How-To Guides
Step-by-step security guides for your stack
67 articles

How to Hide Your API Keys (The Right Way)
Step-by-step guide to securing API keys in your vibe-coded app. Learn environment variables, .gitignore, and platform-specific secret management.
How to Add Secure Authentication to Next.js
Step-by-step guide to adding secure authentication to Next.js apps. NextAuth setup, middleware protection, session handling, and common security mistakes.
How to Add Security Headers to Your Web App
Step-by-step guide to adding security headers. Protect against XSS, clickjacking, and MIME sniffing with CSP, X-Frame-Options, HSTS, and more. Includes code examples for Express, Next.js, and nginx.
API Key Security Best Practices
Comprehensive guide to API key security. Learn storage, rotation, scoping, monitoring, and incident response best practices to protect your application.
How to Set Up Auth0 Securely
Complete guide to secure Auth0 setup. Configure applications, handle callbacks safely, validate tokens, implement authorization, and avoid common vulnerabilities.
How to Use AWS Secrets Manager
Step-by-step guide to storing and retrieving secrets with AWS Secrets Manager. Secure your API keys, database credentials, and sensitive config.
How to Handle SSL Certificate Renewal
Step-by-step guide to SSL certificate renewal. Set up automatic renewal with Certbot, monitor expiration dates, and troubleshoot common renewal failures.
How to Check for Exposed API Keys
Methods to verify your API keys aren't exposed in your codebase, git history, browser bundle, or network requests. Find leaked secrets before attackers do.
How to Secure Clerk Authentication
Complete guide to securing Clerk authentication. Set up middleware, protect routes, verify webhooks, manage users securely, and implement proper authorization.
How to Set Up Database Connection Pooling
Step-by-step guide to database connection pooling. Improve performance and security with PgBouncer, Prisma, and serverless connection management.
How to Set Up Content Security Policy (CSP)
Complete guide to Content Security Policy setup. Learn CSP directives, implement nonces, configure reporting, and create policies for common frameworks. Includes starter templates.
How to Set Up SSL for Custom Domains
Step-by-step guide to configuring SSL certificates for custom domains on Vercel, Netlify, and Cloudflare. Includes DNS configuration and troubleshooting.
How to Set Up Database Audit Logs
Step-by-step guide to implementing database audit logging. Track who accessed what data, when, and detect unauthorized access or data breaches.
How to Set Up Secure Database Backups
Step-by-step guide to implementing secure database backups. Automated backups, encryption, retention policies, and disaster recovery testing.
How to Encrypt Database Data
Step-by-step guide to database encryption. Implement encryption at rest, in transit, and application-level encryption for sensitive data.
How to Set Up .env Files - Complete Guide
Complete guide to setting up .env files for local development. Learn the dotenv package, file naming conventions, and how to keep secrets out of git.
How to Secure Drizzle ORM
Step-by-step guide to securing your Drizzle ORM setup. Safe SQL queries, input validation, and access control patterns for TypeScript applications.
How to Use Environment Variables - Complete Guide
Complete guide to environment variables for web apps. Learn how to set up .env files, access variables in code, and configure them across different platforms.
How to Secure File Uploads
Step-by-step guide to securing file uploads. File type validation, size limits, storage security, malware scanning, and preventing dangerous file execution.
How to Write Firebase Auth Rules
Step-by-step guide to securing Firebase with authentication-based security rules. Protect your Firestore and Realtime Database from unauthorized access.
How to Set Up Firebase Auth Securely
Step-by-step guide to setting up Firebase Authentication securely. Configure providers, integrate security rules, verify tokens server-side, and implement custom claims.
How to Write Firebase Security Rules
Complete guide to Firebase Firestore and Realtime Database security rules. Learn rule syntax, common patterns, testing, and debugging your Firebase security.
How to Implement Secure Form Validation
Step-by-step guide to secure form validation. Client and server-side validation, CSRF protection, honeypots for bot detection, and security best practices.
How to Use GitHub Secrets for Actions
Complete guide to GitHub Secrets for GitHub Actions. Store API keys, access tokens, and sensitive data securely in your CI/CD workflows.
How to Gitignore Sensitive Files
Prevent accidental commits of API keys, .env files, and credentials. Complete guide to configuring .gitignore for sensitive files in your project.
How to Hash Passwords Securely
Step-by-step guide to password hashing with bcrypt and Argon2. Why plain or salted MD5 and SHA hashes are the wrong tool for passwords (they are fast and GPU-friendly), and how to implement secure password storage in Node.js.
How to Hide API Keys - Secure Your Secrets
Step-by-step guide to hiding API keys in your web app. Use environment variables, .gitignore, and platform secrets to keep your keys safe from exposure.
How to Set Up HSTS (HTTP Strict Transport Security)
Complete guide to HSTS setup. Configure Strict-Transport-Security header, understand max-age, includeSubDomains, preload list submission, and avoid common mistakes.
How to Set Up HTTPS for Your Website
Step-by-step guide to enabling HTTPS with SSL certificates. Learn Let's Encrypt setup, platform-specific configuration for Vercel, Netlify, and manual server setup.
How to Secure Image Uploads
Step-by-step guide to securing image uploads. Image validation, resizing, EXIF metadata removal, storage security, and preventing image-based attacks.
