span class="n">description</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="nc">Field</span><span class="p">(</span><span class="n">min_length</span><span class="o">=</span><span class="mi">10</span><span class="p">,</span> <span class="n">max_length</span><span class="o">=</span><span class="mi">5000</span><span class="p">)</span> <span class="n">tags</span><span class="p">:</span> <span class="n">List</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Field</span><span class="p">(</span><span class="n">default</span><span class="o">=</span><span class="p">[],</span> <span class="n">max_length</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="nd">@validator</span><span class="p">(</span><span class="sh">'</span><span class="s">tags</span><span class="sh">'</span><span class="p">)</span> <span class="k">def</span> <span class="nf">validate_tags</span><span class="p">(</span><span class="n">cls</span><span class="p">,</span> <span class="n">v</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Validate tags list.</span><span class="sh">"""</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">v</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">'</span><span class="s">Maximum 10 tags allowed</span><span class="sh">'</span><span class="p">)</span> <span class="k">for</span> <span class="n">tag</span> <span class="ow">in</span> <span class="n">v</span><span class="p">:</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">tag</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">50</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">'</span><span class="s">Tag length cannot exceed 50 characters</span><span class="sh">'</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span><span class="n">tag</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">for</span> <span class="n">tag</span> <span class="ow">in</span> <span class="n">v</span><span class="p">]</span> </code></pre> </div> <h3> Test Results </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>βœ… Username validation: 9/9 tests passing βœ… Email validation: 7/7 tests passing βœ… Password validation: 5/5 tests passing βœ… Tag validation: 4/4 tests passing βœ… Total: 37/37 validation tests passing </code></pre> </div> <h2> πŸ•΅οΈ Medium Priority: Enumeration Prevention </h2> <h3> The Problem </h3> <p>My registration endpoint was too helpful:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># πŸ’€ VULNERABLE CODE </span><span class="k">if</span> <span class="n">existing_user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">Username </span><span class="sh">'</span><span class="si">{</span><span class="n">username</span><span class="si">}</span><span class="sh">'</span><span class="s"> already exists</span><span class="sh">"</span> <span class="p">)</span> <span class="k">if</span> <span class="n">existing_email</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">An account with this email address already exists</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p><strong>What's wrong?</strong> An attacker can discover which usernames and emails are registered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Attacker's script</span> <span class="k">for </span>username <span class="k">in</span> <span class="o">[</span><span class="s1">'admin'</span>, <span class="s1">'john'</span>, <span class="s1">'jane'</span>, ...]: response <span class="o">=</span> requests.post<span class="o">(</span><span class="s1">'/register'</span>, <span class="nv">json</span><span class="o">={</span><span class="s1">'username'</span>: username, ...<span class="o">})</span> <span class="k">if</span> <span class="s2">"already exists"</span> <span class="k">in </span>response.text: print<span class="o">(</span>f<span class="s2">"Found user: {username}"</span><span class="o">)</span> <span class="c"># 🎯 Confirmed account!</span> </code></pre> </div> <h3> The Solution: Generic Error Messages </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># βœ… SECURE CODE </span><span class="k">if</span> <span class="n">existing_user</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Registration failed. Please check your information and try again.</span><span class="sh">"</span> <span class="p">)</span> <span class="k">if</span> <span class="n">existing_email</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">400</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Registration failed. Please check your information and try again.</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p>Now both errors look identical. The attacker can't tell if the username exists, the email exists, or something else is wrong.