Github url


by FallibleInc

Security Guide for Developers (实用性开发人员安全须知)

19.1K Stars 1.4K Forks Last release: Not found 146 Commits 0 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

A practical security guide for web developers (Work in progress)

The intended audience

Security issues happen for two reasons -

  1. Developers who have just started and cannot really tell a difference between using MD5 or bcrypt.
  2. Developers who know stuff but forget/ignore them.

Our detailed explanations should help the first type while we hope our checklist helps the second one create more secure systems. This is by no means a comprehensive guide, it just covers stuff based on the most common issues we have discovered in the past.


  1. The Security Checklist
  2. What can go wrong?
  3. Securely transporting stuff: HTTPS explained
  4. Authentication: I am who I say I am
  5. 1 Form based authentication
  6. 2 Basic authentication
  7. 3 One is not enough, 2 factor, 3 factor, ....
  8. 4 Why use insecure text messages? Introducing HOTP & TOTP
  9. 5 Handling password resets
  10. Authorization: What am I allowed to do?
  11. 1 Token based Authorization
  12. 2 OAuth & OAuth2
  13. 3 JWT
  14. Data Validation and Sanitation: Never trust user input
  15. 1 Validating and Sanitizing Inputs
  16. 2 Sanitizing Outputs
  17. 3 Cross Site Scripting
  18. 4 Injection Attacks
  19. 5 User uploads
  20. 6 Tamper-proof user inputs
  21. Plaintext != Encoding != Encryption != Hashing
  22. 1 Common encoding schemes
  23. 2 Encryption
  24. 3 Hashing & One way functions
  25. 4 Hashing speeds cheatsheet
  26. Passwords: dadada, 123456 and [email protected]
  27. 1 Password policies
  28. 2 Storing passwords
  29. 3 Life without passwords
  30. Public Key Cryptography
  31. Sessions: Remember me, please
  32. 1 Where to save state?
  33. 2 Invalidating sessions
  34. 3 Cookie monster & you
  35. Fixing security, one header at a time
  36. 1 Secure web headers
  37. 2 Data integrity check for 3rd party code
  38. 3 Certificate Pinning
  39. Configuration mistakes
  40. 1 Provisioning in cloud: Ports, Shodan & AWS
  41. 2 Honey, you left the debug mode on
  42. 3 Logging (or not logging)
  43. 4 Monitoring
  44. 5 Principle of least privilege
  45. 6 Rate limiting & Captchas
  46. 7 Storing project secrets and passwords in a file
  47. 8 DNS: Of subdomains and forgotten pet-projects
  48. 9 Patching & Updates
  49. Attacks: When the bad guys arrive
  50. 1 Clickjacking
  51. 2 Cross Site Request Forgery
  52. 3 Denial of Service
  53. 4 Server Side Request Forgery
  54. Stats about vulnerabilities discovered in Internet Companies
  55. On reinventing the wheel, and making it square
  56. 1 Security libraries and packages for Python
  57. 2 Security libraries and packages for Node/JS
  58. 3 Learning resources
  59. Maintaining a good security hygiene
  60. Security Vs Usability
  61. Back to Square 1: The Security Checklist explained

Who are we?

We are full stack developers who just grew tired of watching how developers were lowering the barrier to call something a hack by writing unsecure code. In the past six months, we have prevented leaks of more than 15 million credit card details, personal details of over 45 million users and potentially saved companies from shutting down. Recently, we discovered an issue that could result in system takeover and data leak in a bitcoin institution. We have helped several startups secure their systems, most of them for free, sometimes without even getting a thank you in response :)

If you disagree with something or find a bug please open an issue or file a PR. Alternatively, you can talk to us on [email protected]

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.