The latest articles on DEV Community by 𝙑𝙖𝙣𝙚𝙨𝙨𝙖 𝙈𝙖𝙙𝙞𝙨𝙤𝙣 (@vanessamadison). https://dev.to/vanessamadison https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3519084%2F28ea3616-5265-425e-8d5b-0dc3be80bcb4.png https://dev.to/vanessamadison en 𝙑𝙖𝙣𝙚𝙨𝙨𝙖 𝙈𝙖𝙙𝙞𝙨𝙤𝙣 Mon, 01 Dec 2025 18:49:46 +0000 https://dev.to/vanessamadison/security-first-websockets-protecting-real-time-communications-from-attack-2j8d https://dev.to/vanessamadison/security-first-websockets-protecting-real-time-communications-from-attack-2j8d <p>WebSockets power everything from chat apps to financial tickers. But their persistent connections create unique attack surfaces that traditional HTTP security doesn't address.</p> <h3> 1. Authenticate Before Upgrading </h3> <p>Never establish WebSocket connections before verifying identity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">WebSocket</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">ws</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">wss</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">WebSocket</span><span class="p">.</span><span class="nc">Server</span><span class="p">({</span> <span class="na">noServer</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">server</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">upgrade</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">socket</span><span class="p">,</span> <span class="nx">head</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ws://localhost</span><span class="dl">'</span><span class="p">).</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">);</span> <span class="nx">wss</span><span class="p">.</span><span class="nf">handleUpgrade</span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">socket</span><span class="p">,</span> <span class="nx">head</span><span class="p">,</span> <span class="p">(</span><span class="nx">ws</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">user</span><span class="p">;</span> <span class="nx">wss</span><span class="p">.</span><span class="nf">emit</span><span class="p">(</span><span class="dl">'</span><span class="s1">connection</span><span class="dl">'</span><span class="p">,</span> <span class="nx">ws</span><span class="p">,</span> <span class="nx">request</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="dl">'</span><span class="s1">HTTP/1.1 401 Unauthorized</span><span class="se">\r\n\r\n</span><span class="dl">'</span><span class="p">);</span> <span class="nx">socket</span><span class="p">.</span><span class="nf">destroy</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h3> 2. Rate Limit Messages per Connection </h3> <p>Prevent abuse through message-level rate limiting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nc">RateLimitedWebSocket</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">ws</span><span class="p">,</span> <span class="nx">maxMessages</span> <span class="o">=</span> <span class="mi">50</span><span class="p">,</span> <span class="nx">windowMs</span> <span class="o">=</span> <span class="mi">60000</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">ws</span> <span class="o">=</span> <span class="nx">ws</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">messages</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">this</span><span class="p">.</span><span class="nx">maxMessages</span> <span class="o">=</span> <span class="nx">maxMessages</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">windowMs</span> <span class="o">=</span> <span class="nx">windowMs</span><span class="p">;</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">this</span><span class="p">.</span><span class="nf">handleMessage</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="p">}</span> <span class="nf">handleMessage</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">messages</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">t</span> <span class="o">=&gt;</span> <span class="nx">now</span> <span class="o">-</span> <span class="nx">t</span> <span class="o">&lt;</span> <span class="k">this</span><span class="p">.</span><span class="nx">windowMs</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;=</span> <span class="k">this</span><span class="p">.</span><span class="nx">maxMessages</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rate limit exceeded</span><span class="dl">'</span><span class="p">,</span> <span class="na">retryAfter</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">windowMs</span> <span class="o">/</span> <span class="mi">1000</span> <span class="p">}));</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">this</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">now</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nf">processMessage</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">}</span> <span class="nf">processMessage</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Your message handling logic</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">wss</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connection</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">ws</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">new</span> <span class="nc">RateLimitedWebSocket</span><span class="p">(</span><span class="nx">ws</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> 3. Validate and Sanitize All Messages </h3> <p>Treat WebSocket data like any other user input:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">Joi</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">joi</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">messageSchema</span> <span class="o">=</span> <span class="nx">Joi</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="nx">Joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">valid</span><span class="p">(</span><span class="dl">'</span><span class="s1">chat</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">typing</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">reaction</span><span class="dl">'</span><span class="p">).</span><span class="nf">required</span><span class="p">(),</span> <span class="na">content</span><span class="p">:</span> <span class="nx">Joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">max</span><span class="p">(</span><span class="mi">1000</span><span class="p">).</span><span class="nf">required</span><span class="p">(),</span> <span class="na">roomId</span><span class="p">:</span> <span class="nx">Joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">uuid</span><span class="p">().</span><span class="nf">required</span><span class="p">()</span> <span class="p">});</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">rawData</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">message</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">rawData</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span><span class="p">,</span> <span class="nx">value</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">messageSchema</span><span class="p">.</span><span class="nf">validate</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid message format</span><span class="dl">'</span> <span class="p">}));</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Verify user has access to room</span> <span class="kd">const</span> <span class="nx">hasAccess</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">checkRoomAccess</span><span class="p">(</span><span class="nx">ws</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">value</span><span class="p">.