Security Best Practices

Every backend engineer is responsible for the security of the data they handle.

OWASP Top 10 — know these by heart:
1. Broken Access Control — check authorisation on every route
2. Cryptographic Failures — use bcrypt/argon2 for password hashing, HTTPS everywhere, encrypt PII at rest
3. Injection — parameterised queries, ORMs, input sanitisation
4. Insecure Design — threat modelling, principle of least privilege
5. Security Misconfiguration — disable debug mode in prod, change default credentials, close unused ports
6. Vulnerable Components — update dependencies, use Snyk/Dependabot
7. Auth Failures — strong passwords, MFA, secure session management
8. SSRF — validate outbound request URLs
9. Logging Failures — log security events, never log PII
10. Security Testing — SAST, DAST, penetration testing
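Item 8 (SSRF) says to validate outbound request URLs. The following is an added example, not code from the original page: a validator that allowlists the scheme, rejects embedded credentials, and checks every address the host resolves to against non-public ranges. The ALLOWED_SCHEMES policy, the DEMO_DNS table and the demo_resolve/live_resolve helpers are assumptions for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy (not from the page): only http/https, and every address the
# host resolves to must be public unicast. Adjust ALLOWED_SCHEMES per service.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the demo runs offline; live_resolve is what a
# service would actually use.
DEMO_DNS = {
    "api.example.com": {"93.184.216.34"},
    "mixed.example": {"93.184.216.34", "10.0.0.5"},  # one public, one internal
}

def demo_resolve(host):
    if host not in DEMO_DNS:
        raise OSError("no such host")
    return DEMO_DNS[host]

def live_resolve(host):
    """Every A/AAAA address the host currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public(ip):
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_outbound_url(url, resolve=live_resolve):
    """Return (ok, reason); call this before any connection is attempted."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        ipaddress.ip_address(parts.hostname)  # IP literal: no DNS needed
        addrs = {parts.hostname}
    except ValueError:
        try:
            addrs = resolve(parts.hostname)  # hostname: check every answer
        except OSError:
            return False, "unresolvable host"
    for ip in addrs:
        if not is_public(ip):
            return False, f"resolves to non-public address {ip}"
    # Caveat: DNS can change between this check and the fetch (rebinding), so
    # the HTTP client should connect to one of the addresses checked here.
    return True, "ok"
```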

Other must-knows:
- CORS configuration (never a wildcard * origin)
- CSRF tokens for browser sessions
- Helmet.js / security headers
- SQL injection prevention
- XSS prevention (escape output)
- Secrets management (never hardcode)