TLS handshakes, symmetric vs asymmetric encryption, certificate pinning, key management, and the crypto mistakes that compromise production systems.
# Install the express-rate-limit middleware used by the listing below
npm install express-rate-limit
const rateLimit = require('express-rate-limit');

// Both limiters use express-rate-limit's default key, the client address.
// NOTE(review): behind a reverse proxy or load balancer that address is the
// proxy's unless Express is configured with `trust proxy`; otherwise every
// client shares one bucket — confirm the deployment setting.
const FIFTEEN_MINUTES_MS = 15 * 60 * 1000;

// General API rate limit: 100 requests per 15-minute window. Limit state is
// reported through the standard RateLimit-* headers only; the legacy
// X-RateLimit-* headers are disabled.
const apiLimiter = rateLimit({
  windowMs: FIFTEEN_MINUTES_MS,
  max: 100,
  standardHeaders: true,
  legacyHeaders: false,
  message: { error: 'Too many requests, please try again later' },
});

// Strict limit for credential endpoints: 5 attempts per 15 minutes.
// Successful requests are not counted, so a user who logs in correctly is
// not locked out by their own traffic.
// NOTE(review): this limiter is also mounted on /register below, where a
// *successful* request creates an account; with skipSuccessfulRequests those
// creations are never counted — confirm that is intended.
const authLimiter = rateLimit({
  windowMs: FIFTEEN_MINUTES_MS,
  max: 5,
  skipSuccessfulRequests: true,
  handler(req, res) {
    res.status(429).json({
      error: 'Too many login attempts. Try again in 15 minutes.',
    });
  },
});

app.use('/api/', apiLimiter);
for (const path of ['/login', '/register']) {
  app.use(path, authLimiter);
}

const bcrypt = require('bcrypt');
// bcrypt cost factor; the work per hash grows exponentially with this value.
// Raise it over time as hardware gets faster, but measure login latency first.
const SALT_ROUNDS = 12; // Higher = slower to crack, slower to compute
// On registration: hash the password. Only the bcrypt hash is stored; the
// plaintext never reaches the database.
// NOTE(review): nothing here calls isStrongPassword (defined further down) —
// callers are presumably expected to validate first; confirm. bcrypt also
// uses only the first 72 bytes of its input, so longer passwords are
// silently truncated.
async function register(email, plainPassword) {
  const passwordHash = await bcrypt.hash(plainPassword, SALT_ROUNDS);
  await User.create({ email, passwordHash });
}
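// On login: compare password to hash.
// A well-formed bcrypt hash, computed once at startup, for the unknown-user
// path. The previous placeholder string ('$2b$12$invalid.hash.padding') was
// not a valid bcrypt hash (a real one is 60 characters), so compare() may
// reject it without running the cost function at all — which would make the
// "no such user" path measurably faster than a real comparison, the very
// signal the dummy compare is meant to hide. Hashing at startup rather than
// per request keeps both paths at the same cost.
const DUMMY_PASSWORD_HASH = bcrypt.hashSync('not-a-real-password', SALT_ROUNDS);

/**
 * Verify an e-mail/password pair.
 * @param {string} email
 * @param {string} plainPassword
 * @returns {Promise<object|null>} the user record on success, null otherwise.
 *   "No such user" and "wrong password" both map to null on purpose so the
 *   response does not reveal which one occurred.
 */
async function login(email, plainPassword) {
  const user = await User.findByEmail(email);
  if (!user) {
    // Do the same amount of bcrypt work as the known-user path so response
    // time does not reveal whether the e-mail is registered.
    await bcrypt.compare(plainPassword, DUMMY_PASSWORD_HASH);
    return null;
  }
  const valid = await bcrypt.compare(plainPassword, user.passwordHash);
  return valid ? user : null;
}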
// Password strength validation
/**
 * Minimum-complexity check: at least 12 characters containing an upper-case
 * letter, a digit and a non-alphanumeric character. Lower-case letters are
 * not required and there is no maximum length. `length` counts UTF-16 code
 * units, and the register() path above stores a bcrypt hash, which only
 * uses the first 72 bytes of the password.
 * @param {string} password
 * @returns {boolean} true only when every requirement holds
 */
function isStrongPassword(password) {
  const requirements = [
    (p) => p.length >= 12,
    (p) => /[A-Z]/.test(p),
    (p) => /[0-9]/.test(p),
    (p) => /[^A-Za-z0-9]/.test(p),
  ];
  return requirements.every((check) => check(password));
}
The foundations from today carry directly into Day 5. In the next session the focus shifts to Security Headers, CORS, and CSP — building directly on everything covered here.
Before moving on, verify you can answer these without looking: