3 days after launch, our DB CPU spiked to 100%. Logs showed a SQL Injection attack. This is a war story of how we urgently deployed AWS WAF to block the attack. I also explain Positive vs Negative Security Models and the OWASP Core Rule Set (CRS).
A comprehensive deep dive into client-side storage. From Cookies to IndexedDB and the Cache API. We explore security best practices for JWT storage (XSS vs CSRF), performance implications of synchronous APIs, and how to build offline-first applications using Service Workers.
App crashes only in Release mode? It's likely ProGuard/R8. Learn how to debug obfuscated stack traces, use `@Keep` annotations, and analyze `usage.txt`.
How to deploy without shutting down servers. Differences between Rolling, Canary, and Blue-Green. Deep dive into Database Rollback strategies, Online Schema Changes, AWS CodeDeploy integration, and Feature Toggles.
Solving server waste at dawn and crashes at lunch. Understanding Auto Scaling vs Serverless through 'Taxi Dispatch' and 'Pizza Delivery' analogies. Plus, cost-saving tips using Spot Instances.
One pattern that shows up repeatedly in security incident case studies goes like this.
Shortly after a service launch, data like this starts appearing in an order_note column:
' OR 1=1 --
'; DROP TABLE users; --
UNION SELECT 1, @@version --
A chill runs down your spine just looking at it. SQL Injection. Someone is running an automated scanner to probe the site for vulnerabilities. Even if the ORM blocks the basic attacks, logs often show over 100 requests per second, driving server CPU to 100%.
The instinct might be to block those IPs at the code level—but that still forces the server to spend resources checking each IP. The right answer is to stop them before they even reach the application server.
WAF is literally a Firewall for Web Apps. Let's use an airport analogy.
We urgently attached AWS WAF to our ALB (Load Balancer).
WAF comes with a standard set of rules called OWASP CRS. Just turning this on automatically blocks globally known attack patterns.
' OR 1=1.<script> tags./etc/passwd.The moment we applied it, the attack logs stopped dead. The overheating server CPU returned to peace.
There are two philosophies when operating a WAF.
id must be an integer" in WAF.A few days after deploying WAF, a new report comes in. A user can't complete registration.
The logs show the blocked user's nickname was "Select".
The WAF saw the word Select, thought "Is this a SQL Injection SELECT * FROM?" and blocked it. (True story).
This is a False Positive. Security so strong it treats innocent users as criminals.
Solution:nickname field").In the old days, we installed open-source WAFs like ModSecurity directly on Nginx. But today, Cloud WAF (AWS, Cloudflare) is the way to go.
Yes. To inspect the packet body, WAF must decrypt the HTTPS traffic. This is why you attach WAF to the Load Balancer (ALB) or use a CDN (Cloudflare) where the SSL termination happens.
No. WAF cannot stop Business Logic Attacks. If a hacker logs in normally and scrapes all your public data, WAF sees it as "normal traffic". You need other defenses (like Captcha or anomaly detection) for that.
Startup CTOs often say, "Is AWS WAF expensive?"
Let's do the math. AWS WAF is $5/month + $0.60 per million requests. For most startups, it costs less than two cups of coffee.
But if you get hacked? GDPR fines, loss of customer trust, engineering time for recovery... It costs millions. Your company might die.
Developers, Don't stay up all night writing Regex filters for SQL Injection. Just turn on WAF. Use that time to build features that make money. That is the smartest trade-off you can make.
If you cannot afford Cloud WAF, ModSecurity is the industry standard open-source WAF. It plugs into Nginx, Apache, and IIS. It uses the SecRule language, which is powerful but looks like cryptic regex soup.
Example Rule (Block SQL Injection):
SecRule ARGS "DELETE[[:space:]]+FROM" "id:1000,deny,msg:'SQL Injection Attempt'"
In reality, you don't write these. You download the OWASP CRS (Core Rule Set), which contains thousands of pre-written rules. Be warned: ModSecurity adds latency to every request because it has to regex-match the entire payload body. It can slow down your server by 10-20% if not tuned correctly.
Security is a cat-and-mouse game.
SeLeCt * FrOm users (Bypasses naive regex).SELECT/**/username/**/FROM (Bypasses space detection).?id=1&id=2. Some WAFs check the first id, but the backend uses the second id.Knowing these techniques helps you confirm why a "Cloud WAF" that constantly updates its engine is superior to a static static regex rule.