Category: Security & Best Practices
6 articles on security & best practices.
The OWASP Top 10 for Full-Stack Developers in 2026
The OWASP Top 10 is still the baseline for web security. A full-stack, code-first walk through each risk and the concrete fix in a modern JS/TS app.
npm Supply Chain Attacks: How to Protect Your Codebase in 2026
npm supply chain attacks are now relentless. Here's the practical, senior-engineer playbook to harden your install, CI, and build pipeline in 2026.
JWT vs Session Cookies in 2026: Stop Getting Auth Wrong
The JWT-everywhere trend caused a decade of broken auth. Here is the honest tradeoff between stateless tokens and session cookies, and what I reach for.
Rate Limiting Strategies for APIs: Token Bucket, Sliding Window, and Where to Enforce It
Rate limiting is your API seatbelt. A practical comparison of fixed window, sliding window, and token bucket, with where in the stack to enforce each.
Secrets Management: Stop Shipping API Keys in .env
A .env file is where secrets go to leak. The progression from .env to platform vars to secret managers to OIDC, and how to stop committing keys for good.
CORS, CSRF, and the Same-Origin Policy, Explained
CORS, CSRF, and the same-origin policy get confused constantly. They solve different problems. A clear, code-first explanation of what each one actually does.