I hack websites — 10 golden rules for full-stack beginners


Photo by Markus Spiske on Unsplash

Golden Rule 1 : No API key in frontend

Golden Rule 2 : Centralise requests

Golden Rule 3: No personal data from the backend

This website displays a ranking on the right, all good 👌 But the API call returns additional data like user emails

Golden Rule 4: No personal data in JSON Web Token (JWT)

JSON Web Token can be read (easily)!

JWT is used to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key.

Golden Rule 5: Hash passwords — or don’t ask passwords

Golden Rule 6: Don’t copy-paste blindly

Golden Rule 7: Don’t really know what you are doing ? Don’t Reinvent The Wheel.

Golden Rule 8: Validate all input on the backend side

Golden Rule 9: Monitor, Log and check

Golden Rule 10: Implement an API Gateway

Golden Rule 11: Forget hammock

Go further?




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store