</span><span class="nx">roomId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hasAccess</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Access denied</span><span class="dl">'</span> <span class="p">}));</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">await</span> <span class="nf">broadcastToRoom</span><span class="p">(</span><span class="nx">value</span><span class="p">.</span><span class="nx">roomId</span><span class="p">,</span> <span class="nx">value</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Message processing failed</span><span class="dl">'</span> <span class="p">}));</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h3> 4. Implement Connection Timeouts </h3> <p>Prevent resource exhaustion from abandoned connections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">setupHeartbeat</span><span class="p">(</span><span class="nx">ws</span><span class="p">,</span> <span class="nx">interval</span> <span class="o">=</span> <span class="mi">30000</span><span class="p">,</span> <span class="nx">timeout</span> <span class="o">=</span> <span class="mi">5000</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">isAlive</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">pong</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">isAlive</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">heartbeat</span> <span class="o">=</span> <span class="nf">setInterval</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isAlive</span><span class="p">)</span> <span class="p">{</span> <span class="nf">clearInterval</span><span class="p">(</span><span class="nx">heartbeat</span><span class="p">);</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">terminate</span><span class="p">();</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">isAlive</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">ping</span><span class="p">();</span> <span class="p">},</span> <span class="nx">interval</span><span class="p">);</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">clearInterval</span><span class="p">(</span><span class="nx">heartbeat</span><span class="p">));</span> <span class="p">}</span> <span class="nx">wss</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connection</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">ws</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setupHeartbeat</span><span class="p">(</span><span class="nx">ws</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> 5. Secure Message Broadcasting </h3> <p>Ensure messages only reach authorized recipients:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nc">SecureRoom</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">roomId</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">roomId</span> <span class="o">=</span> <span class="nx">roomId</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">connections</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">addConnection</span><span class="p">(</span><span class="nx">ws</span><span class="p">,</span> <span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">permissions</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUserRoomPermissions</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">roomId</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">connections</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">ws</span><span class="p">,</span> <span class="p">{</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">permissions</span> <span class="p">});</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="k">this</span><span class="p">.</span><span class="nx">connections</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">ws</span><span class="p">));</span> <span class="p">}</span> <span class="nf">broadcast</span><span class="p">(</span><span class="nx">message</span><span class="p">,</span> <span class="nx">requiredPermission</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">read</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="p">[</span><span class="nx">ws</span><span class="p">,</span> <span class="p">{</span> <span class="nx">permissions</span> <span class="p">}]</span> <span class="k">of</span> <span class="k">this</span><span class="p">.</span><span class="nx">connections</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">permissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">requiredPermission</span><span class="p">))</span> <span class="p">{</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">payload</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>WebSockets operate outside the request-response paradigm. Traditional middleware doesn't apply, you need specialized security patterns for persistent connections.</p> </blockquote> <p><strong>Thanks for reading!</strong> How do you secure real-time features in your applications?</p> <p><strong>Building real-time systems that don't compromise on security?</strong> Let's collaborate: <a href="https://illapex.com" rel="noopener noreferrer">ILLAPEX</a></p> security backend javascript node 𝙑𝙖𝙣𝙚𝙨𝙨𝙖 𝙈𝙖𝙙𝙞𝙨𝙤𝙣 Thu, 16 Oct 2025 05:44:56 +0000 https://dev.to/vanessamadison/authentication-flows-implementing-secure-session-management-35m9 https://dev.to/vanessamadison/authentication-flows-implementing-secure-session-management-35m9 <p>Sessions are the bridge between stateless HTTP and stateful user identity. Get them wrong, and attackers hijack accounts, escalate privileges, and impersonate users. Secure sessions require careful architecture: token generation, rotation, revocation, and validation at every step.</p> <h2> 1. Generate Cryptographically Secure Tokens </h2> <p>Weak tokens are predictable. Use libraries designed for token generation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">generateSessionToken</span><span class="p">()</span> <span class="p">{</span> <span class="c1">// Cryptographically secure random token</span> <span class="kd">const</span> <span class="nx">randomToken</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// JWT with short expiration</span> <span class="kd">const</span> <span class="nx">jwtToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">token</span><span class="p">:</span> <span class="nx">randomToken</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1h</span><span class="dl">'</span> <span class="p">}</span> <span class="p">);</span> <span class="k">return</span> <span class="nx">jwtToken</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> 2. Use Refresh Token Rotation </h2> <p>Access tokens are short-lived. Refresh tokens should rotate with every use, invalidating the old one.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/refresh</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="c1">// Verify and decode</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_SECRET</span><span class="p">);</span> <span class="c1">// Check if token is in the revocation list</span> <span class="k">if </span><span class="p">(</span><span class="nf">isRevoked</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Refresh token revoked</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Issue new tokens</span> <span class="kd">const</span> <span class="nx">newAccessToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">newRefreshToken</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span> <span class="p">},</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REFRESH_SECRET</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">7d</span><span class="dl">'</span> <span class="p">});</span> <span class="c1">// Revoke old refresh token</span> <span class="nf">revokeToken</span><span class="p">(</span><span class="nx">refreshToken</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">accessToken</span><span class="p">:</span> <span class="nx">newAccessToken</span><span class="p">,</span> <span class="na">refreshToken</span><span class="p">:</span> <span class="nx">newRefreshToken</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> 3. Store Sessions Securely </h2> <p>If using server-side sessions, store them encrypted and indexed for fast lookup.