Writing about development and technology.
CSP is the last line of defense that stops XSS scripts from executing even if injected. Directive syntax, nonce approach, Next.js config, and a safe rollout strategy — all covered.
From injection and broken auth to XSS and the newest threats — OWASP Top 10 broken down with real code examples and practical mitigations for each vulnerability.
Understanding SSRF attack principles and defense methods through practical experience
I found my website running inside an iframe on a shady domain. I dive deep into 6 essential security headers (HSTS, X-Frame-Options, CSP, Permissions-Policy, etc.) to stop Clickjacking and XSS, with implementation guides for Nginx and Next.js.
Redirecting HTTP to HTTPS isn't enough to secure your users. You are still vulnerable to Man-in-the-Middle (MITM) attacks during that first split-second redirect. Learn how HSTS (HTTP Strict Transport Security) forces browsers to use HTTPS automatically, closing that critical security gap.
3 days after launch, our DB CPU spiked to 100%. Logs showed a SQL Injection attack. This is a war story of how we urgently deployed AWS WAF to block the attack. I also explain Positive vs Negative Security Models and the OWASP Core Rule Set (CRS).
I share how I hacked my friend's website with a single line of SQL Injection in high school. I explain the OWASP Top 10 vulnerabilities every developer must know allowing you to 'think like a hacker'. I focus on Injection, Broken Access Control (IDOR), Cryptographic Failures, and Security Misconfiguration.
How I lost my data due to a simple SQL Injection. Why Prepared Statements are the only silver bullet and if ORMs are truly safe.
My admin account was hijacked because of a single comment on the board. I dive deep into the 3 types of XSS (Stored, Reflected, DOM) and concrete defense strategies in React/Next.js environments, including HTML Escaping, CSP, and Cookie Security.
I thought adding a 'Login with Google' button would be easy. Instead, I faced Redirect URI errors, State parameters, and HTTPS issues. I share the 4-step 'dance' of OAuth 2.0, practical solutions with NextAuth.js, and how to handle mobile deep linking.
Clarifying the confusion between login and permission checks through real security incidents and the 'Airport Security' analogy. Deep dive into JWT structure, OAuth 2.0, and Authentication strategies in Microservices.
DDoS attacks are getting smarter and larger. This guide breaks down the anatomy of an attack, distinguishing between volumetic (L3/L4) and application layer (L7) assaults. Learn how enterprise defenses like Anycast networks, scrubbers, and intelligent rate limiting protect modern infrastructure.
A deep dive into one of the oldest and most dangerous software vulnerabilities. How rewriting the Return Address works, and how modern OS protections like ASLR, DEP/NX, and Stack Canaries attempt to stop it.
