Really did a great job with this video. It really provides all the necessary details needed for a web dev security. I remember going through hundreds of videos just to learn these points individually.
I really like this man for making such content for us beginners. Really helps to understand important concepts at a high level. Please bring more content like this one 👍
If you have an app a good idea is to add SSL Pinning to it really helps a ton if user/hacker wants to reverse engineer your API (network calls) and inspect the payload etc etc it will add a extra layer of strength which is hard to bypass and you can ensure your API usage is being done by the app only
golden content, loved that❤ You clearly have talent to present packed informations with understandable manner . It would be supper cool to have each step detailed with simple example to follow. You should’ve your own course, Id buy that
This my go to: either find a platform/app which provide similar services as you and try to abuse it or just think if it were me how would I bypass this or abuse then you will know a million ways to bypass your security and its time to work.
Please do another one, which goes into more detail on specific implementations (but still framework agnostic), such as oauth2 and using jwts vs session cookies
Could you make a video on connecting different backends to different frontends? Like svelte / go or react / nodejs. Coming from nextjs where everything is just set up for you i'm struggling to find info on how to progress into more "real" full stack development. Been learning a ton from you thanks a lot!!!
Thx man :X Could you advise any Sec cert that can be attached to the web, verifies that that SAAS safe enough ? so business customers will have less concern before using some kind of automated pentest Most of the time all they know to say is "using 3rd party SAAS is forbidden" and keep doing stuff manually like dumps and at the same time, some of them do use crked desktop app or even the OS. LOL
A common one I’ve seen is letting your API accept a user ID in the post request body and then they use that user ID and think that it’s the authenticated user ID instead of checking the actual session
@@WebDevCody Awesome, just checking it out r n btw would you extend your previous vid about next15, maybe walkthrough us on how to upgrade existing projects, and how the breaking changes might affect existing projects?
great explanation, i feel like i know how to implement all of these, i didn't know more about NextJS like an expert (but i trust my self to be able to implement all of these though because the word terms u said, it's kinda similar to word which is referenced in php framework i'm currently working on) About rate limiting, the cookie data saved on a file (it"s default btw) will it be a problem from a performance perspective? i see the most popular ones are memory based thing, redis or whatever it is...
I have been too lazy and haven't put post request rate limiting to my cloudflare tunnel. Does reactjs prevent script tags from executing? I think solidjs does "sanitize" automatically
Not of the frameworks don’t let you render html directly to the page unless using dangerous set html. You should still always sanitize the data that goes into your database because you may forget and try to display it in the browser if you end up making a new ui or open your api for others to integrate with it
Sure, but I’ve found in real systems some endpoints need more restrictions because they use more cpu or do big sql queries. Also, often you need to rate limited based on userId, so as long as your reverse proxy supports that, sure.
Yes usually the userId (called sub sometimes) is stored in the jwt. If the jwt is properly verified, you can trust the userId in it. No, you don’t store the userId in a cookie ever. You need to generate a sessionId which links to the userId. The reason is you can’t allow anyone to guess the userId because then they could potentially just hit your api with their own cookie. Remember a cookie is just a header and anyone can use curl to fake the userId
sent this video to marc lou
lmao
lol he's probably watching this rn
Y’all are naughty
@@preetjariwala9300 seething at the comments preparing his block button while searching out bros name on x
omg i scrolled to comments to say this and i got beat
I learned more from this than 5 security videos, please do more like this !!!!!
Really did a great job with this video. It really provides all the necessary details needed for a web dev security. I remember going through hundreds of videos just to learn these points individually.
I can sometimes be critical of your videos ( I watch them anyway ) but this one I can say is 100% spot on and amazingly presented.
Yep, theae are the kinds of videos that kept me on your channel. 👍
The diagram walk-through then a code session would be golden
I really like this man for making such content for us beginners. Really helps to understand important concepts at a high level. Please bring more content like this one 👍
Good job babe!!!!! Woot woot beginners crew check in here 🎉
Love how supportive you are!
Marc lou was first one on this. not you
@@kazmi401 underrated comment 4sure
@@kazmi401 huh?
golden content. Easy to do when using separate backend as nest.js
If you have an app a good idea is to add SSL Pinning to it really helps a ton if user/hacker wants to reverse engineer your API (network calls) and inspect the payload etc etc it will add a extra layer of strength which is hard to bypass and you can ensure your API usage is being done by the app only
crazy how i understood all of these stuff just by building one system.
very cool vid!
would be nice to see another video from you about rate limiting and how to implement it & best practices
i love backend and i will focus on it next coming months, thanks for the video man
Oh please do Role-Based Authorization.
golden content, loved that❤ You clearly have talent to present packed informations with understandable manner .
