Web security foundations — JWT · OAuth · OWASP
Practical security in six steps — auth, validation, headers, CORS.
- Difficulty: intermediate
- Lessons: 6
- Total time: 145 min
Most of the OWASP Top 10 is mitigated by popular frameworks out of the box, but boundary and trust decisions (what to accept, whom to trust, for how long) still fall on the developer. A handful of concrete patterns shrink the attack surface considerably.
Who it's for
- Developers without a clear sense of "how far is enough" on security
- Teams that adopted JWT · OAuth but are nervous about mistakes
- Anyone wanting to set CORS, headers, and rate limits properly
What you can do afterwards
- Design JWT rotation · refresh tokens · blacklist
- Handle OAuth state · PKCE · CSRF
- Validate input with zod + length caps
- Apply Redis-based rate limiting (sliding window)
- Configure security headers · CSP · CORS
- Harden anonymous forms with honey-pot · IP hashing
Steps
- Threat model · OWASP at a glance — Top 10 · real incident distribution
- JWT · refresh · rotation — HS256 vs RS256 · expiry · blacklist
- OAuth + state · PKCE — Kakao · Naver · CSRF
- Input validation + length caps — zod · Valibot · payload flood defence
- Rate limit + CORS + security headers — Redis sliding window · CSP · SameSite
- Anonymous form hardening — honey-pot · IP hash · status flow
Prerequisites — complete either backend-with-spring or nextjs-fullstack.