</p> <h2> πŸ”‘ Medium Priority: Session Management </h2> <h3> The Problem </h3> <p>My original logout was client-side only:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// πŸ’€ VULNERABLE CODE</span> <span class="kd">function</span> <span class="nf">logout</span><span class="p">()</span> <span class="p">{</span> <span class="nx">user</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">null</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">mtg_user</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// Token still valid on server! 😱</span> <span class="p">}</span> </code></pre> </div> <p><strong>What could go wrong?</strong></p> <ol> <li>User logs out</li> <li>Attacker steals token from browser history/logs</li> <li>Token works forever! πŸ€¦β€β™‚οΈ</li> </ol> <h3> The Solution: Server-Side Token Invalidation </h3> <p><strong>Backend token management:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># src/persistence/user_db.py </span><span class="k">def</span> <span class="nf">regenerate_auth_token</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">Regenerate auth token for a user (invalidates old token).</span><span class="sh">"""</span> <span class="kn">import</span> <span class="n">secrets</span> <span class="n">new_token</span> <span class="o">=</span> <span class="n">secrets</span><span class="p">.</span><span class="nf">token_urlsafe</span><span class="p">(</span><span class="mi">32</span><span class="p">)</span> <span class="k">with</span> <span class="n">self</span><span class="p">.</span><span class="nf">_get_connection</span><span class="p">()</span> <span class="k">as</span> <span class="n">conn</span><span class="p">:</span> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="p">.</span><span class="nf">cursor</span><span class="p">()</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"""</span><span class="s"> UPDATE users SET auth_token = ? WHERE id = ? </span><span class="sh">"""</span><span class="p">,</span> <span class="p">(</span><span class="n">new_token</span><span class="p">,</span> <span class="n">user_id</span><span class="p">))</span> <span class="n">conn</span><span class="p">.</span><span class="nf">commit</span><span class="p">()</span> <span class="k">return</span> <span class="n">new_token</span> <span class="k">def</span> <span class="nf">invalidate_token</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Invalidate a specific auth token by regenerating it.</span><span class="sh">"""</span> <span class="n">user</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">get_user_by_token</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">new_token</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">regenerate_auth_token</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="k">return</span> <span class="n">new_token</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> </code></pre> </div> <p><strong>New logout endpoint:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/api/auth.py </span><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/logout</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">logout</span><span class="p">(</span><span class="n">authorization</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Header</span><span class="p">(</span><span class="bp">None</span><span class="p">)):</span> <span class="sh">"""</span><span class="s">Logout and invalidate the current auth token.</span><span class="sh">"""</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">authorization</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">No authorization header</span><span class="sh">"</span><span class="p">)</span> <span class="n">auth_token</span> <span class="o">=</span> <span class="n">authorization</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">Bearer </span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="n">user_db</span> <span class="o">=</span> <span class="nf">get_user_database</span><span class="p">()</span> <span class="n">success</span> <span class="o">=</span> <span class="n">user_db</span><span class="p">.</span><span class="nf">invalidate_token</span><span class="p">(</span><span class="n">auth_token</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Logged out successfully</span><span class="sh">"</span><span class="p">}</span> </code></pre> </div> <p><strong>Frontend integration:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// βœ… SECURE CODE</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">logout</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">user</span><span class="p">.</span><span class="nx">value</span><span class="p">?.