
Security Checklist for Full Stack Web Developers - benthehenten
https://blog.logrocket.com/security-for-fullstack-web-developers-part-1-a56340283f7c
======
cl0rkster
I'm not sure that logrocket belongs on such a "security" checklist. While I
understand the value that they propose to offer, I'm not sure that wholesale
recording your users' sessions and then sending them to a third-party server
for storage and retrieval really meshes with my idea of security - especially
if the site contains PII. I fully understand that you can intentionally do
work to hide that information from logrocket, but that is putting a lot of
trust in both devs and in logrocket to get that one right.

While there may be such a tool, I'm not aware of something like this that runs
as a first party script and uses local storage. It would indeed be very useful
to escape the logs->screenshots->can't reproduce cycle mentioned.

~~~
benthehenten
I'm on the LogRocket team.

Your concern is fair, though many modern analytics tools can capture PII if
not properly configured. It is important when using any such tools, including
LogRocket, that developers understand the scope of the data collected and
properly censor things like SSN, Credit Cards, or health data.

Some of our more security-conscious customers also just run LogRocket on their
own servers with our self-hosted version. In this case, the script becomes
first party, and they can configure behavior where no data leaves the client
unless a user specifically gives permission.
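As an added illustration of the censoring point made above (this is not LogRocket's code, nor either commenter's): a request sanitizer that a session-recording SDK's network hook could call before any captured data leaves the client. The `{ headers, body }` request shape, the header and field names, and the sample request are all assumptions constructed for the example.

```javascript
// Added example, not LogRocket's code: scrub PII from a captured network
// request before a session-recording SDK ships it off the client.
// The { headers, body } request shape is an assumption about the SDK hook.
const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'set-cookie', 'x-api-key']);
const SENSITIVE_FIELDS = /^(ssn|password|cardnumber|cvv|diagnosis)$/i;
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;
// 13-19 digits with optional single space/dash separators, ending on a digit.
const CARD_RE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Luhn checksum, so only plausible card numbers are masked (fewer false positives).
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d; double = !double;
  }
  return sum % 10 === 0;
}

// Mask SSN-shaped strings and Luhn-valid card numbers inside free text.
function maskText(text) {
  return text.replace(SSN_RE, '***-**-****').replace(CARD_RE, (m) => {
    const digits = m.replace(/\D/g, '');
    return luhnValid(digits) ? '[CARD ' + digits.slice(-4) + ']' : m;
  });
}

// Recursively scrub a parsed JSON value: redact sensitive keys, mask strings.
function scrubValue(key, value) {
  if (SENSITIVE_FIELDS.test(key)) return '[REDACTED]';
  if (typeof value === 'string') return maskText(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue('', v));
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, scrubValue(k, v)]));
  }
  return value;
}

// Entry point for the SDK's request hook: returns a copy that is safe to record.
function sanitizeRequest(req) {
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    headers[k] = SENSITIVE_HEADERS.has(k.toLowerCase()) ? '[REDACTED]' : v;
  }
  let body = req.body;
  if (typeof body === 'string') {
    try { body = JSON.stringify(scrubValue('', JSON.parse(body))); }
    catch (e) { body = maskText(body); } // not JSON: treat as free text
  }
  return { ...req, headers, body };
}
```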

~~~
cl0rkster
That is awesome to hear that there is a self-hosted version. I was reading
through your docs hoping to find something like that. Is there somewhere on
your site that I missed which gives more details about this?

~~~
benthehenten
So far, we've worked with a few larger customers to run LogRocket on their own
infrastructure (or their own AWS environment in some cases), but we haven't
publicized the specifics yet.

If you shoot me an email (ben at logrocket) I'd be happy to discuss in more
detail :)

------
flavio81
TL;DR: The advice is:

_"use Open source software", "add logging", "set all pages to HTTPS"_ and
follow a _"top 10 list of the most critical security threats"_

Sad state of things.

The concept of having your work done by a "Full Stack Developer" will not be
nice for opening up potential security holes, in my opinion.

Additionally, I don't think there exists a real "Full Stack" dev, and I'm not
alone in this opinion; click anywhere:

[https://medium.com/swlh/the-full-stack-developer-is-a-myth-4...](https://medium.com/swlh/the-full-stack-developer-is-a-myth-4e3fb9c25867)

[https://news.ycombinator.com/item?id=10182936](https://news.ycombinator.com/item?id=10182936)

[http://andyshora.com/full-stack-developers.html](http://andyshora.com/full-stack-developers.html)

[https://frontendmasters.com/books/front-end-handbook/2017/pr...](https://frontendmasters.com/books/front-end-handbook/2017/practice/myth.html)

[https://vitamintalent.com/blog/the-myth-of-the-full-stack-de...](https://vitamintalent.com/blog/the-myth-of-the-full-stack-developer)

[https://techcrunch.com/2014/11/08/the-rise-and-fall-of-the-f...](https://techcrunch.com/2014/11/08/the-rise-and-fall-of-the-full-stack-developer/)

[https://www.propelrr.com/blog/ux/full-stack-web-developer.ht...](https://www.propelrr.com/blog/ux/full-stack-web-developer.html)

~~~
anarchy8
Not every company can afford to have a person dedicated to security. No full
stack developer is a complete generalist -- everyone specializes naturally.
The point is that they are comfortable doing a wide range of tasks. For some
people that might make more sense.

~~~
flavio81
> Not every company can afford to have a person dedicated to security

But even in a team of 2 people you can have a good front-end developer and a
good back-end developer.

------
gandreani
> In Node, if you use Express (find out in the next article why you shouldn’t,
> but most people do)

Now that's just mean. Why can't he just say it there!

~~~
rawnlq
Some more links that are Express-specific:

[https://expressjs.com/en/advanced/best-practice-security.htm...](https://expressjs.com/en/advanced/best-practice-security.html)

[https://blog.risingstack.com/node-js-security-checklist/](https://blog.risingstack.com/node-js-security-checklist/)

I am also curious to know what's wrong with express.

