{
    "version": "https:\/\/jsonfeed.org\/version\/1.1",
    "title": "Blog — George Mishurovsky: posts tagged web",
    "_rss_description": "A blog by George Mishurovsky — a senior software engineer with a medical degree. Drawing from both engineering and scientific thinking, he explores software, architecture, design, psychology, and product thinking.",
    "_rss_language": "en",
    "_itunes_email": "george@mishurovsky.com",
    "_itunes_categories_xml": "",
    "_itunes_image": "https:\/\/mishurovsky.com\/blog\/pictures\/userpic\/userpic-square@2x.jpg?1753619610",
    "_itunes_explicit": "no",
    "home_page_url": "https:\/\/mishurovsky.com\/blog\/?go=tags\/web\/",
    "feed_url": "https:\/\/mishurovsky.com\/blog\/?go=tags%2Fweb%2Fjson%2F",
    "icon": "https:\/\/mishurovsky.com\/blog\/pictures\/userpic\/userpic@2x.jpg?1753619610",
    "authors": [
        {
            "name": "George Mishurovsky",
            "url": "https:\/\/mishurovsky.com\/blog\/",
            "avatar": "https:\/\/mishurovsky.com\/blog\/pictures\/userpic\/userpic@2x.jpg?1753619610"
        }
    ],
    "items": [
        {
            "id": "12",
            "url": "https:\/\/mishurovsky.com\/blog\/?go=all\/security-topics-for-tech-leads-and-staff-engineers\/",
            "title": "A Security Checklist for Senior Engineers and Tech Leads",
            "content_html": "<p>A couple of years ago, I told an interviewer I didn’t want to work on security problems because I found them boring. My mind has changed since then.<\/p>\n<p>Security requirements are genuine engineering constraints. They drive the development of sophisticated solutions, and it <i>is<\/i> interesting to work with them. The hard part, though, is having a definitive list of the critical security issues and the standard approaches to them.<\/p>\n<p>That’s why I asked ChatGPT for such a list, pitched at the level a solid principal engineer should know. The response was quite reasonable, so I spent some time refining the list, and here is the result! I keep it as a reference for myself, and I hope you’ll find it useful, too.<\/p>\n<h2>Core Web App Security<\/h2>\n<ul>\n<li><b>API Security<\/b>: REST\/GraphQL hardening, input validation, over\/under-fetching prevention, API keys, HMAC request signing, certificate pinning, replay prevention (nonces, timestamps).<\/li>\n<li><b>Authentication & Identity<\/b>: password hashing (argon2id, bcrypt, scrypt), MFA, OAuth2\/OIDC, SAML, JWT best practices (pin the algorithm, verify issuer and audience, short expiry).<\/li>\n<li><b>Authorization<\/b>: RBAC, ABAC, least privilege, privilege escalation prevention, checks enforced server-side on every request.<\/li>\n<li><b>CSRF Protection<\/b>: synchronizer tokens, SameSite cookies, double-submit cookie pattern, Origin\/Referer checks.<\/li>\n<li><b>Data Protection<\/b>: encryption at rest (AES-256), in transit (TLS 1.2+, preferably 1.3), key management.<\/li>\n<li><b>Error Handling & Logging<\/b>: no sensitive data or stack traces leaked to clients, structured logging, correlation IDs.<\/li>\n<li><b>File Uploads<\/b>: validation, MIME and magic-byte checks, size limits, virus scanning, sandboxing, storing uploads outside the web root.<\/li>\n<li><b>Injection Attacks<\/b>: SQLi, NoSQLi, LDAP, OS command injection, template injection; parameterized queries and no commands built from strings.<\/li>\n<li><b>Input Validation<\/b>: sanitization, strict schema validation, allowlisting (whitelisting).<\/li>\n<li><b>Output Encoding<\/b>: context-aware escaping for HTML, JS, CSS, URLs to prevent XSS.<\/li>\n<li><b>Rate Limiting & DoS Protection<\/b>: throttling, circuit breakers, caching.<\/li>\n<li><b>Secrets Management<\/b>: key rotation policies, vaults (e.g., HashiCorp Vault, AWS Secrets Manager).