I hack websites — 10 golden rules for full-stack beginners

Warning

This article contains essential advice for beginners building their first web application. It also contains amateur hacking techniques that can considerably impact a web application. Use them with care, play a bit with them only on web applications you own or are allowed to test, and remember Golden Rule 0: “Don’t do unto others what you don’t want done unto you.”


Golden Rule 1 : No API key in frontend

Nope. Never. Niet. Nada.

What should you do?

Anything shipped to the browser (JavaScript bundles, HTML, the requests shown in the network tab of DevTools) is public, so a key embedded there is a key you have published. All requests to external APIs must be made by your server, which reads the key from an environment variable or a secret store the browser never sees.

Golden Rule 2 : Centralise requests

As we saw in Golden Rule 1, all the requests involving external APIs should be made by your server.

  • Protect your API Keys: See Golden Rule 1
  • Keep your data providers secret: If you fear competitors and don’t want them to know your processes and your data providers, routing every call through your server hides which providers you use
  • Preprocess the result: Return only what the user needs, and strip sensitive information that an external API might return
  • Whitelist your server IP on the external API: That way, even if your API Key is stolen, a hacker can not directly call the external API pretending to be you (they still can if they manage to route the call through your server, for example via an SSRF bug, but it is harder)
  • Speed up operations: Users’ browsers are generally slower than your back-end server. There are exceptions, but as a rule of thumb, keep heavy processing (aggregation, reformatting large payloads…) on the server. It’s already a pain for them to load images, don’t mine bitcoin with a 15 year old computer!
  • Monitor: Every request going through your server can be measured and monitored. Maybe you don’t know now what you could do with this data, but one day you might need to analyse it, extract patterns, estimate growth… If all the requests go through your server, you can record them.

Golden Rule 3: No personal data from the backend

Users’ personal data should not be visible to anyone who is not entitled to it! An API response is readable by whoever opens the browser’s network tab, so a field your page does not render is still a field you leaked. Return only the fields the page needs (an allowlist), never the whole database record.

This website displays a ranking on the right, all good 👌 But the API call returns additional data like user emails.
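As an added example (not code from the article), here is the shape of the server-side route that Golden Rules 1 to 3 describe: the key is read from the server environment, the browser only ever calls our own route, and the upstream answer is cut down to an allowlist of fields before it leaves the server. It is written in Python with the standard library only; the provider URL, the RANKING_API_KEY variable name, the upstream JSON and the /api/ranking route are assumptions made for the example, and the `fetch` callable is injected so the handler can be run offline.

```python
from __future__ import annotations

import json
import os
from typing import Callable

# Constructed sample of what a third-party ranking API might return.
# The page only renders id/name/score; the rest must never reach the browser.
UPSTREAM_SAMPLE = json.dumps({
    "items": [
        {"id": 17, "name": "alice", "score": 980, "email": "alice@example.com",
         "ip": "203.0.113.7", "billing_id": "cus_0001"},
        {"id": 42, "name": "bob", "score": 950, "email": "bob@example.com",
         "ip": "198.51.100.2", "billing_id": "cus_0002"},
    ],
    "quota_remaining": 4990,
})

# Allowlist of fields the frontend needs. A new upstream field stays hidden by default.
PUBLIC_FIELDS = ("id", "name", "score")

UPSTREAM_BASE = "https://ranking.example/v1"  # hypothetical provider


def load_api_key(env=os.environ) -> str:
    """Rule 1: the key lives in the server environment (or a secret store),
    never in a JS bundle. `env` is a parameter only so tests can pass a dict."""
    key = env.get("RANKING_API_KEY")
    if not key:
        raise RuntimeError("RANKING_API_KEY is not set on the server")
    return key


def build_upstream_request(path: str, api_key: str) -> dict:
    """The request *our server* sends. The browser only ever sees /api/ranking."""
    return {"url": UPSTREAM_BASE + path,
            "headers": {"Authorization": f"Bearer {api_key}"}}


def sanitize_ranking(upstream_body: str) -> list[dict]:
    """Rules 2 and 3: copy only allowlisted fields. A denylist ("drop email")
    would silently leak the next field the provider adds."""
    data = json.loads(upstream_body)
    return [{k: item[k] for k in PUBLIC_FIELDS if k in item}
            for item in data.get("items", [])]


def ranking_handler(fetch: Callable[[dict], str], audit_log: list,
                    env=os.environ) -> list[dict]:
    """Handler behind GET /api/ranking. In production `fetch` performs the
    HTTPS call; here it is injected so the function runs offline.
    Returns the JSON-serialisable list the web framework would send back."""
    request = build_upstream_request("/ranking?limit=10", load_api_key(env))
    public = sanitize_ranking(fetch(request))
    # Rule 2 (Monitor): every upstream call passes through here, so count it.
    audit_log.append({"route": "/api/ranking", "items_returned": len(public)})
    return public


if __name__ == "__main__":
    os.environ.setdefault("RANKING_API_KEY", "demo-key-not-real")
    log: list = []
    print(json.dumps(ranking_handler(lambda req: UPSTREAM_SAMPLE, log), indent=2))
    print(log)
```

Two details matter more than the rest: the field list is an allowlist (everything not named is dropped, including fields the provider adds later), and the handler raises when the key is missing instead of sending an unauthenticated request upstream.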

Golden Rule 4: No personal data in JSON Web Token (JWT)

Yes, to create a JWT you need a secret (or a private key) that only you know. But that secret is used to sign the token, not to encrypt it.

JSON Web Tokens can be read (easily)!

JWT is used to transmit information between parties as a JSON object. The information can be verified and trusted because it is digitally signed, either with a shared secret (for example HMAC-SHA256) or with a public/private key pair. The signature proves the token was not altered; it does not hide the contents. The header and payload are plain base64url-encoded JSON, so anyone holding the token (the user, a proxy, a log file) can decode them. Put a user id and an expiry in the payload, not emails, addresses or anything else you would not print on the page.
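To make the point concrete, the added example below (Python, standard library only, not code from the article) decodes the token printed at the end of this article without knowing its secret, then shows the other side: minting and verifying an HS256 token with a constructed secret, and what happens when the payload is edited or the `alg` is switched to `none`. The demo secret and the `sub`/`role` claims are assumptions made for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# The token printed at the bottom of this article. We do not know its secret.
ARTICLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJtZXNzYWdlIjoiSGV5ISBJZiB5b3Ugd2VudCB0aGF0IGZhciwgSSB0aGluayBJIGRlc2VydmUg"
    "c29tZSBjbGFwcyBvbiBNZWRpdW0hIDspIELDqXJhbmdlciJ9."
    "gLlL1qC75B-_l3m8n98Xz9P1qYGvFgoqEvnobjCOYRU"
)


def b64url_decode(segment: str) -> bytes:
    # JWT strips the '=' padding; put it back before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def read_without_secret(token: str) -> tuple[dict, dict]:
    """What anyone holding a token can do: decode header and payload.
    No key, no verification, just base64."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint a token: base64url(header).base64url(payload).base64url(HMAC)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes) -> dict | None:
    """Returns the payload only if the signature checks out, else None.
    The algorithm is pinned: a header claiming alg=none is rejected outright."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return None
    return json.loads(b64url_decode(p_b64))


if __name__ == "__main__":
    header, payload = read_without_secret(ARTICLE_TOKEN)
    print("header :", header)
    print("payload:", payload)          # readable, no secret needed
    demo_secret = b"constructed-demo-secret"   # assumption for the example
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": 42}, demo_secret)
    print("verified:", verify_hs256(token, demo_secret))
    print("wrong key:", verify_hs256(token, b"guess"))
```

The verifier uses `hmac.compare_digest` rather than `==` so the comparison does not leak timing, and it checks `alg` against the one value it supports instead of trusting the header, which is how `alg: none` and key-confusion bugs are avoided in libraries that were hit by them.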

Golden Rule 5: Hash passwords — or don’t ask passwords

This Golden Rule is obvious and, generally, it’s the first thing developers learn. Maybe because they themselves use the same password for all websites and want to evaluate the risk (high).

Passwordless authentication

Actually, that’s not totally true: I used to be a big fan of bcrypt; I now prefer passwordless authentication.
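Both halves of this rule, as an added example in Python (standard library only, not the author's code): a salted, slow password hash with a constant-time comparison, and a magic-link store for the passwordless route that keeps only a hash of each emailed token, expires it, and accepts it once. PBKDF2 is used because it ships with Python; in a real project a maintained bcrypt, scrypt or Argon2id library is the better pick (Golden Rule 7). The 15 minute lifetime, the storage format and the injectable clock are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256. Slow on purpose.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Fresh random salt per user, so identical passwords hash differently
    and a leaked table cannot be attacked with one precomputed list."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# --- passwordless: magic links -------------------------------------------
LINK_TTL_SECONDS = 15 * 60   # assumption: links die after 15 minutes


class MagicLinks:
    """Stores SHA-256(token) -> (email, expiry). The plain token exists only
    in the URL you email; a dump of this table hands out no working links."""

    def __init__(self, now=time.time):
        self._now = now                   # injectable clock for tests
        self._pending: dict[str, tuple[str, float]] = {}

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)             # 256 bits of entropy
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._now() + LINK_TTL_SECONDS)
        return token                                   # put in the emailed link

    def redeem(self, token: str) -> str | None:
        """Returns the email the link was issued for, or None. pop() makes the
        link single use even when the redeem fails on expiry."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    links = MagicLinks()
    t = links.issue("alice@example.com")
    print(links.redeem(t), links.redeem(t))   # second redeem is None
```

Note that the magic link removes the password from your database entirely, but moves the trust to the user's mailbox and to the link's entropy and lifetime; that is why the token is 256 random bits, hashed at rest, short-lived and single use.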

Golden Rule 6: Don’t copy-paste blindly

When beginners want to build their first API, they often follow tutorials explaining how to create, update, list and delete records. Copied as-is, that code exposes every entity, every field and every operation to anyone who can reach the API, with no check on who is asking. Keep only the routes your frontend actually uses, and make sure each one checks that the caller is allowed to touch that particular record.

Golden Rule 7: Don’t really know what you are doing? Don’t Reinvent The Wheel.

Especially for a side project. Authentication, session handling, password storage and cryptography are the places where a home-made implementation goes wrong silently; use a maintained library or your framework’s built-in mechanism instead.

Golden Rule 8: Validate all input on the backend side

Frontend validation is not enough. The browser is the attacker’s machine: anyone can disable a form check, edit a request in DevTools or send JSON straight to your endpoint with curl. The backend must re-check every field (type, length, range, allowed values) and reject fields it does not expect.
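An added example of what that backend check looks like (Python, standard library only, not code from the article), for a hypothetical `POST /api/profile` body with `username`, `age` and `bio`: every field is type-checked and bounded, and unknown fields are an error rather than silently ignored, so a copy-pasted `update(**request.json)` cannot be used to set a column the form never showed. The field names and limits are assumptions made for the example.

```python
from __future__ import annotations

import re

# Assumed schema for POST /api/profile. Anything not listed here is rejected.
ALLOWED_FIELDS = {"username", "age", "bio"}
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,20}$")
BIO_MAX_LEN = 500
AGE_MIN, AGE_MAX = 13, 120


def validate_profile(body) -> tuple[dict | None, list[str]]:
    """Returns (clean_data, errors). clean_data is None when errors is non-empty.

    The frontend may enforce the same rules in an <input pattern=...>, but a
    request sent with curl never ran that code, so everything is redone here.
    Only the validated copy is returned; the raw body is never passed on."""
    errors: list[str] = []
    if not isinstance(body, dict):
        return None, ["body must be a JSON object"]

    # Unknown keys (is_admin, balance, owner_id ...) are the mass-assignment
    # vector a CRUD tutorial leaves open; name them so the client knows.
    for key in body:
        if key not in ALLOWED_FIELDS:
            errors.append(f"unexpected field: {key}")

    username = body.get("username")
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        errors.append("username: 3-20 chars, [a-z0-9_]")

    # bool is a subclass of int in Python, so `True` would pass isinstance(int).
    age = body.get("age")
    if not isinstance(age, int) or isinstance(age, bool) or not AGE_MIN <= age <= AGE_MAX:
        errors.append(f"age: integer {AGE_MIN}..{AGE_MAX}")

    bio = body.get("bio", "")
    if not isinstance(bio, str) or len(bio) > BIO_MAX_LEN:
        errors.append(f"bio: string up to {BIO_MAX_LEN} chars")

    if errors:
        return None, errors
    return {"username": username, "age": age, "bio": bio}, []


if __name__ == "__main__":
    print(validate_profile({"username": "alice_01", "age": 30, "bio": "hi"}))
    print(validate_profile({"username": "alice", "age": "30", "is_admin": True}))
```

The returned dict is rebuilt from the validated values rather than being the incoming body with checks applied, so the database layer can only ever see the three fields the route is meant to accept.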

Golden Rule 9: Monitor, Log and check

I guess many fresh websites don’t have any monitoring tools set up, because weeks after I discovered and manipulated a certain website, the same breaches were still there.
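What "reading logs" can catch with very little code, as an added example (Python, standard library only, not the author's tooling): over a handful of constructed access-log lines it flags a client hammering the login route with 401s and a client walking `/api/users/{id}` through one id after another, which is exactly how the leaked emails from Golden Rule 3 get harvested. The log format, the route names and the thresholds are assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed access-log lines: client ip, method, path, status.
# A real log carries timestamps too; these two detections do not need them.
SAMPLE_LOG = """\
203.0.113.7 GET /api/users/1 200
203.0.113.7 GET /api/users/2 200
203.0.113.7 GET /api/users/3 200
203.0.113.7 GET /api/users/4 200
203.0.113.7 GET /api/users/5 200
198.51.100.2 POST /api/login 401
198.51.100.2 POST /api/login 401
198.51.100.2 POST /api/login 401
198.51.100.2 POST /api/login 401
198.51.100.2 POST /api/login 401
198.51.100.2 POST /api/login 401
192.0.2.9 GET /api/ranking 200
192.0.2.9 GET /api/users/9 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
USER_ID_RE = re.compile(r"^/api/users/(\d+)$")


def parse(log_text: str) -> list[dict]:
    """One dict per well-formed line; malformed lines are skipped, not fatal."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "status": int(m["status"])})
    return rows


def find_suspects(log_text: str, max_failed_logins: int = 5,
                  max_distinct_ids: int = 4) -> dict[str, list[str]]:
    """Two cheap detections keyed by client IP:
    - more than `max_failed_logins` 401s on /api/login (credential guessing)
    - more than `max_distinct_ids` different ids fetched from /api/users/{id}
      by one client (enumeration / IDOR scanning)."""
    failed_logins: dict[str, int] = defaultdict(int)
    ids_seen: dict[str, set[str]] = defaultdict(set)
    for row in parse(log_text):
        if row["path"] == "/api/login" and row["status"] == 401:
            failed_logins[row["ip"]] += 1
        m = USER_ID_RE.match(row["path"])
        if m:
            ids_seen[row["ip"]].add(m.group(1))

    suspects: dict[str, list[str]] = defaultdict(list)
    for ip, n in failed_logins.items():
        if n > max_failed_logins:
            suspects[ip].append(f"{n} failed logins")
    for ip, ids in ids_seen.items():
        if len(ids) > max_distinct_ids:
            suspects[ip].append(f"enumerated {len(ids)} distinct /api/users/{{id}} records")
    return dict(suspects)


if __name__ == "__main__":
    for ip, reasons in find_suspects(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Thresholds this low would be noisy on a busy site; the point is that the signal is already in the log you get for free from any web server, and a script run from cron is enough to start with.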

Golden Rule 10: Implement an API Gateway

Some of the previous rules take time to implement and maintain: monitoring, logging, rate-limiting. Implementing an API Gateway is a great solution if you want to act fast and safely.

  • Deciding specifically which routes are open to the world (even after having copy-pasted a CRUD logic with all your API entities, see Golden Rules 3 and 6)
  • A default rate-limit that can easily be lowered
  • A default payload size limit (in some of them)
  • Monitoring and Logging: An API Gateway is like a toll booth, everything that uses your routes is logged and recorded
  • Other small conveniences that make life easier

Golden Rule 11: Forget hammock

Security is daily work. Depending on the size of your audience, you should spend anywhere from a few hours to days verifying that everything is working well, reading logs and investigating suspicious behaviour.

Go further?

This list is only a subset of the best practices when developing a web application. Some Golden Rules listed here address some of the OWASP Top 10 web vulnerabilities, and only partially. These Golden Rules will help beginners build a more secure application, but the work only starts here! I would love to have experts’ feedback to improve this article and correct it!

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXNzYWdlIjoiSGV5ISBJZiB5b3Ugd2VudCB0aGF0IGZhciwgSSB0aGluayBJIGRlc2VydmUgc29tZSBjbGFwcyBvbiBNZWRpdW0hIDspIELDqXJhbmdlciJ9.gLlL1qC75B-_l3m8n98Xz9P1qYGvFgoqEvnobjCOYRU

Beranger Natanelic

Future Unicorn Founder — Using tech for good