📘 PART V (j) — Fullstack Security for Seniors (Threat Modeling, OWASP-by-Pattern)
SECTION 0 — SECURITY IS A SYSTEM PROPERTY
Senior engineers don’t “add security.”
They design so insecure states are hard to reach.
SECTION 1 — THREAT MODELING (LIGHTWEIGHT, REPEATABLE)
For any feature, answer:
- what are the assets? (accounts, money, data)
- who are the attackers? (anon, user, insider)
- what are the entry points? (API, UI, webhooks, uploads)
- what’s the worst-case impact?
Output:
- top 5 threats
- mitigations
- residual risk
SECTION 2 — OWASP BY PATTERN (WHAT SENIORS ACTUALLY APPLY)
XSS
- output encoding
- avoid dangerouslySetInnerHTML
- CSP
- keep secrets out of JS (HttpOnly cookies)
CSRF
- SameSite cookies
- CSRF tokens for unsafe methods
- Origin/Referer checks
CORS
- explicit allow-list of origins
- never allow credentials with a wildcard or reflected origin
SSRF
- avoid server-side fetch of user-provided URLs
- egress allow-list + DNS/IP protections
Injection
- parameterized queries
- validate inputs
Secrets / supply chain
- don’t commit secrets
- dependency scanning
- minimal permissions
SECTION 3 — SECURE-BY-DEFAULT API/UI PATTERNS
- cookie vs token: prefer cookie (HttpOnly) for web refresh tokens
- short-lived access tokens
- least privilege scopes
- audit logs for privileged actions
- rate limits on auth + abuse endpoints
SECTION 4 — COMMON FLOWS: WHAT TO CHECK
- Auth: session fixation, token replay, refresh storms
- Uploads: validate magic bytes, scan before serving, signed URLs
- Webhooks: signature verify, replay protect, idempotent handlers
- Admin tools: strict authZ, strong auditing
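An added example, not part of these notes, showing how the three webhook checks above combine in one receiver: an HMAC over timestamp and raw body, a timestamp window for replay protection, and event-id dedup so redelivery is idempotent. The secret, header names and payload are constructed for the example; it also covers the Section 5 exercise on webhook verification.

```python
import hmac
import hashlib
import json

# Constructed for this example: the shared secret and header names. Real providers
# document their own signature and timestamp headers.
SECRET = b"constructed-shared-secret"
TOLERANCE_SECONDS = 300  # how far the signed timestamp may drift from receiver time


def sign(body: bytes, timestamp: int, secret: bytes = SECRET) -> str:
    """Sender-side signature: HMAC-SHA256 over '<timestamp>.<raw body>'.
    Binding the timestamp into the MAC is what lets the receiver trust it."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes = SECRET, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self.seen_ids = set()  # production: shared store with TTL + atomic check-and-set

    def handle(self, headers: dict, body: bytes, now: int) -> str:
        # 1. Signature verify: constant-time compare over the raw body, before parsing it.
        ts_header = headers.get("X-Webhook-Timestamp", "")
        sig_header = headers.get("X-Webhook-Signature", "")
        if not ts_header.isdigit():
            return "rejected: missing timestamp"
        ts = int(ts_header)
        if not hmac.compare_digest(sign(body, ts, self.secret), sig_header):
            return "rejected: bad signature"
        # 2. Replay protect: the timestamp is authenticated, so a window bounds replays.
        if abs(now - ts) > self.tolerance:
            return "rejected: stale timestamp"
        # 3. Idempotent handler: dedup on the event id carried inside the signed body.
        event_id = json.loads(body).get("id")
        if not event_id:
            return "rejected: no event id"
        if event_id in self.seen_ids:
            return "duplicate: already processed"
        self.seen_ids.add(event_id)
        return "processed"  # the real business logic would run here


def demo() -> tuple:
    """Fresh delivery, exact replay, late replay, tampered body (constructed input)."""
    now, rx = 1_700_000_000, WebhookReceiver()
    body = b'{"id": "evt_1", "type": "payment.settled"}'
    good = {"X-Webhook-Timestamp": str(now), "X-Webhook-Signature": sign(body, now)}
    return (rx.handle(good, body, now), rx.handle(good, body, now),
            rx.handle(good, body, now + 301), rx.handle(good, body.replace(b"1", b"2"), now))
```

The order matters: verify the MAC first so the timestamp and event id you then trust are authenticated values, not attacker-controlled headers.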
SECTION 5 — EXERCISES
- Threat model your upload flow.
- Write CSRF defenses for your auth scheme.
- Define webhook verification + replay protection.