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">Redis</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">ioredis</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">redis</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Redis</span><span class="p">({</span> <span class="na">password</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_PASSWORD</span> <span class="p">});</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">storeSession</span><span class="p">(</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">metadata</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sessionId</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">sessionData</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">userId</span><span class="p">,</span> <span class="na">createdAt</span><span class="p">:</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">(),</span> <span class="p">...</span><span class="nx">metadata</span> <span class="p">});</span> <span class="c1">// Store with TTL (1 hour)</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">setex</span><span class="p">(</span><span class="s2">`session:</span><span class="p">${</span><span class="nx">sessionId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="mi">3600</span><span class="p">,</span> <span class="nx">sessionData</span><span class="p">);</span> <span class="k">return</span> <span class="nx">sessionId</span><span class="p">;</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">validateSession</span><span class="p">(</span><span class="nx">sessionId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`session:</span><span class="p">${</span><span class="nx">sessionId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">data</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 4. Implement Secure HttpOnly Cookies </h2> <p>Store tokens in httpOnly, secure cookies that can't be accessed by JavaScript. Combine with CSRF protection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Authenticate user...</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nf">generateSessionToken</span><span class="p">();</span> <span class="nx">res</span><span class="p">.</span><span class="nf">cookie</span><span class="p">(</span><span class="dl">'</span><span class="s1">sessionToken</span><span class="dl">'</span><span class="p">,</span> <span class="nx">token</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Strict</span><span class="dl">'</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">1000</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="c1">// 1 hour</span> <span class="p">});</span> <span class="c1">// Include CSRF token in response body</span> <span class="kd">const</span> <span class="nx">csrfToken</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">csrfToken</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> 5. Detect and Respond to Session Anomalies </h2> <p>Log session events and alert on suspicious patterns: multiple IPs, unusual locations, or rapid token refresh.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">validateSessionIntegrity</span><span class="p">(</span><span class="nx">sessionId</span><span class="p">,</span> <span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="s2">`session:</span><span class="p">${</span><span class="nx">sessionId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">current</span> <span class="o">=</span> <span class="p">{</span> <span class="na">ip</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">user-agent</span><span class="dl">'</span><span class="p">]</span> <span class="p">};</span> <span class="c1">// Check for suspicious changes</span> <span class="k">if </span><span class="p">(</span><span class="nx">session</span><span class="p">.</span><span class="nx">ip</span> <span class="o">!==</span> <span class="nx">current</span><span class="p">.</span><span class="nx">ip</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="s2">`Session hijack attempt: </span><span class="p">${</span><span class="nx">sessionId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">current</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">del</span><span class="p">(</span><span class="s2">`session:</span><span class="p">${</span><span class="nx">sessionId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Thanks for reading!</strong> If this post was insightful for you, please share it with your team or leave a comment with your own security wins.</p> <p>Sessions are the keys to your users' accounts. Protect them like you'd protect your own.</p> <p><strong><em>With token rotation, secure storage, and anomaly detection, session management becomes a fortress rather than a liability.</em></strong></p> <p>Build session security with us: <a href="https://illapex.com" rel="noopener noreferrer">ILLAPEX</a></p> security webdev node 𝙑𝙖𝙣𝙚𝙨𝙨𝙖 𝙈𝙖𝙙𝙞𝙨𝙤𝙣 Thu, 16 Oct 2025 05:31:07 +0000 https://dev.to/vanessamadison/secrets-management-keeping-api-keys-and-credentials-safe-140h https://dev.to/vanessamadison/secrets-management-keeping-api-keys-and-credentials-safe-140h <p>Hard-coded secrets are the most dangerous vulnerability. They're committed to version control, leaked in logs, exposed in error messages, and stolen in supply chain attacks. Proper secrets management means treating credentials as infrastructure, not code.</p> <h2> 1. Use Environment Variables, Not Hardcoded Values </h2> <p>Environment variables are the bare minimum, but they're not foolproof.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Vulnerable</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">sk_live_abc123xyz789</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nf">postgres</span><span class="p">(</span><span class="s2">`postgresql://</span><span class="p">${</span><span class="nx">apiKey</span><span class="p">}</span><span class="s2">@host`</span><span class="p">);</span> <span class="c1">// Better</span> <span class="kd">const</span> <span class="nx">apiKey</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_KEY</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="nf">postgres</span><span class="p">(</span><span class="s2">`postgresql://</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_USER</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_PASSWORD</span><span class="p">}</span><span class="s2">@</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_HOST</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// Validate on startup</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_KEY</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">API_KEY environment variable is required</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> 2. Never Commit <code>.env</code> Files </h2> <p>Use <code>.gitignore</code> to exclude environment files, and provide <code>.env.example</code> templates.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># .gitignore .env .env.local .env.*.local *.log </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># .env.example (commit this) DATABASE_URL=postgresql://user:password@localhost:5432/mydb API_KEY=change-me JWT_SECRET=change-me </code></pre> </div> <h2> 3. Use Dedicated Secrets Management Services </h2> <p>Tools like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault provide encryption, rotation, and audit logging.