November Retro, Security Hardening Sprint
TL;DR — Spent the month auditing API security across three projects I touch. Found expected things: long-lived JWTs everywhere, missing CSRF on cookie-auth, rate limits only on login. Shipped fixes. Most-rewarding post by reader feedback: the “JWT for sessions is usually wrong” piece.
End of November. Closing the security theme.
What I audited
Three projects I’m involved in:
- The factory observability platform (from August-September)
- Our internal admin SaaS (from June Laravel work)
- A consulting client’s REST API (anonymized)
Spent ~2 days per project. Found:
Project 1: JWTs with 24-hour lifetime; no refresh token rotation; rate limit only on /api/login. Fixed: 15-min access tokens, refresh rotation with reuse detection, rate limits on all auth endpoints + per-user API call limits.
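To make the Project 1 fix concrete, here is an added example (my own illustration, not code from any of the three projects) of refresh-token rotation with reuse detection. Refresh tokens are opaque random strings stored only as SHA-256 hashes; every token belongs to a "family" that starts at login. On each refresh the presented token is marked used and a new one is issued in the same family; if a token that was already rotated is presented again, the whole family is revoked, because at that point either the legitimate client or whoever stole the token is replaying it and the server cannot tell which. The 15-minute access TTL matches the fix above; the 30-day refresh TTL and the access-token format (a plain string standing in for a JWT) are assumptions.

```python
"""Refresh-token rotation with reuse detection (added example, not project code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ACCESS_TTL = 15 * 60            # 15-minute access tokens, as in the fix
REFRESH_TTL = 30 * 24 * 3600    # assumed 30-day refresh-token lifetime


def _h(token: str) -> str:
    """Store only a hash of the refresh token, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RefreshRecord:
    user: str
    family: str          # all tokens descending from one login share a family
    expires_at: float
    used: bool = False   # set once the token has been rotated


@dataclass
class TokenStore:
    refresh: Dict[str, RefreshRecord] = field(default_factory=dict)  # sha256 -> record
    revoked_families: Set[str] = field(default_factory=set)

    def login(self, user: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Start a new token family for a freshly authenticated user."""
        now = time.time() if now is None else now
        return self._issue(user, secrets.token_hex(8), now)

    def _issue(self, user: str, family: str, now: float) -> Tuple[str, str]:
        # Opaque stand-in for a signed JWT: "user:expiry:nonce" (assumption).
        access = f"{user}:{int(now) + ACCESS_TTL}:{secrets.token_urlsafe(16)}"
        refresh = secrets.token_urlsafe(32)
        self.refresh[_h(refresh)] = RefreshRecord(user, family, now + REFRESH_TTL)
        return access, refresh

    def rotate(self, presented: str, now: Optional[float] = None) -> Tuple[str, str]:
        """Exchange a refresh token for a new access/refresh pair, or raise."""
        now = time.time() if now is None else now
        rec = self.refresh.get(_h(presented))
        if rec is None or rec.family in self.revoked_families or rec.expires_at < now:
            raise PermissionError("invalid or expired refresh token")
        if rec.used:
            # Reuse of an already-rotated token: treat as theft, kill the family.
            self.revoked_families.add(rec.family)
            raise PermissionError("refresh token reuse detected; family revoked")
        rec.used = True
        return self._issue(rec.user, rec.family, now)

    def family_is_revoked(self, presented: str) -> bool:
        rec = self.refresh.get(_h(presented))
        return rec is not None and rec.family in self.revoked_families


def access_expires_at(access: str) -> int:
    """Read the expiry out of the stand-in access token."""
    return int(access.split(":")[1])


if __name__ == "__main__":
    store = TokenStore()
    _, r1 = store.login("alice")
    _, r2 = store.rotate(r1)
    try:
        store.rotate(r1)           # replaying r1 revokes the family
    except PermissionError as e:
        print(e)
    print("r2 still usable:", not store.family_is_revoked(r2))
```

The reuse check is what distinguishes rotation from a plain "issue a new token every time": without it, a stolen refresh token keeps working alongside the victim's until it expires. Revoking the family forces both parties back to a full login, which is the only safe outcome once the server has seen a replay.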
Project 2: Cookie auth (good), no CSRF token on state-changing endpoints (bad), no SameSite attribute on cookies (worse), audit logs only on user-creation/deletion. Fixed: SameSite=Lax, CSRF tokens via Laravel’s built-in CSRF middleware, audit logging on all admin actions.
Project 3: API key auth, no scopes (one key = full access), keys stored plaintext in the DB. Recommendation report sent; implementation by client team is their call.
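The two Project 3 findings (no scopes, plaintext keys) can be fixed together. The added example below is my own illustration, not the client's code or my recommendation report verbatim: keys are issued as `key_id.secret`, only a SHA-256 of the secret is stored, lookup is by the non-secret `key_id`, the hash comparison is constant-time, and every key carries an explicit scope set that each endpoint checks. The key format and scope names are assumptions.

```python
"""Scoped API keys with hashed storage (added example, not client code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class ApiKeyRecord:
    key_hash: str             # sha256 of the secret half; plaintext is never stored
    scopes: FrozenSet[str]    # e.g. {"orders:read"}; one key no longer means full access
    revoked: bool = False


def _hash_secret(secret: str) -> str:
    # API keys are high-entropy random strings, so a fast hash (unlike a
    # password KDF) is adequate: brute force is infeasible against 256 bits.
    return hashlib.sha256(secret.encode()).hexdigest()


class ApiKeyStore:
    def __init__(self) -> None:
        self._keys: Dict[str, ApiKeyRecord] = {}   # key_id -> record

    def create(self, scopes: Iterable[str]) -> str:
        """Mint a key; the full value is shown to the caller exactly once."""
        key_id = secrets.token_hex(6)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = ApiKeyRecord(_hash_secret(secret), frozenset(scopes))
        return f"{key_id}.{secret}"

    def revoke(self, presented: str) -> None:
        key_id, _, _ = presented.partition(".")
        rec = self._keys.get(key_id)
        if rec is not None:
            self._keys[key_id] = ApiKeyRecord(rec.key_hash, rec.scopes, revoked=True)

    def lookup(self, presented: str) -> Optional[ApiKeyRecord]:
        """Return the record only if the presented secret matches its hash."""
        key_id, _, secret = presented.partition(".")
        rec = self._keys.get(key_id)
        if rec is None or rec.revoked:
            return None
        if not hmac.compare_digest(rec.key_hash, _hash_secret(secret)):
            return None
        return rec

    def authorize(self, presented: str, required_scope: str) -> bool:
        """What each endpoint calls: valid key AND the scope it needs."""
        rec = self.lookup(presented)
        return rec is not None and required_scope in rec.scopes


if __name__ == "__main__":
    store = ApiKeyStore()
    reader = store.create(["orders:read"])
    print("read allowed:", store.authorize(reader, "orders:read"))
    print("write allowed:", store.authorize(reader, "orders:write"))
```

If the database leaks, the attacker gets `key_id` and a hash, neither of which authenticates a request. Revocation and scope changes are per `key_id`, so a compromised read-only key can be cut off without touching any other integration.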
What changed in my own thinking
JWT-for-sessions is more common than I’d realized. Three years of “JWT everywhere” tutorials have created a cohort of engineers who never reach for sessions. Pre-2020 the warning was “don’t roll your own session”; in 2022 it should also be “don’t roll your own JWT.”
OAuth 2.1 is just OAuth done right. The 10-year accumulation of “don’t do X” has finally become “X is no longer in the spec.” Cleaner.
Rate limiting is more about availability than security. Originally I thought rate limit = defense against credential stuffing. Real lesson: rate limit = defense against accidents (badly-written client retrying 1000x/sec). Security is a bonus.
Audit logs come late. Almost nobody has them on day 1. The need surfaces during the first incident; the build happens during the second. Better to add upfront.
What worked
Pattern recap as a writing technique. Many November posts ended with “here’s what to actually do” — checklists. Reader feedback was unusually high. People want recipes.
Showing failure modes inline. “If you skip this, the failure looks like X.” More memorable than abstract advice.
Comparison posts (JWT vs sessions, API keys vs OAuth, OAuth 2.0 vs 2.1). Took longer to write but apparently land better. Will continue.
What didn’t
The “input validation” post got too long. Tried to cover SQL injection, XSS, SSRF, command injection in one piece. Should have been three posts. Will revisit per topic later.
Skipped passkeys / WebAuthn. Adoption is rising but the tooling isn’t quite ready for backend engineers to ship without significant frontend work. Will revisit in 2023 when more libraries mature.
Skipped formal compliance discussions. SOC 2 / PCI-DSS / HIPAA all touch the same patterns from different angles. Each deserves its own post; “security theme” was too broad to include.
What’s left undone
Three security topics I still want to cover but didn’t fit November:
- Supply chain attacks (CVE scanning, SBOM, signed images, npm/PyPI hygiene)
- Secrets management (Vault, AWS Secrets Manager, KMS patterns)
- Threat modeling for new features (STRIDE, attacker mental models)
Maybe Q1 2023.
Reader engagement
Highest-traffic posts this month:
- JWT for sessions is usually wrong — popular contrarian piece
- CORS: what it actually protects — misconception-correcting
- Refresh tokens and revocation — actionable
Tells me readers value content that corrects widespread mistakes.
What December looks like
December theme: Year-End Reflection & Productivity, specifically how GitHub Copilot and early AI tools are changing developer workflows. Last month of the year, so the tone is reflective; the AI-augmented dev angle follows from my rebrand to AI-Native Engineer earlier in the year.
Going to also do a year-in-review post at the end (“what shipped in 2022, what bombed, what I’d do differently”). Last 2-3 posts of December lean toward retrospective vs how-to.
See you Friday.