I hack websites — 10 golden rules for full-stack beginners

Warning

Photo by Markus Spiske on Unsplash

Golden Rule 1 : No API key in frontend

What should you do?

Golden Rule 2 : Centralise requests

  • Protect your API Keys: See Golden Rule 1
  • Keep your data providers secret: If you fear competitors and don’t want them to know your processes and your data providers
  • Preprocess the result: You only return what the user needs, and no sensitive information that might be returned by an external API
  • Whitelist your server IP with the external API: That way, even if your API Key is stolen, a hacker cannot directly call the external API pretending to be you (actually he/she can, but it’s harder)
  • Speed up operations: Users’ browsers are slower than your back-end server. There are exceptions, but let’s assume it’s a general truth: you should not perform any calculation (even formatting/concatenation…) in your visitor’s browser. It’s already a pain for them to load images, don’t mine bitcoin with a 15-year-old computer!
  • Monitor: Every request going through your API can be measured and monitored. Maybe you don’t know now what you could do with this data, but one day you might need to analyse it, extract patterns, estimate growth… If all the requests go through your server, you can record them.

Golden Rule 3: No personal data from the backend

This website displays a ranking on the right, all good 👌 But the API call returns additional data like user emails.

Golden Rule 4: No personal data in JSON Web Token (JWT)

JSON Web Token can be read (easily)!
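Golden Rule 4 in code, as an added example that is not part of the original post: the post's own "Go further?" token is decoded with nothing more than base64 (no key, no signature check), while getting a result you can trust requires the HMAC secret. The `sign_hs256`/`verify_hs256` helpers and the `test-secret` value are this example's own, not anything the post describes.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# The "Go further?" token at the end of this post (copied from the post, not constructed).
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJtZXNzYWdlIjoiSGV5ISBJZiB5b3Ugd2VudCB0aGF0IGZhciwgSSB0aGluayBJIGRlc2VydmUgc29tZSBjbGFwcyBvbiBNZWRpdW0hIDspIELDqXJhbmdlciJ9."
    "gLlL1qC75B-_l3m8n98Xz9P1qYGvFgoqEvnobjCOYRU"
)

def _b64url_decode(segment: str) -> bytes:
    # JWT uses base64url without '=' padding (RFC 7515); restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _hs256(signing_input: bytes, secret: bytes) -> str:
    return _b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())

def read_claims(token: str) -> Tuple[dict, dict]:
    """Decode header and payload with no key and no signature check: a signed JWT is
    tamper-evident, not confidential, so personal data does not belong in it."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token (hypothetical helper, used to show that only verification needs the key)."""
    header_b64 = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return f"{header_b64}.{payload_b64}.{_hs256(signing_input, secret)}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the HS256 signature matches `secret`; the algorithm is pinned, not read from the header."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not hmac.compare_digest(_hs256(signing_input, secret), sig_b64):
        return None
    return json.loads(_b64url_decode(payload_b64))

if __name__ == "__main__":
    header, claims = read_claims(TOKEN)
    print(header, claims["message"])  # readable without any secret at all
    print(verify_hs256(TOKEN, b"hypothetical-guess"))  # None: readable, but not trustworthy
```

Anything you put in the payload (emails, names, roles) is visible to whoever holds the token; the signature only tells the server the payload was not modified.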

Golden Rule 5: Hash passwords — or don’t ask for passwords

Passwordless authentication

Golden Rule 6: Don’t copy-paste blindly

Golden Rule 7: Don’t really know what you are doing? Don’t Reinvent The Wheel.

Golden Rule 8: Validate all input on the backend side

Golden Rule 9: Monitor, Log and check

Golden Rule 10: Implement an API Gateway

  • Deciding specifically what routes are open to the world (even after having copy-pasted a CRUD logic with all your API entities (Golden Rule 3))
  • A default rate-limit that can easily be lowered
  • A default payload size limit (in some of them)
  • Monitoring and Logging: An API Gateway is like a toll, everything that uses your routes is logged and recorded
  • Other cool, easy extras that make life easier

Golden Rule 11: Forget hammock

Go further?

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXNzYWdlIjoiSGV5ISBJZiB5b3Ugd2VudCB0aGF0IGZhciwgSSB0aGluayBJIGRlc2VydmUgc29tZSBjbGFwcyBvbiBNZWRpdW0hIDspIELDqXJhbmdlciJ9.gLlL1qC75B-_l3m8n98Xz9P1qYGvFgoqEvnobjCOYRU

Beranger Natanelic