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">AWS</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">secretsManager</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SecretsManager</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="dl">'</span><span class="s1">us-east-1</span><span class="dl">'</span> <span class="p">});</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getSecret</span><span class="p">(</span><span class="nx">secretName</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">secretsManager</span><span class="p">.</span><span class="nf">getSecretValue</span><span class="p">({</span> <span class="na">SecretId</span><span class="p">:</span> <span class="nx">secretName</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">SecretString</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`Failed to retrieve secret: </span><span class="p">${</span><span class="nx">secretName</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">err</span><span class="p">);</span> <span class="k">throw</span> <span class="nx">err</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">dbPassword</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getSecret</span><span class="p">(</span><span class="dl">'</span><span class="s1">prod/db-password</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h2> 4. Implement Secret Rotation </h2> <p>Rotate secrets regularly to limit the damage from compromised credentials. Automate this with your secrets manager.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// AWS Lambda function to rotate RDS password</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sm</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SecretsManager</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">rds</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">RDS</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">SecretString</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newPassword</span> <span class="o">=</span> <span class="nf">generateSecurePassword</span><span class="p">();</span> <span class="c1">// Update RDS password</span> <span class="k">await</span> <span class="nx">rds</span><span class="p">.</span><span class="nf">modifyDBInstance</span><span class="p">({</span> <span class="na">DBInstanceIdentifier</span><span class="p">:</span> <span class="dl">'</span><span class="s1">prod-db</span><span class="dl">'</span><span class="p">,</span> <span class="na">MasterUserPassword</span><span class="p">:</span> <span class="nx">newPassword</span><span class="p">,</span> <span class="na">ApplyImmediately</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="c1">// Update secret</span> <span class="k">await</span> <span class="nx">sm</span><span class="p">.</span><span class="nf">updateSecret</span><span class="p">({</span> <span class="na">SecretId</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">ClientRequestToken</span><span class="p">,</span> <span class="na">SecretString</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="p">...</span><span class="nx">secret</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">newPassword</span> <span class="p">})</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="p">};</span> </code></pre> </div> <h2> 5. Monitor Secret Access </h2> <p>Log every access to secrets. Unusual access patterns (off-hours, multiple services, rapid requests) are red flags.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">getSecret</span><span class="p">(</span><span class="nx">secretName</span><span class="p">,</span> <span class="nx">context</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auditLog</span> <span class="o">=</span> <span class="p">{</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SECRET_ACCESS</span><span class="dl">'</span><span class="p">,</span> <span class="nx">secretName</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SERVICE_NAME</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="na">requestId</span><span class="p">:</span> <span class="nx">context</span><span class="p">.</span><span class="nx">requestId</span><span class="p">,</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nx">context</span><span class="p">.</span><span class="nx">ipAddress</span> <span class="p">};</span> <span class="k">await</span> <span class="nx">auditLogger</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">auditLog</span><span class="p">);</span> <span class="k">return</span> <span class="nx">secretsManager</span><span class="p">.</span><span class="nf">getSecretValue</span><span class="p">({</span> <span class="na">SecretId</span><span class="p">:</span> <span class="nx">secretName</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h2> 6. Separate Secrets by Environment </h2> <p>Production secrets should never be accessible to development environments, and vice versa.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">getSecretPath</span><span class="p">(</span><span class="nx">env</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">validEnvs</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">staging</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">validEnvs</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">env</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Invalid environment: </span><span class="p">${</span><span class="nx">env</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">env</span><span class="p">}</span><span class="s2">/secrets`</span><span class="p">;</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">secrets</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">secretsManager</span><span class="p">.</span><span class="nf">getSecretValue</span><span class="p">({</span> <span class="na">SecretId</span><span class="p">:</span> <span class="nf">getSecretPath</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span><span class="p">)</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> </code></pre> </div> <p><strong>Thanks for reading!</strong> If this post was insightful for you, please share it with your team or leave a comment with your own security wins.</p> <p>Secrets in code are like leaving your keys in the door. The attack isn't a matter of <em>if</em>, but <em>when</em>.</p> <blockquote> <p>With proper secrets management, rotation, and monitoring, credentials become a controlled asset rather than a liability.</p> </blockquote> <p><strong><em>I help teams build zero-trust secrets infrastructure that scales from startup to enterprise.</em></strong></p> <p>Secure your credentials today: <a href="https://illapex.com" rel="noopener noreferrer">ILLAPEX</a></p> security devops cloud api 𝙑𝙖𝙣𝙚𝙨𝙨𝙖 𝙈𝙖𝙙𝙞𝙨𝙤𝙣 Wed, 08 Oct 2025 03:34:43 +0000 https://dev.to/vanessamadison/graphql-security-protecting-queries-and-mutations-36ak https://dev.to/vanessamadison/graphql-security-protecting-queries-and-mutations-36ak <p>GraphQL's flexibility is powerful—until attackers exploit it. Without proper defenses, queries can expose the entire schema, mutations can bypass validation, and resolvers can leak sensitive data. Securing GraphQL means defending at every layer: schema, query, and resolver.