It would be supper cool to have each step detailed with simple example to follow.
You should’ve your own course, Id buy that
🎵 Soft kitty, script kiddie, little ball of fur 🎵
Good stuff!! Checking in from Sweden! 🇸🇪
ty for starting the video without 10 minute roundabouts
This my go to: either find a platform/app which provide similar services as you and try to abuse it or just think if it were me how would I bypass this or abuse then you will know a million ways to bypass your security and its time to work.
Awesome high-level overview. Well thought out.
Cody for President. Nice one cody more such videos please.
This is the kind of content that make me follow you.
Love these types of videos!!! Please do more videos like THIS!!!!!!!!!!👍
Please do another one, which goes into more detail on specific implementations (but still framework agnostic), such as oauth2 and using jwts vs session cookies
Thank you for this :>>
next video: comprehensive dos and don'ts for avoiding DDoS attacks
Great video needed this! Thanks
Thank you! Incredible valueable knowledge.
Hey from Germany ❤ perhaps you could go more into detail about when to use the different API types: trpc, Server action, RSC? WOULD BE NICE 🎉
Could you make a video on connecting different backends to different frontends? Like svelte / go or react / nodejs. Coming from nextjs where everything is just set up for you i'm struggling to find info on how to progress into more "real" full stack development. Been learning a ton from you thanks a lot!!!
you are legendary👑 keep up
I love this❤, thanks a lot
Great video, thanks man.
What keyboard are you using? Sounds cool)
Great video!!
Thx man :X
Could you advise any Sec cert that can be attached to the web, verifies that that SAAS safe enough ? so business customers will have less concern before using
some kind of automated pentest
Most of the time all they know to say is "using 3rd party SAAS is forbidden" and keep doing stuff manually like dumps and at the same time, some of them do use crked desktop app or even the OS. LOL
Web dev Cody cool topic
Great explanation
keep cooking ser !
where can one find these eraser workspaces or even the images are fine.
Need more on auth stuff ❤
Great vid.
easy to follow and useful video, thank you. Your keyboard sounds nice. can you tell me its name?
great video
“Never trust the users input”.
First law of software developers imo.
Great content
Do you have some examples of bad security practices out in the wild? Asking for a friend
A common one I’ve seen is letting your API accept a user ID in the post request body and then they use that user ID and think that it’s the authenticated user ID instead of checking the actual session
@@WebDevCody Is it better then to send user ID in the JWT? Or maybe in the httpOnly secure cookie?
Could you make a dedicated video about RateLimiting using NextJS server actions or NextJS APIs
I think I have one maybe
@@WebDevCody Awesome, just checking it out r n
btw would you extend your previous vid about next15, maybe walkthrough us on how to upgrade existing projects, and how the breaking changes might affect existing projects?
@@mohammed.haydar that'll be a new video in every major version then
It was a great video. Can you make some actionable code video around it? Code teaches better ❤. Happy Coding
great explanation, i feel like i know how to implement all of these, i didn't know more about NextJS like an expert (but i trust my self to be able to implement all of these though because the word terms u said, it's kinda similar to word which is referenced in php framework i'm currently working on)
About rate limiting, the cookie data saved on a file (it"s default btw) will it be a problem from a performance perspective? i see the most popular ones are memory based thing, redis or whatever it is...
Cookies are storied in the browser. I’m not sure what you mean by file
@@WebDevCody the file that saved on server, with a bunch of cookies data from visitor/client
I have been too lazy and haven't put post request rate limiting to my cloudflare tunnel. Does reactjs prevent script tags from executing? I think solidjs does "sanitize" automatically
Not of the frameworks don’t let you render html directly to the page unless using dangerous set html. You should still always sanitize the data that goes into your database because you may forget and try to display it in the browser if you end up making a new ui or open your api for others to integrate with it
Can the rate limiting be set on the reverse proxy ???
Sure, but I’ve found in real systems some endpoints need more restrictions because they use more cpu or do big sql queries. Also, often you need to rate limited based on userId, so as long as your reverse proxy supports that, sure.
Is it safe to store user ID in jwt? Or maybe in the httpOnly & secure cookie?
Yes usually the userId (called sub sometimes) is stored in the jwt. If the jwt is properly verified, you can trust the userId in it. No, you don’t store the userId in a cookie ever. You need to generate a sessionId which links to the userId. The reason is you can’t allow anyone to guess the userId because then they could potentially just hit your api with their own cookie. Remember a cookie is just a header and anyone can use curl to fake the userId
Sometimes we don't need authentication or authorization, we just want our domain to be able to hit our api endpoints.
thx bruh
Video game dev when?
get on it Cody, we want flappy bird
great
Bro lucia v3 tutorial
No. We don't use NEXT anymore