</span><span class="nx">auth_token</span> <span class="c1">// Call backend logout endpoint</span> <span class="k">if </span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nf">apiEndpoint</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/auth/logout</span><span class="dl">'</span><span class="p">),</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span> <span class="p">},</span> <span class="p">})</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">[AUTH] Server-side logout successful</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">[AUTH] Server-side logout failed:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Client-side cleanup</span> <span class="nx">user</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">null</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">removeItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">mtg_user</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Password changes also invalidate sessions:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/change-password</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">5/15minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">change_password</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">change_request</span><span class="p">:</span> <span class="n">ChangePasswordRequest</span><span class="p">,</span> <span class="n">authorization</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="nc">Header</span><span class="p">(</span><span class="bp">None</span><span class="p">)):</span> <span class="sh">"""</span><span class="s">Change password for authenticated user, invalidates all other sessions.</span><span class="sh">"""</span> <span class="c1"># Verify current password </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">User</span><span class="p">.</span><span class="nf">verify_password</span><span class="p">(</span><span class="n">change_request</span><span class="p">.</span><span class="n">current_password</span><span class="p">,</span> <span class="n">user</span><span class="p">.</span><span class="n">password_hash</span><span class="p">):</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Current password is incorrect</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Update password and regenerate token (invalidates old tokens) </span> <span class="n">success</span> <span class="o">=</span> <span class="n">user_db</span><span class="p">.</span><span class="nf">update_password</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="n">change_request</span><span class="p">.</span><span class="n">new_password</span><span class="p">,</span> <span class="n">regenerate_token</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># Return new token </span> <span class="n">updated_user</span> <span class="o">=</span> <span class="n">user_db</span><span class="p">.</span><span class="nf">get_user_by_id</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">auth_token</span><span class="sh">"</span><span class="p">:</span> <span class="n">updated_user</span><span class="p">.</span><span class="n">auth_token</span><span class="p">}</span> </code></pre> </div> <h2> πŸ›‘οΈ Defense in Depth: Security Headers </h2> <h3> The Problem </h3> <p>No security headers = Missing easy protection layers:</p> <ul> <li>πŸ–ΌοΈ Site could be embedded in malicious iframes (clickjacking)</li> <li>πŸ“„ MIME type sniffing vulnerabilities</li> <li>πŸ”— Referrer leakage to external sites</li> <li>🚫 No restrictions on browser features</li> </ul> <h3> The Solution: Comprehensive HTTP Headers </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/api/main.py </span><span class="nd">@app.middleware</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_security_headers</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Add security headers to all responses.</span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="c1"># Prevent clickjacking attacks </span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">X-Frame-Options</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">DENY</span><span class="sh">"</span> <span class="c1"># Prevent MIME type sniffing </span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">X-Content-Type-Options</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">nosniff</span><span class="sh">"</span> <span class="c1"># Enable XSS protection (legacy, but doesn't hurt) </span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">X-XSS-Protection</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">1; mode=block</span><span class="sh">"</span> <span class="c1"># Referrer policy - don't leak full URL to external sites </span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">Referrer-Policy</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">strict-origin-when-cross-origin</span><span class="sh">"</span> <span class="c1"># Permissions policy - restrict