</p> <h2> 1. Validate and Limit Query Complexity </h2> <p>Unrestricted queries invite <strong>query bombs</strong>—attackers craft deeply nested queries that exhaust server resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">buildSchema</span><span class="p">,</span> <span class="nx">graphql</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createComplexityLimitMiddleware</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql-query-complexity</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">middleware</span> <span class="o">=</span> <span class="nf">createComplexityLimitMiddleware</span><span class="p">({</span> <span class="na">maximumComplexity</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">variables</span><span class="p">:</span> <span class="p">{},</span> <span class="na">onComplete</span><span class="p">:</span> <span class="p">(</span><span class="nx">complexity</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Query complexity: </span><span class="p">${</span><span class="nx">complexity</span><span class="p">}</span><span class="s2">`</span><span class="p">),</span> <span class="na">createError</span><span class="p">:</span> <span class="p">(</span><span class="nx">max</span><span class="p">,</span> <span class="nx">actual</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Query too complex: </span><span class="p">${</span><span class="nx">actual</span><span class="p">}</span><span class="s2"> &gt; </span><span class="p">${</span><span class="nx">max</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/graphql</span><span class="dl">'</span><span class="p">,</span> <span class="nx">middleware</span><span class="p">);</span> </code></pre> </div> <h2> 2. Authenticate and Authorize Mutations </h2> <p>Every mutation is a write operation. Enforce role-based access and validate permissions before executing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">resolvers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Mutation</span><span class="p">:</span> <span class="p">{</span> <span class="na">updateUser</span><span class="p">:</span> <span class="p">(</span><span class="nx">parent</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="nx">context</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">context</span><span class="p">.</span><span class="nx">user</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">context</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="o">!==</span> <span class="nx">args</span><span class="p">.</span><span class="nx">userId</span> <span class="o">&amp;&amp;</span> <span class="nx">context</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">role</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">ADMIN</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Forbidden: Cannot modify other users</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">db</span><span class="p">.</span><span class="nx">users</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">args</span><span class="p">.</span><span class="nx">data</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> 3. Hide Sensitive Fields from Schema </h2> <p>Introspection leaks your entire schema. Disable it in production and control field visibility per role.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">apollo</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ApolloServer</span><span class="p">({</span> <span class="nx">typeDefs</span><span class="p">,</span> <span class="nx">resolvers</span><span class="p">,</span> <span class="na">introspection</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="na">context</span><span class="p">:</span> <span class="p">({</span> <span class="nx">req</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">user</span><span class="p">:</span> <span class="nf">verifyToken</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">),</span> <span class="na">isIntrospectionAllowed</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span> <span class="p">})</span> <span class="p">});</span> </code></pre> </div> <h2> 4. Sanitize Resolver Arguments </h2> <p>User input in mutations should be treated as hostile until proven otherwise.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">validator</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">validator</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">resolvers</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Mutation</span><span class="p">:</span> <span class="p">{</span> <span class="na">createPost</span><span class="p">:</span> <span class="p">(</span><span class="nx">parent</span><span class="p">,</span> <span class="nx">args</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sanitized</span> <span class="o">=</span> <span class="p">{</span> <span class="na">title</span><span class="p">:</span> <span class="nx">validator</span><span class="p">.</span><span class="nf">escape</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">title</span><span class="p">),</span> <span class="na">content</span><span class="p">:</span> <span class="nx">validator</span><span class="p">.</span><span class="nf">trim</span><span class="p">(</span><span class="nx">args</span><span class="p">.</span><span class="nx">content</span><span class="p">),</span> <span class="na">tags</span><span class="p">:</span> <span class="nx">args</span><span class="p">.</span><span class="nx">tags</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">t</span> <span class="o">=&gt;</span> <span class="nx">validator</span><span class="p">.</span><span class="nf">escape</span><span class="p">(</span><span class="nx">t</span><span class="p">))</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">db</span><span class="p">.</span><span class="nx">posts</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">sanitized</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> 5. Rate Limit Per User </h2> <p>Prevent mutations from being used as attack vectors by enforcing per-user rate limits.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">rateLimit</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">graphql-rate-limit</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">rateLimitDirective</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">10</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">typeDefs</span> <span class="o">=</span> <span class="s2">` type Mutation { createPost(title: String!): Post @rateLimit(window: "15m", limit: 10) } `</span><span class="p">;</span> </code></pre> </div> <p>GraphQL's power comes from its precision. That same precision must apply to security.</p> <blockquote> <p>With proper validation, complexity limits, and role-based access, GraphQL becomes a secure foundation for modern APIs.</p> </blockquote> <p><strong>Thanks for reading!</strong> If this post helped you understand GraphQL security patterns, please share it with your team or leave a comment with your own security wins.</p> <p><strong><em>I help teams implement GraphQL architectures that balance flexibility with bulletproof security.</em></strong></p> <p>Explore more: <a href="https://illapex.com" rel="noopener noreferrer">ILLAPEX</a></p> security node webdev graphql 𝙑𝙖𝙣𝙚𝙨𝙨𝙖 𝙈𝙖𝙙𝙞𝙨𝙤𝙣 Sun, 21 Sep 2025 07:26:15 +0000 https://dev.to/vanessamadison/database-security-patterns-for-web-applications-3gdn https://dev.to/vanessamadison/database-security-patterns-for-web-applications-3gdn <p>Databases are the crown jewels of any system. One injection flaw, and attackers can walk away with everything. Protecting this layer requires multiple, overlapping defenses. </p> <h2> 1. Parameterize Queries </h2> <p>Never concatenate strings into queries. Use parameterized statements and prepared queries.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Vulnerable</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="s2">`SELECT * FROM users WHERE email = '</span><span class="p">${</span><span class="nx">email</span><span class="p">}</span><span class="s2">'`</span><span class="p">);</span> <span class="c1">// Secure</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">SELECT * FROM users WHERE email = ?