HSTS, CSP, CORS policies, SameSite cookies, and the layered defense configuration that stops entire classes of attacks before they reach your application code.
~1 hourIntermediateHands-onPrecision AI Academy
Today's Objective
HSTS, CSP, CORS policies, SameSite cookies, and the layered defense configuration that stops entire classes of attacks before they reach your application code.
01
Never Hardcode Secrets
API keys, database passwords, and JWT secrets hardcoded in source code get exposed in git history, logs, error messages, and accidental deployments. Environment variables are the minimum — secret managers are the standard for production.
.env — Local Development
# .env (local only — in .gitignore!)
DATABASE_URL=postgresql://localhost:5432/myapp
JWT_SECRET=super-long-random-string-at-least-32-chars
ANTHROPIC_API_KEY=sk-ant-...
GOOGLE_CLIENT_SECRET=GOCSPX-...
# Use Claude to audit your security posture:
Prompt: "Review this Express application code for security
vulnerabilities. Check for:
- Hardcoded secrets or API keys
- SQL injection vulnerabilities
- Missing authentication on sensitive routes
- Insecure cookie configuration
- Missing rate limiting
- XSS vulnerabilities in response rendering
- Overly permissive CORS settings
[PASTE YOUR CODE]"
02
Production Security Checklist
[ ] All secrets in environment variables, not code
[ ] HTTPS enforced (redirect HTTP to HTTPS)
[ ] Security headers via helmet (CSP, HSTS, X-Frame-Options)
[ ] Rate limiting on all public endpoints
[ ] Passwords hashed with bcrypt (cost factor 12+)
[ ] JWT secrets are long (32+ chars) and rotated periodically
[ ] Cookies: httpOnly, secure, sameSite=strict
[ ] SQL queries parameterized (no string concatenation)
[ ] User input sanitized before rendering as HTML
[ ] Error messages don't expose stack traces in production
[ ] Dependencies audited: npm audit
Day 5 Exercise
Security Audit Your App
Run npm audit on your project. Fix any high-severity vulnerabilities.
Paste your main server file into Claude with the security audit prompt above.
Work through the production checklist — check off each item or add it to your code.
Run your app in production mode (NODE_ENV=production) and confirm error details are not exposed.
Course Complete — Secure Web Authentication
JWT authentication: stateless, scalable, with proper secret management and expiry.
OAuth 2.0: delegated login via Google/GitHub without managing passwords.
CSRF and XSS defenses: SameSite cookies, sanitized input, and Content Security Policy.
Rate limiting, bcrypt password hashing, and the production security checklist.
Want to go deeper in 2 days?
Our in-person AI bootcamp covers advanced AI development, agentic systems, and production deployment. Five cities. $1,490.
Completing all five days means having a solid working knowledge of Web Security in 5 Days. The skills here translate directly to real projects. The next step is practice — pick a project and build something with what was learned.