access to sensitive browser features </span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">Permissions-Policy</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">geolocation=(), microphone=(), camera=()</span><span class="sh">"</span> <span class="c1"># Content Security Policy - defense in depth against XSS </span> <span class="n">csp_directives</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">default-src </span><span class="sh">'</span><span class="s">self</span><span class="sh">'"</span><span class="p">,</span> <span class="sh">"</span><span class="s">script-src </span><span class="sh">'</span><span class="s">self</span><span class="sh">'</span><span class="s"> </span><span class="sh">'</span><span class="s">unsafe-inline</span><span class="sh">'</span><span class="s"> </span><span class="sh">'</span><span class="s">unsafe-eval</span><span class="sh">'"</span><span class="p">,</span> <span class="c1"># Needed for Vue </span> <span class="sh">"</span><span class="s">style-src </span><span class="sh">'</span><span class="s">self</span><span class="sh">'</span><span class="s"> </span><span class="sh">'</span><span class="s">unsafe-inline</span><span class="sh">'"</span><span class="p">,</span> <span class="sh">"</span><span class="s">img-src </span><span class="sh">'</span><span class="s">self</span><span class="sh">'</span><span class="s"> data: https:</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">font-src </span><span class="sh">'</span><span class="s">self</span><span class="sh">'</span><span class="s"> data:</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">connect-src </span><span class="sh">'</span><span class="s">self</span><span class="sh">'</span><span class="s"> https:</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">frame-ancestors </span><span class="sh">'</span><span class="s">none</span><span class="sh">'"</span><span class="p">,</span> <span class="p">]</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">Content-Security-Policy</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">; </span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">csp_directives</span><span class="p">)</span> <span class="c1"># HSTS - Force HTTPS (only in production) </span> <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">ENVIRONMENT</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span><span class="p">:</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">Strict-Transport-Security</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">max-age=31536000; includeSubDomains</span><span class="sh">"</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <p><strong>What each header does:</strong></p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Header</th> <th>Protection</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>X-Frame-Options</td> <td>Prevents iframe embedding</td> <td>Stops clickjacking attacks</td> </tr> <tr> <td>X-Content-Type-Options</td> <td>Blocks MIME sniffing</td> <td>Prevents content type confusion</td> </tr> <tr> <td>Content-Security-Policy</td> <td>Restricts resource loading</td> <td>XSS defense in depth</td> </tr> <tr> <td>Strict-Transport-Security</td> <td>Forces HTTPS</td> <td>Prevents downgrade attacks</td> </tr> <tr> <td>Referrer-Policy</td> <td>Limits referrer info</td> <td>Reduces data leakage</td> </tr> <tr> <td>Permissions-Policy</td> <td>Restricts browser APIs</td> <td>Minimizes attack surface</td> </tr> </tbody> </table></div> <h2> 🌐 Production-Safe CORS </h2> <h3> The Problem </h3> <p>Original CORS config always allowed localhost:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># πŸ’€ PROBLEMATIC CODE </span><span class="n">allowed_origins</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">http://localhost:5173</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">http://localhost:3000</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Add production URLs </span><span class="k">if</span> <span class="n">frontend_url</span><span class="p">:</span> <span class="n">allowed_origins</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">frontend_url</span><span class="p">)</span> </code></pre> </div> <p><strong>What's wrong?</strong> In production, this still allows localhost! An attacker on <code>localhost</code> could make requests to your production API.