
Ask HN: How do you develop a secure web application? - mariksolo
I've recently been using node and Java Spring so I can learn how to build fully-fledged web apps. One of my side projects is an API that has to be secure because it has access to private data. I used JWTs for authentication but I'm not sure if it is actually secure.

When developing a product, how do you build and test it so that user information is protected, your APIs can't be abused etc.? Where do you learn this information so you can apply it in practice?
======
Ayesh
I've been working on security research for about 5 years, and all these years,
the only pattern I see is the wrong assumptions.

Don't trust the user input, don't trust the API endpoints you connect to,
don't trust HTTP headers, don't trust the browser to protect your cookies,
don't trust the browser to apply same-origin restrictions, etc.

OWASP top 10 is a great start. I have done quite a few talks about OWASP top
10 in a PHP context, but I suppose they wouldn't be useful in Node/Java
context. But there's plenty of things to watch out for in general (such as
CSRF and XSS), and language-specific stuff (such as Java's nasty XXE).

Because you mentioned JWT: It's often a quite low effort country when an app
uses JWT. JWT allows various authentication mechanisms that are either null,
or insecure. If you use JWT, make sure to restrict to the secure flags and
reject all other tokens.