</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">email</span><span class="p">]);</span> </code></pre> </div> <h2> 2. Role-Based Access Control (RBAC) </h2> <p>Map DB roles to application permissions. A reporting service should not be able to <code>DELETE</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Create role-specific database users</span> <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">app_read_only</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">ROLE</span> <span class="n">app_write_user</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">SELECT</span> <span class="k">ON</span> <span class="n">users</span> <span class="k">TO</span> <span class="n">app_read_only</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">SELECT</span><span class="p">,</span> <span class="k">INSERT</span><span class="p">,</span> <span class="k">UPDATE</span> <span class="k">ON</span> <span class="n">users</span> <span class="k">TO</span> <span class="n">app_write_user</span><span class="p">;</span> </code></pre> </div> <h2> 3. Encrypt Sensitive Fields </h2> <p>Passwords are hashed, but fields like SSN, phone numbers, and tokens should be encrypted with AES-256-GCM or similar.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="kd">function</span> <span class="nf">encrypt</span><span class="p">(</span><span class="nx">text</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">iv</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">16</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cipher</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createCipheriv</span><span class="p">(</span><span class="dl">'</span><span class="s1">aes-256-gcm</span><span class="dl">'</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ENCRYPTION_KEY</span><span class="p">,</span> <span class="nx">iv</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">encrypted</span> <span class="o">=</span> <span class="nx">cipher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">text</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="nx">encrypted</span> <span class="o">+=</span> <span class="nx">cipher</span><span class="p">.</span><span class="nf">final</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">tag</span> <span class="o">=</span> <span class="nx">cipher</span><span class="p">.</span><span class="nf">getAuthTag</span><span class="p">().</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">iv</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)}</span><span class="s2">:</span><span class="p">${</span><span class="nx">tag</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">encrypted</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> 4. Monitor Access </h2> <p>Audit logs reveal <em>who accessed what, when, and how often</em>. Unusual activity should raise alarms.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Example PostgreSQL auditing extension</span> <span class="k">CREATE</span> <span class="n">EXTENSION</span> <span class="n">pgaudit</span><span class="p">;</span> <span class="k">ALTER</span> <span class="k">SYSTEM</span> <span class="k">SET</span> <span class="n">pgaudit</span><span class="p">.</span><span class="n">log</span> <span class="o">=</span> <span class="s1">'write, ddl'</span><span class="p">;</span> </code></pre> </div> <h2> 5. Build Defense in Depth </h2> <p>Application validation, role isolation, encryption, and monitoring together create true resilience. </p> <blockquote> <p>Databases demand <em>respect and paranoia</em>. A secure schema is the difference between integrity and irreversible breach. </p> </blockquote> <p><strong>Thanks for reading!</strong> If this post was insightful for you, please share it with your team or leave a comment with your own security wins.</p> <p><em><strong>I help teams architect databases that resist both casual attacks and advanced threats.</strong></em> </p> <p>Curious? Explore how: <a href="https://illapex.com" rel="noopener noreferrer">ILLAPEX</a></p> database security sql backend 𝙑𝙖𝙣𝙚𝙨𝙨𝙖 𝙈𝙖𝙙𝙞𝙨𝙤𝙣 Sun, 21 Sep 2025 07:19:29 +0000 https://dev.to/vanessamadison/aws-security-best-practices-for-production-applications-25e9 https://dev.to/vanessamadison/aws-security-best-practices-for-production-applications-25e9 <p>AWS can scale your business overnight — or expose it if misconfigured. From IAM sprawl to open S3 buckets, mistakes are common. Security in AWS requires <em>defense in depth</em>. </p> <h2> 1. IAM as the First Line </h2> <ul> <li>Favor <em>least privilege</em> roles </li> <li>Avoid all-powerful <code>AdministratorAccess</code> policies </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-app-bucket/user-uploads/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"s3:x-amz-server-side-encryption"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws:kms"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 2. VPC for Layered Defense </h2> <ul> <li>Public subnets for entry points </li> <li>Private subnets for app and database tiers </li> <li>Restrictive security groups between layers </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AppSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">Application tier security group</span> <span class="na">VpcId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">VPC</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">SourceSecurityGroupId</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">LoadBalancerSecurityGroup</span> </code></pre> </div> <h2> 3. Encrypt at Rest and in Transit </h2> <ul> <li>KMS for S3 and RDS </li> <li>SSL enforcement on databases </li> <li>TLS for all APIs </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">s3</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">S3</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="p">{</span> <span class="na">Bucket</span><span class="p">:</span> <span class="dl">'</span><span class="s1">secure-bucket</span><span class="dl">'</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">data.json</span><span class="dl">'</span><span class="p">,</span> <span class="na">Body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}),</span> <span class="na">ServerSideEncryption</span><span class="p">:</span> <span class="dl">'</span><span class="s1">aws:kms</span><span class="dl">'</span><span class="p">,</span> <span class="na">SSEKMSKeyId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">KMS_KEY_ID</span> <span class="p">};</span> <span class="k">await</span> <span class="nx">s3</span><span class="p">.</span><span class="nf">upload</span><span class="p">(</span><span class="nx">params</span><span class="p">).</span><span class="nf">promise</span><span class="p">();</span> </code></pre> </div> <h2> 4. Monitor and Detect </h2> <ul> <li>CloudTrail for audit logs </li> <li>CloudWatch alarms for anomalies </li> <li>GuardDuty for threat detection </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">CloudTrail</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::CloudTrail::Trail</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">TrailName</span><span class="pi">:</span> <span class="s">my-audit-trail</span> <span class="na">S3BucketName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">AuditLogsBucket</span> <span class="na">IsMultiRegionTrail</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">EnableLogFileValidation</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <h2> 5. Manage Secrets Properly </h2> <p>Leverage <strong>Secrets Manager</strong> or <strong>SSM Parameter Store</strong> with automated rotation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">AWS</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">aws-sdk</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">sm</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AWS</span><span class="p">.