Skip to content

Latest commit

 

History

History
128 lines (103 loc) · 5.32 KB

full-stack-security-guide.md

File metadata and controls

128 lines (103 loc) · 5.32 KB

Full Stack Security Guide for Beginner Programmers

Introduction for Vibe Coders

Many beginner programmers have recently reported security issues with their applications. This guide will help you understand how to properly document and secure your full stack applications.

Document Your Full Stack Architecture

Create a text document called "full_stack.txt" with the following information:

  1. List each layer of your stack separately (one line per layer)

  2. For each layer, document:

    • What technologies you're using
    • Security measures implemented
    • Rate limiting configuration
    • Infrastructure details
    • Expected number of simultaneous users

  3. For the entire application, document:

    • Peak requests per minute/hour/day
    • Average user session length

Review Your Documentation

After completing your documentation:

  • Share it with AI assistants like Claude 3.7 Sonnet and ask for feedback
  • Ask them to explain why they recommend any changes
  • Request pros and cons for each recommendation
  • Remember that you make the final decisions

Security Approach

Remember these key principles:

  • Security is important but not the only consideration
  • Treat each layer of your stack as an independent component
  • Adding security to one layer doesn't automatically secure others
  • Optimize performance (e.g., dropping unwanted packets can reduce CPU load)
  • Understanding your entire architecture helps limit attack vectors

Essential Security Practices

1. Credential Management

  • Environment Variables: Never hardcode API keys, passwords, or sensitive configuration
    • Use .env files for local development (add to .gitignore)
    • Use secure environment variable management in production
    • Consider using a secrets manager service for production environments

2. Database Security

  • Rate Limiting: Implement at the database level
    • Set connection pool limits
    • Add query timeouts and transaction limits
    • Monitor and alert on unusual query patterns
  • Row Level Security (RLS): Enforce access policies at the database level
    • Test your RLS policies thoroughly (tools like ClampDB can help)
  • Use UUIDs instead of incremental IDs to prevent enumeration attacks

3. API Security

  • Rate Limiting: Implement across all API endpoints
    • Track requests by IP, user ID, and API key
    • Set appropriate limits based on endpoint sensitivity
    • Add graceful degradation for approaching limits
  • Input Validation: Validate all user inputs at every layer
    • Use strong typing and schemas where possible
    • Sanitize inputs before processing or storing
    • Implement CSRF tokens for all POST/PUT/DELETE requests

4. Version Control Security

  • .gitignore: Properly configure to exclude:
    • Environment files (.env, .env.local, etc.)
    • Log files and debugging information
    • Dependency directories (node_modules, vendor, etc.)
    • Credential files, certificates, and keys
  • .dockerignore: Configure to exclude:
    • Development-only files
    • Test files and fixtures
    • Documentation and non-essential assets
    • Local configuration

5. Infrastructure Security

  • Cloudflare DNS proxy and site cache
  • Web Application Firewalls (WAFs)
  • Tunnels and reverse proxies
  • Local firewalls (UFW, IPTABLES)
  • mTLS authentication
  • Certificate Authority (CA)
  • CI/CD security practices with security scanning in the pipeline

6. Code-Level Security

  • OWASP Top 10: Familiarize yourself with common vulnerabilities
    • SQL Injection prevention
    • Cross-site scripting (XSS) protection
    • Insecure deserialization mitigation
    • Broken authentication prevention
  • Regular Scanning: Use tools like:
    • Static Application Security Testing (SAST)
    • Dynamic Application Security Testing (DAST)
    • Software Composition Analysis (SCA) for dependencies
    • Specialized scanners like Corgea

7. User Authentication & Sessions

  • Secure Password Storage: Use proper hashing algorithms (bcrypt, Argon2)
  • Multi-Factor Authentication: Implement where possible
  • Session Management: Use secure, httpOnly, SameSite cookies
  • Account Lockout Policies: Prevent brute force attacks

8. Monitoring & Response

  • Logging: Implement comprehensive logging across all stack layers
  • Alerting: Set up alerts for security-related events
  • Bug Bounty Program: Consider implementing once you gain traction
    • Offer appropriate rewards based on vulnerability severity
    • Clear scope and rules to encourage responsible disclosure

Testing Your Security

Regularly test your application using:

  1. Security scanning tools
  2. Manual penetration testing
  3. Security-focused code reviews
  4. Dependency vulnerability scanning
  5. Regular security updates for all components

Remember that security is an ongoing process, not a one-time implementation. Stay informed about new vulnerabilities and continuously improve your security practices.

By following this structured approach, you'll create more secure applications and be better prepared to handle potential security threats.

Document Versions

The latest version of this guide will always be available on our GitHub repository. Original versions of all VibeCoding guides are also posted to X.com as they are released. Check both platforms to ensure you're seeing the most up-to-date information and to track how these guides evolve over time.