Security in Development

🔹 1. Security in Node.js / Backend APIs

  • Authentication & Authorization :
    • Use JWT or OAuth2 for stateless APIs.
    • Use RBAC (Role Based Access Control) or ABAC for fine-grained access.
  • Input Validation & Sanitization :
    • Validate request body with libraries like Joi or Zod.
    • Prevent SQL Injection by using parameterized queries/ORM.
    • Prevent NoSQL Injection (in MongoDB, always sanitize queries).
  • Common Attacks :
    • XSS Prevention : Escape or sanitize user input before rendering it, and set security headers (including CSP) with helmet.
    • CSRF Protection : Use anti-CSRF tokens or SameSite cookies.
    • Rate Limiting : Throttle API requests with express-rate-limit or API-Gateway.
    • Brute force prevention : lock accounts or add CAPTCHA after multiple failed logins.
  • Secrets Management :
    • Never hardcode API keys/secrets -> Store in AWS SSM Parameter Store / Secrets Manager.
    • Use env variables, not config files.
  • Transport Security :
    • Enforce HTTPS everywhere (TLS termination at load balancer).
🔹 2. Security in Frontend

  • Don’t store sensitive tokens in localStorage (vulnerable to XSS). Prefer httpOnly cookies.
  • Escape data before rendering -> prevents DOM XSS
  • Use CSP (Content Security Policy) headers to control what scripts/styles load.
  • Protect routes on frontend + backend (never rely only on client-side auth checks).
  • Implement logout on idle or session expiry.
🔹 3. Security in AWS / Infrastructure

  • IAM & Access Control : Follow the least privilege principle → only grant the permissions that are required.
  • Network Security : Enable WAF (Web Application Firewall) with CloudFront for extra protection.
  • Data Protection : Enable encryption at rest (S3, RDS, DynamoDB, EBS support KMS) and encryption in transit (TLS).
  • Monitoring : Enable CloudTrail + CloudWatch to log all activity.
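The backend items on validating the request body and preventing NoSQL injection in MongoDB are compact, so here is an added example (not part of the original notes) of what they look like in plain Node.js: a hand-rolled schema check standing in for Joi/Zod so it runs offline, a recursive guard that refuses operator-like keys, and a login filter builder that only ever receives validated strings. The function names and the `LOGIN_SCHEMA` shape are assumptions made for this example.

```javascript
// Added example: guarding a MongoDB-style login filter against NoSQL operator
// injection. No database is used; buildLoginFilter() returns the object that
// would be handed to db.users.findOne(filter). Names here are hypothetical.

// Schema check standing in for Joi/Zod: every expected field must be a
// non-empty plain string within a length bound, and no extra fields may appear.
const LOGIN_SCHEMA = { username: { max: 64 }, password: { max: 128 } };

function validateLoginBody(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, error: 'body must be an object' };
  }
  for (const [field, rule] of Object.entries(LOGIN_SCHEMA)) {
    const value = body[field];
    // A JSON body like {"username": {"$gt": ""}} arrives as an object, not a
    // string; rejecting on type is what stops operator injection.
    if (typeof value !== 'string') return { ok: false, error: `${field} must be a string` };
    if (value.length === 0 || value.length > rule.max) {
      return { ok: false, error: `${field} length out of range` };
    }
  }
  const extra = Object.keys(body).filter((k) => !(k in LOGIN_SCHEMA));
  if (extra.length) return { ok: false, error: `unexpected fields: ${extra.join(',')}` };
  return { ok: true, value: { username: body.username, password: body.password } };
}

// Defence in depth for any value that still reaches a query: walk it and
// refuse keys MongoDB would read as operators ($...) or dotted field paths.
function assertNoOperators(value, path = 'body') {
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertNoOperators(v, `${path}[${i}]`));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$') || k.includes('.')) throw new Error(`operator-like key ${path}.${k}`);
      assertNoOperators(v, `${path}.${k}`);
    }
  }
}

// Replaces the unsafe pattern findOne({ username: req.body.username, ... })
// on an unchecked body. The filter selects on username only; the password is
// checked after lookup against the stored hash, never as a query predicate.
function buildLoginFilter(body) {
  const result = validateLoginBody(body);
  if (!result.ok) throw new Error(`rejected: ${result.error}`);
  assertNoOperators(result.value);
  return { username: result.value.username };
}
```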

👉 “I think of security in 3 layers: application layer, client layer, infrastructure layer. At backend, I secure APIs with authentication, authorization, input validation, rate limiting and secret management. At frontend, I focus on preventing XSS/CSRF and safe token handling. At infra level (AWS), I apply least privilege IAM, network restrictions, and enable encryption and monitoring. Together these form a defense-in-depth strategy.”