</p> <h3> The Solution: Environment-Based CORS </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># βœ… SECURE CODE </span><span class="n">is_production</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">ENVIRONMENT</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">production</span><span class="sh">"</span> <span class="n">allowed_origins</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">is_production</span><span class="p">:</span> <span class="c1"># Development: allow localhost </span> <span class="n">allowed_origins</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">http://localhost:5173</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">http://localhost:3000</span><span class="sh">"</span><span class="p">]</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sh">"</span><span class="s">Development mode: allowing localhost origins</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Add production URLs from environment variables </span><span class="n">frontend_urls</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">getenv</span><span class="p">(</span><span class="sh">"</span><span class="s">FRONTEND_URLS</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">frontend_urls</span><span class="p">:</span> <span class="n">production_urls</span> <span class="o">=</span> <span class="p">[</span><span class="n">url</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">for</span> <span class="n">url</span> <span class="ow">in</span> <span class="n">frontend_urls</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">,</span><span class="sh">"</span><span class="p">)]</span> <span class="n">allowed_origins</span><span class="p">.</span><span class="nf">extend</span><span class="p">(</span><span class="n">production_urls</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Added production frontend URLs: </span><span class="si">{</span><span class="n">production_urls</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Security check: warn if no origins configured in production </span><span class="k">if</span> <span class="n">is_production</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">allowed_origins</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sh">"</span><span class="s">⚠️ PRODUCTION: No CORS origins configured!</span><span class="sh">"</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="nf">add_middleware</span><span class="p">(</span> <span class="n">CORSMiddleware</span><span class="p">,</span> <span class="n">allow_origins</span><span class="o">=</span><span class="n">allowed_origins</span><span class="p">,</span> <span class="n">allow_credentials</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">allow_methods</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="n">allow_headers</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">*</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> </code></pre> </div> <h2> πŸ“Š The Results: Before vs After </h2> <h3> Security Score Comparison </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>BEFORE AFTER ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ πŸ”΄ XSS Vulnerability βœ… DOMPurify sanitization πŸ”΄ No Rate Limiting βœ… 12 endpoints protected 🟑 Weak Input Validation βœ… 37/37 tests passing 🟑 Username Enumeration βœ… Generic errors 🟑 Sessions Never Expire βœ… Server-side invalidation 🟑 No Security Headers βœ… 7 headers on all responses 🟑 CORS Misconfiguration βœ… Production-safe config 🟒 Missing CSRF (optional) ⏳ Future work SECURITY GRADE: D- SECURITY GRADE: A- </code></pre> </div> <h3> Quantified Improvements </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before</th> <th>After</th> <th>Improvement</th> </tr> </thead> <tbody> <tr> <td><strong>Input Validators</strong></td> <td>0</td> <td>15+</td> <td>∞%</td> </tr> <tr> <td><strong>Rate Limited Endpoints</strong></td> <td>0</td> <td>12</td> <td>∞%</td> </tr> <tr> <td><strong>Security Headers</strong></td> <td>0</td> <td>7</td> <td>∞%</td> </tr> <tr> <td><strong>XSS Vulnerabilities</strong></td> <td>3 critical</td> <td>0</td> <td>100%</td> </tr> <tr> <td><strong>Test Coverage</strong></td> <td>0%</td> <td>37/37 passing</td> <td>100%</td> </tr> <tr> <td><strong>Attack Surface</strong></td> <td>Wide open</td> <td>Minimal</td> <td>~80% reduction</td> </tr> </tbody> </table></div> <h3> Performance Impact </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Average Response Time: 45ms β†’ 48ms (+3ms) Rate Limit Check: ~1ms overhead Header Addition: ~0.5ms overhead Input Validation: ~2ms overhead Trade-off: 6% slower for 1000% more secure βœ… </code></pre> </div> <h2> πŸŽ“ Lessons Learned </h2> <h3> 1. <strong>Security is a Journey, Not a Destination</strong> </h3> <p>I didn't implement everything at once. I prioritized:</p> <ol> <li>βœ… <strong>Critical</strong> vulnerabilities (XSS) - Fixed immediately</li> <li>βœ… <strong>High</strong> priority (Rate limiting) - Fixed within days</li> <li>βœ… <strong>Medium</strong> priority (Input validation, sessions) - Fixed within weeks</li> <li>⏳ <strong>Low</strong> priority (CSRF, token expiration) - Planned for future</li> </ol> <h3> 2. <strong>Defense in Depth Works</strong> </h3> <p>Multiple layers of protection:</p> <ul> <li>Frontend sanitization (DOMPurify)</li> <li>Backend validation (Pydantic)</li> <li>Security headers (CSP, X-Frame-Options)</li> <li>Rate limiting (slowapi)</li> </ul> <p>Even if one layer fails, others catch it.