Inspired by BulletProof React, I applied its codebase architecture concepts to the Umami codebase.
This article focuses only on the security best practices used in Umami codebase.
You might be wondering:
What is Umami?
What are security best practices?
Let’s find out.
What is Umami?
Umami is an open-source, privacy-focused web analytics tool that serves as an alternative to Google Analytics. It provides essential insights into website traffic, user behavior, and performance, all while prioritizing data privacy.
Unlike many traditional analytics platforms, Umami does not collect or store personal data, avoiding the need for cookies, and is GDPR and PECR compliant.
Designed to be lightweight and easy to set up, Umami can be self-hosted, giving users full control over their data.
A detailed getting started guide can be found at umami.is/docs.
Quickstart
To get Umami up and running you will need to:
I pulled the above information from the Umami docs.
What are security best practices?
In the context of a web application, I find Bulletproof React's security.md helpful. This document focuses on:
Authentication
You could use either cookies or localStorage to store the JWT. It is recommended to put this token in a cookie with the httpOnly flag enabled, so that client-side script cannot read it.
Authorization
You can authorise a user in two ways:
Role based access control
Permission based access control
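The two points above (a JWT kept in an httpOnly cookie, and role-based versus permission-based authorization) as an added Node.js example. This is illustration code written for this article, not code from Umami or Bulletproof React; the cookie name, the roles and the permission strings are assumptions.

```javascript
// Added example, not Umami's own code. Cookie name, roles and
// permission strings are hypothetical.

// Build a Set-Cookie header value for a session JWT. HttpOnly keeps
// document.cookie (and any injected script) from reading the token,
// Secure restricts it to HTTPS, SameSite=Lax limits cross-site sending.
function sessionCookie(jwt, { name = 'session', maxAgeSeconds = 3600, secure = true } = {}) {
  // Reject characters that would let a token break out of the header.
  if (/[\s;,]/.test(jwt)) throw new Error('invalid token characters');
  const parts = [
    `${name}=${jwt}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'SameSite=Lax',
  ];
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Permissions granted to each role (constructed sample data).
const ROLE_PERMISSIONS = {
  admin: new Set(['website:read', 'website:write', 'user:manage']),
  viewer: new Set(['website:read']),
};

// Role-based access control: is the user in one of the allowed roles?
function hasRole(user, allowedRoles) {
  return allowedRoles.includes(user.role);
}

// Permission-based access control: does the user's role grant it?
function hasPermission(user, permission) {
  const perms = ROLE_PERMISSIONS[user.role];
  return perms !== undefined && perms.has(permission);
}

// Guard combining both strategies. Unauthenticated users are always
// denied; with no requirements listed, any authenticated user passes.
function authorize(user, { roles = [], permissions = [] } = {}) {
  if (!user) return false;
  if (roles.length > 0 && !hasRole(user, roles)) return false;
  return permissions.every((p) => hasPermission(user, p));
}

// Usage with constructed sample users
console.log(sessionCookie('header.payload.signature'));
console.log(authorize({ id: 1, role: 'admin' }, { permissions: ['user:manage'] })); // true
console.log(authorize({ id: 2, role: 'viewer' }, { permissions: ['website:write'] })); // false
```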
We will apply these concepts to the Umami codebase and get an understanding of how authentication and authorization are implemented.
In the next article, we will review how the authentication is implemented in the Umami codebase.
About me:
Hey, my name is Ramu Narasinga. I study codebase architecture in large open-source projects.
Email: ramu.narasinga@gmail.com
I spent 200+ hours analyzing Supabase, shadcn/ui, LobeChat. Found the patterns that separate AI slop from production code. Stop refactoring AI slop. Start with proven patterns. Check out production-grade projects at thinkthroo.com