</span><span class="nc">SecretsManager</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">secret</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sm</span><span class="p">.</span><span class="nf">getSecretValue</span><span class="p">({</span> <span class="na">SecretId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">prod/db-password</span><span class="dl">'</span> <span class="p">}).</span><span class="nf">promise</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">secret</span><span class="p">.</span><span class="nx">SecretString</span><span class="p">);</span> </code></pre> </div> <h2> 6. Automate Compliance </h2> <p>Use Lambda or Config Rules to detect — and remediate — insecure configurations in real time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">ec2</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">ec2</span><span class="sh">'</span><span class="p">)</span> <span class="n">sgs</span> <span class="o">=</span> <span class="n">ec2</span><span class="p">.</span><span class="nf">describe_security_groups</span><span class="p">()[</span><span class="sh">'</span><span class="s">SecurityGroups</span><span class="sh">'</span><span class="p">]</span> <span class="k">for</span> <span class="n">sg</span> <span class="ow">in</span> <span class="n">sgs</span><span class="p">:</span> <span class="k">for</span> <span class="n">rule</span> <span class="ow">in</span> <span class="n">sg</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">IpPermissions</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]):</span> <span class="k">for</span> <span class="n">ip_range</span> <span class="ow">in</span> <span class="n">rule</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">IpRanges</span><span class="sh">'</span><span class="p">,</span> <span class="p">[]):</span> <span class="k">if</span> <span class="n">ip_range</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">CidrIp</span><span class="sh">'</span><span class="p">)</span> <span class="o">==</span> <span class="sh">'</span><span class="s">0.0.0.0/0</span><span class="sh">'</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Insecure SG found: </span><span class="si">{</span><span class="n">sg</span><span class="p">[</span><span class="sh">'</span><span class="s">GroupId</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>The cloud is only as secure as the guardrails you define. </p> <blockquote> <p>With the right practices, AWS becomes not just scalable, but dependable. </p> </blockquote> <p><strong>Thanks for reading!</strong> If this post was insightful for you, please share it with your team or leave a comment with your own security wins.</p> <p><em><strong>I design AWS environments where security is baked in, not bolted on.</strong></em><br><br> See case studies and services: <a href="https://kodex.studio" rel="noopener noreferrer">kodex.studio</a></p> aws cloud security devops 𝙑𝙖𝙣𝙚𝙨𝙨𝙖 𝙈𝙖𝙙𝙞𝙨𝙤𝙣 Sun, 21 Sep 2025 07:14:28 +0000 https://dev.to/vanessamadison/implementing-zero-trust-architecture-in-nodejs-applications-5be9 https://dev.to/vanessamadison/implementing-zero-trust-architecture-in-nodejs-applications-5be9 <p>Zero-Trust is often summarized in five words: <em>never trust, always verify</em>. In Node.js, this philosophy reshapes how we treat requests, queries, and inter-service communication. </p> <h2> 1. Authenticate Every Request </h2> <p>Every API call is <em>guilty until proven innocent</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">authorization</span><span class="p">?.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">JWT_SECRET</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">decoded</span> <span class="o">||</span> <span class="o">!</span><span class="nf">hasPermission</span><span class="p">(</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">role</span><span class="p">,</span> <span class="nx">req</span><span class="p">.</span><span class="nx">route</span><span class="p">.</span><span class="nx">permission</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Insufficient permissions</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h2> 2. Harden Database Queries </h2> <p>Even trusted users can exploit weak queries. Parameterize and validate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">body</span><span class="p">(</span><span class="dl">'</span><span class="s1">userId</span><span class="dl">'</span><span class="p">).</span><span class="nf">isUUID</span><span class="p">().</span><span class="nf">escape</span><span class="p">();</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">SELECT id, email FROM users WHERE id = ?</span><span class="dl">'</span><span class="p">,</span> <span class="p">[</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">userId</span><span class="p">]);</span> </code></pre> </div> <h2> 3. Authenticate Service-to-Service Communication </h2> <p>Microservices must prove identity via <strong>mutual TLS</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">https</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">https</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fs</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">options</span> <span class="o">=</span> <span class="p">{</span> <span class="na">cert</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">client.crt</span><span class="dl">'</span><span class="p">),</span> <span class="na">key</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">client.key</span><span class="dl">'</span><span class="p">),</span> <span class="na">ca</span><span class="p">:</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="dl">'</span><span class="s1">ca.crt</span><span class="dl">'</span><span class="p">)</span> <span class="p">};</span> <span class="nx">https</span><span class="p">.</span><span class="nf">request</span><span class="p">({</span> <span class="p">...</span><span class="nx">options</span><span class="p">,</span> <span class="na">hostname</span><span class="p">:</span> <span class="dl">'</span><span class="s1">service.local</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">res</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">data</span><span class="dl">'</span><span class="p">,</span> <span class="nx">chunk</span> <span class="o">=&gt;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">chunk</span><span class="p">.</span><span class="nf">toString</span><span class="p">()));</span> <span class="p">}).</span><span class="nf">end</span><span class="p">();</span> </code></pre> </div> <h2> 4. Log with Context </h2> <p>Logs should tell the full story: <em>who acted, from where, and what happened</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">winston</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">winston</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">securityLogger</span> <span class="o">=</span> <span class="nx">winston</span><span class="p">.</span><span class="nf">createLogger</span><span class="p">({</span> <span class="na">level</span><span class="p">:</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="nx">winston</span><span class="p">.</span><span class="nx">format</span><span class="p">.</span><span class="nf">combine</span><span class="p">(</span> <span class="nx">winston</span><span class="p">.</span><span class="nx">format</span><span class="p">.</span><span class="nf">timestamp</span><span class="p">(),</span> <span class="nx">winston</span><span class="p">.</span><span class="nx">format</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="p">),</span> <span class="na">transports</span><span class="p">:</span> <span class="p">[</span><span class="k">new</span> <span class="nx">winston</span><span class="p">.