DEV Community: Om Prakash Tiwari

Axios Compromise: What Happened, Why It Matters, and What We Should Do Next

Om Prakash Tiwari — Wed, 01 Apr 2026 01:26:01 +0000

e point), it’s time to pause and rethink.

Recently, concerns around dependency trust, supply chain attacks, and package compromise scenarios have once again highlighted a harsh truth:

Your biggest vulnerability might not be your code — it’s your dependencies.

🚨 The Problem: Axios and the Supply Chain Risk

Axios itself isn’t “evil” — but the ecosystem around it makes it risky.

Here’s the real issue:

Axios is a third-party abstraction over HTTP
It pulls in dependencies (direct or indirect)
It’s updated frequently, often without deep audits in most projects
It runs in highly sensitive contexts (auth headers, tokens, cookies)

Now imagine this:

A malicious update gets published
Or a dependency inside Axios gets compromised
Or your lockfile gets bypassed

Suddenly:

Your Authorization headers can be intercepted
Your requests can be modified
Your data can be exfiltrated silently

This isn’t hypothetical — supply chain attacks have already hit major packages in the JS ecosystem.

And the worst part?

You won’t even notice until it’s too late.

⚠️ Why Axios is Risky in Critical Systems

From my perspective, the problem isn’t just Axios — it’s over-abstraction.

Axios introduces:

Hidden request transformations
Interceptors that can be globally hijacked
Silent behavior changes across versions
Extra surface area for bugs or exploits

Compare that with native fetch:

Built-in
Minimal
Transparent
No dependency risk

When you're handling:

JWT tokens
Session management
Internal APIs

You cannot afford hidden layers.

✅ The Solution: Own Your API Layer

Instead of relying on external libraries, I strongly recommend:

Build your own API abstraction layer using native fetch.

That’s exactly what I do.

Here’s the approach I use 👇

🧠 My API Class Strategy

I created a custom API class that:

1. Centralizes all API calls

No scattered requests across the app.

2. Handles authentication automatically

const token = localStorage.getItem('token');

3. Injects headers safely

const defaultHeaders = {
  'Content-Type': 'application/json',
  ...(token && { Authorization: `Bearer ${token}` }),
};

4. Handles token invalidation securely

if (
  response.status === 401 ||
  errorMessage.includes('token expired') ||
  errorMessage.includes('jwt malformed')
) {
  localStorage.removeItem('token');
}

5. Supports FormData without breaking headers

if (body instanceof FormData) {
  delete mergedHeaders['Content-Type'];
}

6. Emits global error events

document.dispatchEvent(
  new CustomEvent('error-received', { detail: { status, message } })
);

7. Provides clean method wrappers

api.get('/users')
api.post('/login', data)
api.put('/profile', data)

💡 Why This Is Better Than Axios

Here’s the real advantage:

🔒 Security

No third-party interception layer
No dependency injection risk
Full control over request lifecycle

🧩 Transparency

You know exactly what’s happening
No hidden interceptors
No magic transformations

⚡ Performance

No extra abstraction overhead
Native browser optimization

🛠 Flexibility

Add custom logic anytime
Extend without fighting a library

🧠 Developer Mindset Shift

We need to stop thinking:

“Which library should I use?”

And start thinking:

“Do I even need a library for this?”

For something as critical as API calls:

Simplicity beats abstraction
Control beats convenience
Native beats dependency

🚀 Final Take

I’m not saying Axios is unusable.

I’m saying:

It’s not worth the risk in security-critical systems.

If your app:

Handles authentication
Talks to internal APIs
Processes sensitive data

Then you should strongly consider:

👉 Dropping Axios
👉 Using native fetch
👉 Building your own API layer (like the one above)

Why I switched Back to Cookie

Om Prakash Tiwari — Thu, 15 Jan 2026 02:46:48 +0000

At some point, most developers go through this phase where cookies feel ancient.
Like table layouts or jQuery—“we’ve moved on from that, right?”

I thought the same.
I moved away from cookies… and then slowly, painfully, came back.

Here’s why.

Cookies: Great Until They Weren’t

In the beginning, cookies were easy.
They just worked.

But then reality hit:

document.cookie

Anyone with JavaScript access could read them.
One XSS bug and boom—your auth token is gone.

That was enough for me to say:
“Nope. Cookies are unsafe.”

So I left.

