We Should Care More About Web App Security

Show Notes

1. Intro

Quick summary of why security matters—especially for indie/full-stack devs
- Why AI makes this even more important
16 Billion user credentials/passwords have been leaked in a recent exposure
Outline what the episode will cover: walking through a simple app and breaking down security risks at each layer

2. The Sample App

Example: A basic SaaS note-taking app (Next.js + tRPC + Prisma + PostgreSQL)
Authenticated users can:
- Register/Login
- Create, edit, and delete notes
- Share notes via a public link

3. Frontend Vulnerabilities

Attack Surface:
- Inputs (forms, query params, cookies, URLs)
Risks:
- XSS (e.g., displaying note content with <script> tags)
- CSRF (Cross-site request forgery) (if using traditional cookies)
- Clickjacking (if public notes are embeddable)
Mitigations:
- Sanitize inputs/output (DOMPurify, sanitize-html)
- Set CSP (Content Security Policy) headers
- Use SameSite cookies or CSRF tokens
- Set X-Frame-Options: DENY

4. API/Backend Vulnerabilities

Attack Surface:
- HTTP endpoints (tRPC procedures, REST routes)
Risks:
- Broken auth (e.g., sharing unprotected endpoints)
- Insecure direct object references (IDOR)
- Rate limiting issues
Mitigations:
- Authorization checks in every endpoint (e.g., note.ownerId === ctx.user.id)
- Avoid exposing sequential IDs
- Use middleware to enforce access controls
- Add rate limiting (e.g., @upstash/ratelimit, Redis)
  - Rate limits should be carefully placed with the right windows

5. Database Layer

Attack Surface:
- Prisma queries, ORM methods
Risks:
- SQL injection (less common with Prisma, but still possible with raw queries)
- Overly permissive queries
Mitigations:
- Always use parameterized queries
- Avoid raw SQL unless necessary
- Validate and sanitize user inputs before use

6. Auth & Session Management

Attack Surface:
- Login forms, tokens, cookies
Risks:
- Token leakage
- Insecure cookie settings
- JWT tampering (if poorly implemented)
Mitigations:
- Store tokens securely (e.g., HTTPOnly cookies)
- Rotate tokens often, use refresh token pattern
- Sign JWTs with strong secrets and validate expiration
- Don’t use passwords, or if you do make sure they are
  - stored hashed and encrypted
  - long enough to be unbruteforceable

7. Public Link Sharing

Risks:
- Enumeration attacks (guessing note IDs)
- Leaked private data (if access controls aren't enforced)
Mitigations:
- Use UUIDs or hashed slugs
- Set expiration or one-time access on links

8. Hosting & Deployment

Attack Surface:
- Environment variables, server config
Risks:
- Exposed .env files
- Verbose error messages in production
Mitigations:
- Use .env.production properly, don’t commit secrets
- Custom error handling middleware
- Disable stack traces in production

9. Conclusion

Recap the biggest areas devs often miss
Encourage listeners to:
- Use security checklists (OWASP, etc.)
- Use automated tools (e.g., Snyk, ZAP, Prisma’s schema validation)
- Think in layers: frontend, backend, storage, deploy

How to support the show

Patreon

Prices subject to change and are listed in USD

Support the show from as little as ~$1/month
Get a shoutout at the end of the episode (while supplies last) for just ~$3/month
Help support the HTML All The Things Podcast: Click Here

Scrimba Discount - Coding Courses!

Learn to code using Scrimba with their interactive follow-along code editor.

Join their exclusive discord communities and network to find your first job!

Use our affiliate link for a 20% discount!!

Click the link to take you to the Scrimba site
A pop-up should appear on your screen with the discount amount and instructions on how to claim it
Discount is for new accounts only

We receive a monetary kickback if you use our affiliate link and make a purchase.