Security is Everyone's Responsibility
Security vulnerabilities often originate in code. Understanding common attack patterns and defensive coding practices prevents breaches.
Input Validation
Never Trust User Input
// BAD - Using user input directly
const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
// GOOD - Parameterized query
const query = 'SELECT * FROM users WHERE id = $1';
const result = await db.query(query, [req.params.id]);
// GOOD - Schema validation with Zod
import { z } from 'zod';
const UserIdSchema = z.object({
id: z.string().uuid()
});
function getUser(req, res) {
const result = UserIdSchema.safeParse(req.params);
if (!result.success) {
return res.status(400).json({ error: 'Invalid user ID' });
}
// Now safe to use result.data.id
}Whitelist vs Blacklist
// BAD - Blacklist approach (trying to block bad input)
function sanitize(input) {
return input.replace(/