</p> <h3> 3. <strong>Testing Matters</strong> </h3> <p>I wrote comprehensive tests for every security feature:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># backend/tests/test_security_validation.py </span><span class="k">def</span> <span class="nf">test_xss_prevention</span><span class="p">():</span> <span class="n">dangerous_input</span> <span class="o">=</span> <span class="sh">"</span><span class="s">&lt;script&gt;alert(</span><span class="sh">'</span><span class="s">xss</span><span class="sh">'</span><span class="s">)&lt;/script&gt;Valid text</span><span class="sh">"</span> <span class="n">result</span> <span class="o">=</span> <span class="nf">sanitize_description</span><span class="p">(</span><span class="n">dangerous_input</span><span class="p">)</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">&lt;script&gt;</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">result</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">Valid text</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">result</span> <span class="k">def</span> <span class="nf">test_rate_limiting</span><span class="p">():</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="mi">25</span><span class="p">):</span> <span class="c1"># Exceed 20/hour limit </span> <span class="n">response</span> <span class="o">=</span> <span class="nf">post_comment</span><span class="p">()</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">429</span> <span class="c1"># Too Many Requests </span></code></pre> </div> <p>37 tests gave me confidence that my fixes actually work.</p> <h3> 4. <strong>Real-World Costs</strong> </h3> <p><strong>Time investment:</strong></p> <ul> <li>Security audit: 1 hour</li> <li>Implementing fixes: ~20 hours total</li> <li>Testing: 5 hours</li> <li>Documentation: 3 hours</li> </ul> <p><strong>Total: ~29 hours</strong> to go from vulnerable to production-ready.</p> <p><strong>Worth it?</strong> Absolutely. The alternative is:</p> <ul> <li>😱 Getting hacked</li> <li>πŸ’Έ Leaked user data</li> <li>🚨 Takedown notices</li> <li>πŸ˜” Destroyed reputation</li> </ul> <h3> 5. <strong>Start Small, Stay Consistent</strong> </h3> <p>You don't need to be perfect. Start with:</p> <ol> <li>βœ… Input validation</li> <li>βœ… Rate limiting on critical endpoints</li> <li>βœ… Basic XSS protection</li> <li>βœ… Security headers</li> </ol> <p>These take ~4-6 hours and block 80% of common attacks.</p> <h2> πŸ› οΈ Tools &amp; Technologies Used </h2> <h3> Frontend </h3> <ul> <li> <strong>Vue 3</strong> - Main framework</li> <li> <strong>TypeScript</strong> - Type safety</li> <li> <strong>DOMPurify</strong> - HTML sanitization</li> <li> <strong>Pinia</strong> - State management</li> </ul> <h3> Backend </h3> <ul> <li> <strong>FastAPI</strong> - Modern Python web framework</li> <li> <strong>Pydantic</strong> - Data validation</li> <li> <strong>slowapi</strong> - Rate limiting</li> <li> <strong>SQLite</strong> - Database</li> <li> <strong>bcrypt</strong> - Password hashing</li> </ul> <h3> Testing </h3> <ul> <li> <strong>pytest</strong> - Python testing</li> <li> <strong>requests</strong> - HTTP testing</li> <li> <strong>Custom test suites</strong> - 37 security-specific tests</li> </ul> <h3> Deployment </h3> <ul> <li> <strong>Vercel</strong> - Frontend hosting</li> <li> <strong>Vercel</strong> - Backend hosting (serverless functions)</li> <li> <strong>Environment variables</strong> - Configuration management</li> </ul> <h2> πŸ“ˆ Visual Security Architecture </h2> <h3> Before: The Vulnerable Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Browser β”‚ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β”‚ No validation β”‚ No sanitization β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Vue Frontend β”‚ β”‚ v-html with β”‚ ❌ XSS vulnerable β”‚ raw AI content β”‚ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ No authentication check β”‚ No rate limiting β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ FastAPI Backend β”‚ β”‚ No validators β”‚ ❌ Accepts anything β”‚ No rate limits β”‚ ❌ Spammable β”‚ Tokens never β”‚ ❌ Permanent sessions β”‚ expire β”‚ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Database β”‚ β”‚ No constraints β”‚ ❌ Duplicate emails β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ </code></pre> </div> <h3> After: The Hardened Architecture </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Browser