[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-10206":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":10,"languages":10,"totalLinesOfCode":10,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":15,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":21,"hasPages":19,"topics":22,"createdAt":10,"pushedAt":10,"updatedAt":28,"readmeContent":29,"aiSummary":30,"trendingCount":15,"starSnapshotCount":15,"syncStatus":16,"lastSyncTime":31,"discoverSource":32},10206,"security-guide-for-developers","FallibleInc\u002Fsecurity-guide-for-developers","FallibleInc","Security Guide for Developers","https:\u002F\u002Fgit.io\u002Fsecurity",null,21086,1581,1059,18,0,2,8,68.4,false,"master",true,[23,24,25,26,27],"api","books","security","security-book","security-checklist","2026-06-12 04:00:49","# A practical security guide for web developers (Work in progress)\n\n### The intended audience\n\nSecurity issues happen for two reasons:\n\n1. Developers who have just started and cannot really tell the difference between using MD5 and bcrypt.\n2. Developers who know this stuff but forget or ignore it.\n\nOur detailed explanations should help the first group, while we hope our checklist helps the second build more secure systems. This is by no means a comprehensive guide; it covers the most common issues we have discovered in the past.\n\n\n### Contents\n\n1. [The Security Checklist](security-checklist.md)\n2. [What can go wrong?](what-can-go-wrong.md)    \n3. [Securely transporting stuff: HTTPS explained](https.md)\n4. Authentication: I am who I say I am  \n4.1 Form-based authentication  \n4.2 Basic authentication  \n4.3 One is not enough: 2 factor, 3 factor, ....   
\n4.4 Why use insecure text messages? Introducing HOTP & TOTP   \n4.5 Handling password resets\n5. Authorization: What am I allowed to do?  \n5.1 Token-based Authorization  \n5.2 OAuth & OAuth2  \n5.3 JWT\n6. Data Validation and Sanitization: Never trust user input  \n6.1 Validating and Sanitizing Inputs  \n6.2 Sanitizing Outputs  \n6.3 Cross Site Scripting  \n6.4 Injection Attacks  \n6.5 User uploads  \n6.6 Tamper-proof user inputs\n7. Plaintext != Encoding != Encryption != Hashing  \n7.1 Common encoding schemes  \n7.2 Encryption  \n7.3 Hashing & One-way functions  \n7.4 Hashing speeds cheatsheet\n8. Passwords: dadada, 123456 and cute@123  \n8.1 Password policies  \n8.2 Storing passwords  \n8.3 Life without passwords\n9. Public Key Cryptography\n10. Sessions: Remember me, please  \n10.1 Where to save state?  \n10.2 Invalidating sessions  \n10.3 Cookie monster & you\n11. Fixing security, one header at a time  \n11.1 Secure web headers  \n11.2 Data integrity check for 3rd party code  \n11.3 Certificate Pinning\n12. Configuration mistakes    \n12.1 Provisioning in cloud: Ports, Shodan & AWS  \n12.2 Honey, you left the debug mode on  \n12.3 Logging (or not logging)  \n12.4 Monitoring  \n12.5 Principle of least privilege  \n12.6 Rate limiting & Captchas  \n12.7 Storing project secrets and passwords in a file    \n12.8 DNS: Of subdomains and forgotten pet-projects  \n12.9 Patching & Updates  \n13. Attacks: When the bad guys arrive  \n13.1 Clickjacking  \n13.2 Cross Site Request Forgery  \n13.3 Denial of Service  \n13.4 Server Side Request Forgery\n14. [Stats about vulnerabilities discovered in Internet Companies](vulnerabilities-stats.md)   \n15. On reinventing the wheel, and making it square  \n15.1 Security libraries and packages for Python  \n15.2 Security libraries and packages for Node\u002FJS  \n15.3 Learning resources\n16. Maintaining good security hygiene\n17. Security vs. Usability\n18. 
Back to Square 1: The Security Checklist explained\n\n\n\n\n### Who are we?\n\nWe are full-stack developers who just grew tired of watching how developers were lowering the barrier to call something a hack by writing insecure code. In the past six months, we have prevented leaks of more than 15 million credit card details and personal details of over 45 million users, and potentially saved companies from shutting down. Recently, we discovered an issue that could result in system takeover and a data leak at a bitcoin institution. We have helped several startups secure their systems, most of them for free, sometimes without even getting a thank you in response :)\n\n\n*If you disagree with something or find a bug, please open an issue or file a PR. Alternatively, you can talk to us at hello@fallible.co*\n","FallibleInc\u002Fsecurity-guide-for-developers is a practical security guide aimed at web developers. The project provides a thorough security checklist, together with in-depth explanations of common security topics such as authentication, authorization, data validation and encryption. It aims to help beginners understand basic security concepts while giving experienced developers a quick reference for avoiding common security oversights. It is suitable for any web developer who wants to improve the security of their applications or is looking for guidance on how to build more secure systems. By following this guide, developers can better understand and implement security practices, and so reduce the vulnerabilities caused by insecure code.","2026-06-11 03:27:11","top_topic"]