Threat model · OWASP at a glance

There is no "from where to where is security enough", but knowing the actual distribution of attacks sets priority.

1. OWASP Top 10 (2021)

1. Broken Access Control
2. Cryptographic Failures
3. Injection (SQL · NoSQL · command)
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdated Components
7. Identification and Authentication Failures
8. Software and Data Integrity Failures
9. Security Logging and Monitoring Failures
10. Server-Side Request Forgery

2. Most incidents fall in the Top 3

• Access control mistakes — "change the URL, see someone else's data"
• Auth failures — weak passwords, session hijack, no MFA
• Injection — WHERE id = ${id} string interpolation

The other seven are less frequent or handled by frameworks.

3. STRIDE

Six categories — Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. Walk through each page/API against STRIDE to find gaps.

4. "Never trust the client"

Always re-check permissions after auth, per user.

// ❌
const userId = req.body.userId;
await db.query("DELETE FROM posts WHERE user_id = $1", [userId]);
// ✅
const sessionUser = await verifySession(req);
await db.query("DELETE FROM posts WHERE user_id = $1", [sessionUser.id]);

5. Least privilege

• App DB user has only needed tables
• Cron scripts have their own DB user
• Minimise prod IAM

Uncomfortable for developers, huge reduction in blast radius.

6. Defense in depth

One layer fails, the next catches.

[Caddy / CDN] → [rate limit] → [WAF] → [auth] → [authorization] → [input validation]
                                                                         ↓
                                                                   [DB constraints]

SQL injection defended three times (parameterization + input validation + DB constraints).

7. Security ≠ obscurity

Security through obscurity doesn't last. Design so that public knowledge of the API is safe.

8. Week-one checklist

• Session checks on every mutation
• 100% parameterized SQL
• bcrypt/argon2 only (never plaintext/MD5/SHA1)
• HTTPS enforced
• Monthly pnpm audit / npm audit

Cuts 90% of the attack surface.

Closing

Security isn't a one-off project. Keep Top 10, common patterns, and defense-in-depth in mind and the instinct grows.

Next

• 02-jwt-refresh