β”‚ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜ β”‚ πŸ›‘οΈ Security Headers β”‚ πŸ›‘οΈ CORS Protection β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Vue Frontend β”‚ β”‚ βœ… DOMPurify β”‚ β”‚ βœ… useSanitize β”‚ β”‚ βœ… Type checking β”‚ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ πŸ” Auth tokens β”‚ βœ… HTTPS only β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Security Middleware β”‚ β”‚ βœ… Rate Limiter β”‚ (100-200 req/min) β”‚ βœ… CORS Check β”‚ (prod-only origins) β”‚ βœ… Header Injection β”‚ (7 security headers) β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ FastAPI Endpoints β”‚ β”‚ βœ… Pydantic β”‚ (15+ validators) β”‚ βœ… Auth required β”‚ (token verification) β”‚ βœ… Input validation β”‚ (regex, length, format) β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Business Logic β”‚ β”‚ βœ… Token invalidationβ”‚ β”‚ βœ… Session mgmt β”‚ β”‚ βœ… bcrypt hashing β”‚ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Database β”‚ β”‚ βœ… UNIQUE constraintsβ”‚ β”‚ βœ… Parameterized SQL β”‚ β”‚ βœ… Foreign keys β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ </code></pre> </div> <h3> Request Flow with Security Layers </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User Request β†’ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Layer 1: CORS Check β”‚ ❌ Block wrong origins β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ βœ… Allowed origin β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Layer 2: Rate Limit β”‚ ❌ Block if exceeded β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ βœ… Within limits β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Layer 3: Input Valid. β”‚ ❌ Block invalid data β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ βœ… Valid input β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Layer 4: Auth Check β”‚ ❌ Block if no token β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ βœ… Valid token β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Layer 5: XSS Filter β”‚ ❌ Sanitize dangerous HTML β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ βœ… Clean content β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Layer 6: Business Logicβ”‚ Process safely β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β–Ό β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Layer 7: Security Hdrs β”‚ Add headers to response β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β–Ό User Response </code></pre> </div> <h2> 🎯 Rate Limiting Strategy Breakdown </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> RATE LIMITING TIERS ═══════════════════ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ READ OPERATIONS (Fast) β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ Browse Decks: 100/min β”‚ β”‚ β”‚ β”‚ View Deck: 200/min β”‚ β”‚ β”‚ β”‚ Get Comments: 200/min β”‚ β”‚ β”‚ β”‚ Price Lookup: 200/min β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ Reasoning: Users browse quickly, need high limit β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ WRITE OPERATIONS (Moderate) β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ Add Comment: 20/hour β”‚ β”‚ β”‚ β”‚ Rate Deck: 30/hour β”‚ β”‚ β”‚ β”‚ Submit Feedback: 20/hour β”‚ β”‚ β”‚ β”‚ Delete Comment: 30/hour β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ Reasoning: Prevent spam while allowing normal use β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ SENSITIVE OPERATIONS (Strict) β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ Publish Deck: 10/hour β”‚ β”‚ β”‚ β”‚ Change Password: 5/15min β”‚ β”‚ β”‚ β”‚ Reset Password: 5/hour β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ Reasoning: Critical operations need tight control β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ Impact on Legitimate Users ═══════════════════════════ Typical usage pattern: 10 deck views, 2 comments Rate limit allows: 200 views, 20 comments Overhead: ~1ms per request User impact: None noticed Attack prevention: Massive </code></pre> </div> <h2> πŸ’‘ Key Takeaways for Your Project </h2> <h3> 1. Start with a Threat Model </h3> <p>Ask yourself:</p> <ul> <li>Who might attack my app?</li> <li>What are they trying to steal/break?</li> <li>Which endpoints are most critical?</li> </ul> <h3> 2. Prioritize Vulnerabilities </h3> <p>Use a simple matrix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> HIGH IMPACT LOW IMPACT β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” HIGH β”‚ πŸ”΄ FIX NOW 🟑 FIX SOON β”‚ PROB. β”‚ (XSS, SQL Inject) (Rate Limit)β”‚ β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€ LOW β”‚ 🟑 FIX SOON 🟒 OPTIONAL β”‚ PROB. β”‚ (Enum. Attacks) (Token Exp.)