Session Storage: Felt Safer, Wasn’t

Next, I tried sessionStorage.

The logic was simple:

Tab closes → data gone
Less persistence → less risk

But guess what?

JavaScript can still read it
XSS still wins
Accidentally close the tab → user logged out

Security-wise, it wasn’t better.
UX-wise, it was worse.

Local Storage: Convenient but Dangerous

Then came localStorage.

Persistent. Simple. Popular.

Also:

Fully readable by JavaScript
A gold mine for XSS attacks
Tokens just sitting there, waiting to be stolen

At this point I realized something uncomfortable:

Every solution I tried had the same weakness.

The Real Problem Was JavaScript Access

It finally clicked.

The issue wasn’t:

cookies
session storage
local storage

The issue was this:

If JavaScript can read your token, attackers can too.

So instead of finding new storage, I went back to the old one—
but used it correctly.

Cookies, Take Two (HttpOnly This Time)

This time, I used cookies with rules:

HttpOnly
Secure
SameSite
HTTPS only

Now:

JavaScript can’t touch the token
XSS can’t steal it
Browser sends it automatically
Backend stays clean and predictable

Suddenly… cookies made sense again.

The Irony

After all the modern solutions, I ended up with:

Better security
Cleaner auth flow
Less frontend complexity

Using something that existed all along.

Turns out cookies weren’t bad.
We were just using them wrong.

Final Thought

Security isn’t about what’s trendy.
It’s about what attackers can’t access.

And right now?
A properly configured HttpOnly cookie is one of the hardest places to steal from.

So yeah—I switched back to cookies.

Web Development in Docker Containers Using Express.js

Om Prakash Tiwari — Wed, 06 Nov 2024 04:43:51 +0000

In today’s fast-paced development landscape, containerization has emerged as a game-changing approach for web developers, providing environments that are consistent, portable, and easy to manage. Docker, the most popular containerization platform, enables developers to create and manage containers easily, making development and deployment smoother. Combining Docker with Node.js frameworks like Express.js brings further agility to web development, allowing developers to create, test, and deploy web applications with ease.

In this article, we’ll explore how to set up and develop an Express.js application inside a Docker container, focusing on the advantages it brings to web development.

Why Use Docker for Web Development?

Docker encapsulates the application's dependencies within a container, which means:

Consistency across environments: Docker containers run the same way on any system that has Docker installed, eliminating "it works on my machine" issues.
Isolation: Docker provides an isolated environment for your application, ensuring that it doesn’t interfere with other applications.
Scalability and Deployment: Containers allow easy scaling and deployment, making it simple to expand applications horizontally.

For web development using Express.js, Docker ensures that Node.js and any other dependencies (like databases or libraries) are correctly configured within an environment separate from the host system.

Setting Up an Express.js Application in Docker

Let's dive into the steps required to set up and run an Express.js application inside a Docker container.

Step 1: Initialize an Express.js Application

First, create a basic Express.js application. If you don’t have it installed globally, you can run:

npx express-generator myapp
cd myapp

This creates a basic folder structure and a few default files for an Express.js app. Next, install any necessary dependencies:

npm install

Step 2: Write a Dockerfile

A Dockerfile defines the environment and instructions needed to set up and run your application. Here’s an example Dockerfile for an Express.js application:

# Use an official Node.js image as the base
FROM node:latest AS development

# Create and set the working directory inside the container
WORKDIR /app

# Copy package.json and package-lock.json files to the container
COPY package*.json ./

# Install dependencies
RUN npm install

# Copy the entire application code to the container
COPY . .

# Expose the port the app runs on
EXPOSE 3000

# Run the application
CMD ["npm", "start"]

Step 3: Create a Docker Compose File (Optional)

If your application has multiple services (e.g., a database), docker-compose.yml helps define and manage them. Here’s a sample docker-compose.yml file:

services:
  app:
    build: .
    ports:
      - "3000:3000"
    volumes:
      - .:/app
      - /app/node_modules
    environment:
      - NODE_ENV=development

Step 4: Build and Run the Docker Container

To create a container for your application, open a terminal in the application’s root directory (where the Dockerfile is located) and run:

docker build -t express-app .

Then, to run the container, use:

docker run -p 3000:3000 express-app

The application should now be accessible at http://localhost:3000.