</span><span class="nx">transports</span><span class="p">.</span><span class="nc">Console</span><span class="p">()]</span> <span class="p">});</span> <span class="nx">securityLogger</span><span class="p">.</span><span class="nf">info</span><span class="p">({</span> <span class="na">event</span><span class="p">:</span> <span class="dl">'</span><span class="s1">LOGIN_ATTEMPT</span><span class="dl">'</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">id</span><span class="p">,</span> <span class="na">ip</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="na">action</span><span class="p">:</span> <span class="dl">'</span><span class="s1">AUTHENTICATE</span><span class="dl">'</span><span class="p">,</span> <span class="na">result</span><span class="p">:</span> <span class="dl">'</span><span class="s1">SUCCESS</span><span class="dl">'</span> <span class="p">});</span> </code></pre> </div> <h2> 5. Validate Configuration </h2> <p>Don’t run production apps with missing secrets or weak defaults. Enforce schemas on startup with tools like Joi.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">Joi</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">joi</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">schema</span> <span class="o">=</span> <span class="nx">Joi</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">NODE_ENV</span><span class="p">:</span> <span class="nx">Joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">valid</span><span class="p">(</span><span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">).</span><span class="nf">required</span><span class="p">(),</span> <span class="na">JWT_SECRET</span><span class="p">:</span> <span class="nx">Joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nf">required</span><span class="p">(),</span> <span class="na">DB_PASSWORD</span><span class="p">:</span> <span class="nx">Joi</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">12</span><span class="p">).</span><span class="nf">required</span><span class="p">()</span> <span class="p">});</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">schema</span><span class="p">.</span><span class="nf">validate</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Configuration validation failed: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span><span class="p">);</span> </code></pre> </div> <blockquote> <p>Zero-Trust means designing systems as if they’re already under attack. Each layer enforces its own defenses, creating resilience by default. </p> </blockquote> <p><strong>Thanks for reading!</strong> If this post was insightful for you, please share it with your team or leave a comment with your own security wins.</p> <p><em><strong>I help teams implement Zero-Trust in Node.js and beyond, without slowing their delivery cycles.</strong></em> </p> <p>Let’s connect: <a href="https://illapex.com" rel="noopener noreferrer">ILLAPEX</a></p> node security backend 𝙑𝙖𝙣𝙚𝙨𝙨𝙖 𝙈𝙖𝙙𝙞𝙨𝙤𝙣 Sun, 21 Sep 2025 07:10:04 +0000 https://dev.to/vanessamadison/react-security-patterns-every-developer-should-know-8ep https://dev.to/vanessamadison/react-security-patterns-every-developer-should-know-8ep <p>Building secure React applications requires more than just following best practices—it demands understanding the specific vulnerabilities that single-page applications face and implementing defensive patterns from the start.</p> <h2> 1. Prevent Cross-Site Scripting (XSS) </h2> <p>By default, React escapes values in JSX. But shortcuts like <code>dangerouslySetInnerHTML</code> open the door to attackers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// Vulnerable</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">dangerouslySetInnerHTML</span><span class="p">=</span><span class="si">{</span><span class="p">{</span><span class="na">__html</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">bio</span><span class="p">}</span><span class="si">}</span> <span class="p">/&gt;</span> </code></pre> </div> <p>Instead, sanitize with a trusted library:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">DOMPurify</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">dompurify</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">safeBio</span> <span class="o">=</span> <span class="nx">DOMPurify</span><span class="p">.</span><span class="nf">sanitize</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">bio</span><span class="p">);</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">dangerouslySetInnerHTML</span><span class="p">=</span><span class="si">{</span><span class="p">{</span><span class="na">__html</span><span class="p">:</span> <span class="nx">safeBio</span><span class="p">}</span><span class="si">}</span> <span class="p">/&gt;</span> </code></pre> </div> <h2> 2. Treat Authentication as Sacred </h2> <p>Tokens in <code>localStorage</code> are exposed to XSS. A safer pattern is <strong>httpOnly cookies</strong> with CSRF tokens:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/login</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">'</span><span class="s1">include</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">X-CSRF-Token</span><span class="dl">'</span><span class="p">:</span> <span class="k">await</span> <span class="nf">getCSRFToken</span><span class="p">()</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">credentials</span><span class="p">)</span> <span class="p">});</span> </code></pre> </div> <h2> 3. Sanitize Props and Inputs </h2> <p>Props aren’t immune. Always validate and sanitize before rendering:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="kd">const</span> <span class="nx">cleanQuery</span> <span class="o">=</span> <span class="nx">query</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">&lt;&gt;</span><span class="se">]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">);</span> <span class="p">&lt;</span><span class="nt">h2</span><span class="p">&gt;</span>Results for: <span class="si">{</span><span class="nx">cleanQuery</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h2</span><span class="p">&gt;</span> </code></pre> </div> <h2> 4. Keep State Lean </h2> <p><em>Context and Redux should not carry secrets.</em> Expose only what the UI truly needs (permissions, IDs, roles). </p> <h2> 5. Respect Environment Configurations </h2> <p>Anything prefixed with <code>REACT_APP_</code> is visible to the client. Keep true secrets server-side, delivered through a secure API. </p> <h2> 6. Secure Headers at Deployment </h2> <p>Defend React apps at the edge by setting strict headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Strict-Transport-Security</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">max-age=31536000</span><span class="dl">'</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content-Security-Policy</span><span class="dl">'</span><span class="p">,</span> <span class="dl">"</span><span class="s2">default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'</span><span class="dl">"</span> <span class="p">);</span> </code></pre> </div> <p>Security isn’t a feature; it’s a foundation. </p> <blockquote> <p>When baked into your React components and architecture, these patterns create user trust that lasts. </p> </blockquote> <p><strong>Thanks for reading!</strong> If this post was insightful for you, please share it with your team or leave a comment with your own security wins.</p> <p><em><strong>Looking for a partner who builds React apps with security at the core?</strong></em></p> <p>See how I help teams deliver resilient frontends: <a href="https://illapex.com" rel="noopener noreferrer">ILLAPEX</a></p> react security webdev javascript