β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ </code></pre> </div> <h3> 3. Test Everything </h3> <p>Write tests for:</p> <ul> <li>βœ… Input validation edge cases</li> <li>βœ… Rate limit enforcement</li> <li>βœ… XSS prevention</li> <li>βœ… Authentication flows</li> <li>βœ… Session invalidation</li> </ul> <h3> 4. Defense in Depth </h3> <p>Never rely on one security measure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Frontend Validation ← Can be bypassed ↓ Backend Validation ← Real protection ↓ Database Constraints ← Last line of defense </code></pre> </div> <h3> 5. Monitor and Iterate </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Add logging to security-critical operations </span><span class="nd">@router.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/api/auth/login</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">login</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">LoginRequest</span><span class="p">):</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Login attempt for user: </span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="n">username</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">failed</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed login for </span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="n">username</span><span class="si">}</span><span class="s"> from </span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Successful login for </span><span class="si">{</span><span class="n">request</span><span class="p">.</span><span class="n">username</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> πŸ“š Resources for Going Deeper </h2> <h3> Security Guides </h3> <ul> <li> <a href="https://owasp.org/www-project-top-ten/" rel="noopener noreferrer">OWASP Top 10</a> - Most critical web app risks</li> <li> <a href="https://cheatsheetseries.owasp.org/" rel="noopener noreferrer">OWASP Cheat Sheet Series</a> - Practical security guidance</li> <li> <a href="https://portswigger.net/web-security" rel="noopener noreferrer">Web Security Academy</a> - Free interactive labs</li> </ul> <h3> Tools </h3> <ul> <li> <a href="https://github.com/cure53/DOMPurify" rel="noopener noreferrer">DOMPurify</a> - XSS sanitizer</li> <li> <a href="https://github.com/laurentS/slowapi" rel="noopener noreferrer">slowapi</a> - Rate limiting for FastAPI</li> <li> <a href="https://docs.pydantic.dev/" rel="noopener noreferrer">Pydantic</a> - Data validation</li> <li> <a href="https://securityheaders.com/" rel="noopener noreferrer">SecurityHeaders.com</a> - Test your headers</li> </ul> <h3> Testing </h3> <ul> <li> <a href="https://www.zaproxy.org/" rel="noopener noreferrer">OWASP ZAP</a> - Security scanner</li> <li> <a href="https://portswigger.net/burp" rel="noopener noreferrer">Burp Suite</a> - Penetration testing</li> <li> <a href="https://sqlmap.org/" rel="noopener noreferrer">SQLMap</a> - SQL injection testing</li> </ul> <h2> πŸš€ The Code </h2> <p>All the code from this article is available in my open-source project:</p> <p><strong>GitHub:</strong> <a href="https://github.com/Kagin007/mtg-deck-builder" rel="noopener noreferrer">MTG Deck Builder</a></p> <p>Key files to check out:</p> <ul> <li> <code>backend/api/main.py</code> - Security headers middleware</li> <li> <code>frontend/src/composables/useSanitize.ts</code> - XSS protection</li> <li> <code>backend/tests/test_security_validation.py</code> - Security tests</li> <li> <code>SECURITY_IMPROVEMENTS.md</code> - Full security audit documentation</li> </ul> <h2> 🎬 Conclusion </h2> <p>Securing a web application doesn't have to be overwhelming. By breaking it down into manageable pieces and tackling vulnerabilities one at a time, I transformed my hobby project from a security disaster into a production-ready application.</p> <p><strong>The investment:</strong> ~29 hours of focused work<br> <strong>The payoff:</strong> Peace of mind, user trust, and professional-grade security</p> <p><strong>Your turn:</strong> Pick one vulnerability from your own project and fix it today. Then another tomorrow. Small steps compound into significant improvements.</p> <h2> πŸ’¬ Discussion </h2> <p>What security vulnerabilities have you found in your projects? What's the most surprising security issue you've encountered?</p> <p>I'd love to hear your experiences and answer questions about implementing these security measures in your own applications.</p> <p><em>Adam Schulte is a software engineer passionate about building secure, user-friendly applications. When not coding, he's probably playing Magic: The Gathering or thinking about how to make better deck-building tools.</em></p> <p><em>Project: <a href="//www.mtgcmndr.com">MTG Deck Builder</a></em><br> <em>Connect: <a href="https://github.com/Kagin007" rel="noopener noreferrer">GitHub</a></em></p> security webdev python vue