Step 5: Developing with Live Reloading

By default, Docker doesn’t support live reloading (where changes in code are automatically reflected). However, you can achieve this with the help of nodemon, a tool that watches for file changes and restarts the server automatically.

First, install nodemon as a development dependency:

npm install --save-dev nodemon

Then, update the Dockerfile to set NODE_ENV to development and update the start command:

# Install nodemon globally
RUN npm install -g nodemon

# Run the application using nodemon
CMD ["nodemon", "bin/www"]

Or if you're using docker-compose.yml, you can specify the command directly in it:

command: nodemon bin/www

This setup enables live reloading, which is highly beneficial during development as it saves time and enhances productivity.

Step 6: Managing Dependencies with Docker Volumes

To avoid issues where dependencies are rebuilt each time, use Docker volumes to mount the local file system’s source code into the container.

In docker-compose.yml:

volumes:
  - .:/app
  - /app/node_modules

This configuration syncs your code between the host and container, but it doesn’t override the node_modules folder.

Step 7: Debugging Inside Docker

Docker provides various options for debugging. You can add DEBUG flags to your application to increase logging verbosity or use Docker’s own logging and monitoring commands:

docker logs -f <container-id>

Step 8: Dockerizing for Production

When moving to production, there are additional steps for optimization, such as:

Using multi-stage builds to reduce image size.
Setting up environment-specific configurations.
Adding security measures, like scanning for vulnerabilities. An example of a multi-stage build Dockerfile:

# Stage 1: Build the dependencies
FROM node:20 AS build
WORKDIR /app
COPY package*.json ./
RUN npm install --production
COPY . .

# Stage 2: Use a lightweight base for production
FROM node:20-slim
WORKDIR /app
COPY --from=build /app .
EXPOSE 3000
CMD ["node", "bin/www"]

Advantages of Developing with Express.js in Docker
Developing an Express.js application in Docker has significant advantages:

Platform Consistency: The Docker container standardizes your environment across all stages, from development to production.
Simplified Dependencies: By encapsulating dependencies, you eliminate complex installations on your local machine. Rapid Scaling: Containers allow you to scale applications horizontally by deploying additional instances. Effortless Collaboration: Sharing a Dockerfile or docker-compose.yml ensures that teammates work in the exact environment. ## Best Practices
Keep Docker Images Small: Use multi-stage builds to minimize image size and improve performance. Use Environment Variables for Configuration: Avoid hard-coding configurations to keep the container environment-agnostic.
Leverage Volumes: Utilize Docker volumes for storing data or syncing code in development.
Automate with CI/CD: Incorporate Docker into CI/CD pipelines for consistent and automated deployment across environments. ## Conclusion Dockerizing your Express.js application provides a scalable and robust solution for web development. By using Docker, you gain better control over environments, simplify dependency management, and improve collaboration, all of which are critical for modern web development. Whether you’re working on a simple application or a complex system with multiple services, Docker provides tools that can streamline your workflow and set your project up for success in production.

Get started with Docker and Express.js today to see how it can transform your development experience!

Develop your code online using vscode-tunnel

Om Prakash Tiwari — Wed, 06 Nov 2024 04:25:44 +0000

Introduction

It has been a great hastle to work in teams on same project without having a good infrastructure. It has been observed that we (frontend/backend developers) generate multiple versions of code on different machines and sometimes older code is pushed again on the repository breaking some changes causing bugs in some running component/feature. While development on a "on premise development server" becomes a great hastle and difficult to mange. The Production server cannot have option to install a test version of the code and share to developers due to security issues.

VS Code has came with a feature called remote development and has introduced vscode-tunnel to allow developers share code between machnines. This is very helpful if we are working in the same network with single github account or taking paid plans from microsoft to manage multiple accounts in the same tunnel.

While working on this issue, we have developed a docker image to create vscode tunnel using a single line of code.

How to use

To install docker, based on your operating system, follow instructions at https://docs.docker.com/engine/install/
Now open command prompt and run following command:

# Replace /path/to/sourcecode to path as in your computer
docker run -d -v /path/to/sourcecode:/home/node/workspace --name vscode-tunnel-server optiwariindia/vscode-tunnel

After starting this container open Logs for the container using command below:

  docker logs vscode-tunnel-server

This will return some instructions that you can follow to connect it with your github account.