<\/li>\n<li><b>Session Management<\/b>: secure cookies (Secure, HttpOnly, SameSite), regenerating the session ID on login to prevent session fixation, token expiry\/rotation.<\/li>\n<\/ul>\n<h2>Browser & Front-End Security<\/h2>\n<ul>\n<li><b>Clickjacking Protection<\/b>: X-Frame-Options, CSP frame-ancestors.<\/li>\n<li><b>CSP (Content Security Policy)<\/b>: nonces, strict-dynamic, avoiding unsafe-inline and unsafe-eval.<\/li>\n<li><b>HTTP caching headers<\/b>: Cache-Control: no-store, Vary, Pragma for responses carrying sensitive data.<\/li>\n<li><b>Subresource Integrity (SRI)<\/b> for 3rd-party scripts and stylesheets.<\/li>\n<li><b>Trusted Types<\/b> to mitigate DOM-based XSS.<\/li>\n<li><b>Web Storage Security<\/b>: keeping tokens and other sensitive data out of localStorage and sessionStorage, which any script running on the origin (including injected XSS) can read.<\/li>\n<\/ul>\n<h2>Infrastructure & Deployment<\/h2>\n<ul>\n<li><b>CI\/CD Security<\/b>: supply chain attacks, dependency scanning (SCA), signed builds and provenance.<\/li>\n<li><b>Container Security<\/b>: minimal images, non-root users, runtime restrictions, image scanning (Trivy, Clair).<\/li>\n<li><b>DNS Security<\/b>: DNSSEC, avoiding cache poisoning.<\/li>\n<li><b>HTTPS Everywhere<\/b>: HSTS, secure TLS configs, certificate rotation.<\/li>\n<li><b>IaC Security<\/b>: secure Terraform and CloudFormation, policy-as-code (OPA).<\/li>\n<li><b>Reverse Proxies & WAFs<\/b>: e.g., Cloudflare, AWS WAF.<\/li>\n<li><b>Secret and Key Management<\/b>: choosing correct algorithms (AES-GCM, RSA vs ECC, SHA-2\/3), key rotation policies, HSMs\/KMS use.<\/li>\n<li><b>Secrets in CI\/CD<\/b>: no hardcoded creds, encrypted variables, short-lived tokens.<\/li>\n<\/ul>\n<h2>Operational & Organizational<\/h2>\n<ul>\n<li><b>Compliance & Privacy<\/b>: GDPR, HIPAA, SOC2, PCI-DSS basics.<\/li>\n<li><b>Dependency Management<\/b>: SCA, patching, SBOMs.<\/li>\n<li><b>External Attack Surface Discovery<\/b>: domains, APIs, old endpoints.<\/li>\n<li><b>Insider Threats<\/b>: principle of least privilege, auditing.<\/li>\n<li><b>Monitoring & Incident Response<\/b>: SIEM, anomaly detection, alerting.<\/li>\n<li><b>Secure SDLC<\/b>: threat modeling, STRIDE, abuse cases, security reviews.<\/li>\n<li><b>Security Testing<\/b>: static analysis (SAST), dynamic analysis (DAST), penetration testing.<\/li>\n<li><b>Zero Trust Principles<\/b>: network segmentation, identity-aware access.<\/li>\n<\/ul>\n<h2>Advanced \/ Modern Web Concerns<\/h2>\n<ul>\n<li><b>AI\/ML API Security<\/b>: prompt injection, model data leaks.<\/li>\n<li><b>GraphQL-specific Risks<\/b>: introspection, batching attacks, query depth and complexity limits.<\/li>\n<li><b>Multi-Tenancy & Data Isolation<\/b>: proper tenant isolation in SaaS apps, preventing IDORs (Insecure Direct Object References).<\/li>\n<li><b>Serverless Security<\/b>: least privilege IAM, cold-start secrets, event injection.<\/li>\n<li><b>SSRF & Cloud Metadata Protection<\/b>: allowlisting outbound destinations, blocking link-local addresses, IMDSv2 on AWS.<\/li>\n<li><b>Supply Chain Security<\/b>: typosquatting, malicious packages, lockfiles and pinned versions.<\/li>\n<li><b>WebSockets Security<\/b>: auth, origin checks, rate limiting, input validation.<\/li>\n<\/ul>\n",
            "date_published": "2025-09-02T13:16:47+02:00",
            "date_modified": "2025-09-26T13:02:40+02:00",
            "tags": [
                "security",
                "web"
            ],
            "_date_published_rfc2822": "Tue, 02 Sep 2025 13:16:47 +0200",
            "_rss_guid_is_permalink": "false",
            "_rss_guid": "12",
            "_rss_enclosures": [],
            "_e2_data": {
                "is_favourite": false,
                "links_required": [],
                "og_images": []
            }
        }
    ],
    "_e2_version": 4134,
    "_e2_ua_string": "Aegea 11.3 (v4134e)"
}