To access the code open vscode.dev and select "Connect to tunnel" button and follow instructions.
Once connected to tunnel, click on "Open folder" and select your workspace work.

Deepawali, the Festival of Lights

Om Prakash Tiwari — Thu, 31 Oct 2024 11:32:48 +0000

Deepawali, the Festival of Lights, is one of the most significant and joyous festivals celebrated in India. It is a festival that symbolizes the victory of light over darkness, good over evil, and knowledge over ignorance. Deepawali is a five-day festival that starts with Dhanteras, followed by Chhoti Deepawali, Badi Deepawali, Govardhan Puja, and ends with Bhai Dooj. Each day of this festival holds its own significance and is celebrated with unique traditions and rituals.

Dhanteras

Dhanteras marks the beginning of the Deepawali celebrations. It is considered an auspicious day to make new purchases, especially gold and silver, as it is believed to bring wealth and prosperity. The legend associated with Dhanteras is that of a young prince whose life was threatened by a venomous snake on the 13th day of the dark fortnight of the Hindu month of Kartik. To protect the prince, his mother placed a pile of precious metals and jewels in front of his door. The snake was mesmerized by the glittering treasure and did not harm the prince. Since then, Dhanteras has been celebrated as the day to purchase precious metals and to worship Goddess Lakshmi, the goddess of wealth.

Chhoti Deepawali

Chhoti Deepawali, also known as Naraka Chaturdashi, is the second day of the Deepawali celebrations. On this day, people clean their homes and workplaces to welcome Goddess Lakshmi. They also decorate their homes with diyas (earthen lamps) and rangoli (colorful floor designs). The legend associated with Chhoti Deepawali is that of Lord Krishna defeating the demon Narakasura. It is believed that Lord Krishna killed Narakasura on this day, and to commemorate his victory, people celebrate Chhoti Deepawali.

Badi Deepawali

Badi Deepawali is the main day of the Deepawali celebrations. On this day, people light diyas and candles in their homes and workplaces to symbolize the victory of light over darkness. They also worship Goddess Lakshmi and Lord Ganesha to seek their blessings for wealth, prosperity, and wisdom. The legend associated with Badi Deepawali is that of Lord Rama returning to Ayodhya after defeating Ravana. It is believed that the people of Ayodhya lit diyas to welcome Lord Rama and his wife Sita.

Govardhan Puja

Govardhan Puja is celebrated on the fourth day of Deepawali. On this day, people worship Mount Govardhan, which is considered to be a symbol of nature and the provider of sustenance. The legend associated with Govardhan Puja is that of Lord Krishna lifting Mount Govardhan to protect the people of Braj from the wrath of Indra, the god of rain.

Bhai Dooj

Bhai Dooj is the last day of the Deepawali celebrations. On this day, sisters apply tilak to their brothers' foreheads and pray for their long life and prosperity. In return, brothers give gifts to their sisters. The legend associated with Bhai Dooj is that of Yamraj, the god of death, visiting his sister Yami on this day. Yami welcomed her brother with love and affection, and Yamraj was so pleased that he promised to protect her brother. Since then, Bhai Dooj has been celebrated as a day to strengthen the bond between siblings.

Deepawali is a festival that brings joy, happiness, and prosperity to the lives of people. It is a time to celebrate the triumph of good over evil and to strengthen family bonds. The stories and legends associated with Deepawali teach us the importance of values like courage, compassion, and devotion.

PHP Developer with Twig knowledge can start expressjs project with twig in few moment

Om Prakash Tiwari — Mon, 01 Aug 2022 08:06:00 +0000

The Background

As a PHP Developer I was used to work with twig template engine like most of the PHP Developers. I found the twig engine is supported by express js as well and also my teammates were using this extensively. I have decied to use the same template engine for my projects.

Starting the first project

If you are from PHP Background and using twig template engine, and want to switch to express js, then you can follow the below steps to download the boilerplate code for express and setup your project automatically.

Install nodejs (Latest version) from https://nodejs.org/en/download/ (the official website)
Open Command prompt (Windows) or Terminal (Mac/Linux) and run the following command:

npx start-express [project-name]
```
-- [project-name] is the name of your project.
```
This will generate a directory with your project name and add essentials into it.
Open the directory in your text editor.
Run the following command to start the server in development mode:

npm run devstart
You can now access your project in your browser on port 3000.

A readme file is also generated for more information. You can go through it for more details.