How to Implement CSRF Protection
Step-by-step guide to implementing CSRF protection in Next.js and Express. Token-based protection, SameSite cookies, and when you actually need CSRF tokens.
How to Implement Rate Limiting in Your API
Step-by-step guide to implementing rate limiting. Protect your API from abuse with Upstash, Redis, or in-memory solutions. Includes Next.js and Express examples.
How to Implement JWT Security
Step-by-step guide to secure JWT implementation. Choose the right algorithm, handle token storage, implement refresh tokens, and avoid common vulnerabilities.
How to Implement Magic Link Authentication
Step-by-step guide to implementing secure magic link authentication. Passwordless login via email with proper security controls.
How to Fix Mixed Content Warnings
Step-by-step guide to finding and fixing mixed content on HTTPS sites. Learn to identify HTTP resources, update URLs, and use Content-Security-Policy to auto-upgrade requests.
How to Set Up MongoDB Authentication
Step-by-step guide to configuring MongoDB authentication. Create users, set up roles, enable access control, and secure your database connections.
How to Set Up Netlify Environment Variables
Complete guide to configuring environment variables in Netlify. Set up secrets for builds, functions, and different deploy contexts securely.
How to Configure Security Headers on Netlify
Step-by-step guide to adding security headers on Netlify. Configure via _headers file, netlify.toml, and Edge Functions. Includes CSP, HSTS, and all essential headers.
How to Set Up NextAuth.js Securely
Complete guide to secure NextAuth.js setup. Configure providers, protect API routes, secure sessions with database adapters, and implement middleware protection.
How to Set Up OAuth Authentication Securely
Step-by-step guide to implementing OAuth 2.0 securely. Use PKCE, validate tokens properly, and avoid common OAuth vulnerabilities.
How to Use Parameterized Queries
Step-by-step guide to using parameterized queries to prevent SQL injection. Examples for PostgreSQL, MySQL, MongoDB, and popular ORMs.
How to Implement Secure Password Reset
Step-by-step guide to implementing secure password reset flows. Prevent account takeover, token attacks, and enumeration vulnerabilities.
How to Set Up PostgreSQL Roles and Permissions
Step-by-step guide to PostgreSQL role-based access control. Create users, assign permissions, and implement least-privilege access for your database.
How to Prevent SQL Injection in Your App
Step-by-step guide to preventing SQL injection. Parameterized queries, ORMs, input validation, and common mistakes that leave your database vulnerable.
How to Secure Prisma ORM
Step-by-step guide to securing your Prisma ORM setup. Prevent injection attacks, handle raw queries safely, and implement proper access control.
How to Protect Against XSS Attacks
Step-by-step guide to preventing XSS in React and Next.js. Sanitizing user input, Content Security Policy, and common XSS patterns to avoid.
How to Protect Routes and API Endpoints
Step-by-step guide to protecting routes and API endpoints. Implement middleware patterns, authentication guards, authorization checks, and secure Next.js/React routes.
How to Set Up Railway Environment Variables
Complete guide to configuring environment variables in Railway. Set up secrets, use variable references, and manage configurations across services.
How to Implement Rate Limiting for Authentication
Step-by-step guide to rate limiting authentication endpoints. Prevent brute force attacks, credential stuffing, and account enumeration.
How to Remove Secrets from Git History
Clean secrets from your git history after accidental commits. Learn to use BFG Repo Cleaner and git filter-branch to remove exposed API keys from repository history.
How to Rotate API Keys - Emergency Response Guide
Emergency guide for rotating compromised API keys without downtime. Step-by-step instructions for Stripe, OpenAI, Supabase, and other common services.
How to Sanitize User Input
Step-by-step guide to sanitizing user input. HTML sanitization, XSS prevention with DOMPurify, server-side sanitization, and security best practices.
How to Enable Secret Scanning
Set up automatic secret detection in your repositories. Enable GitHub secret scanning, configure pre-commit hooks, and catch exposed API keys before they cause damage.
How to Secure API Keys in Your Web App
Step-by-step guide to securing API keys in web applications. Environment variables, server-side handling, key rotation, and what to do if keys are exposed.
How to Build a Secure Login Form
Step-by-step guide to building a secure login form. Prevent brute force attacks, handle credentials safely, and implement proper session management.
How to Implement Secure Session Management
Step-by-step guide to secure session management. Create, store, validate, and expire sessions properly to protect user accounts.
How to Set Up CORS Properly
Step-by-step guide to configuring CORS in Next.js, Express, and serverless functions. Avoid security mistakes and fix common CORS errors.
How to Set Up Supabase Row Level Security (RLS)
Step-by-step guide to setting up Row Level Security in Supabase. Enable RLS, write policies, test access, and avoid common mistakes that expose your data.
How to Set Up Supabase Auth Securely
Step-by-step guide to setting up Supabase Auth securely. Configure authentication, handle sessions, integrate with RLS, and set up social providers the right way.
How to Write Supabase RLS Policies
Learn to write effective Row Level Security policies in Supabase. Real examples for profiles, posts, teams, and multi-tenant apps with step-by-step explanations.
How to Test Supabase RLS Policies
Verify your Row Level Security policies work correctly. Learn SQL testing methods, browser testing, and automated testing strategies for Supabase RLS.
How to Implement Two-Factor Authentication (2FA)
Step-by-step guide to implementing TOTP-based two-factor authentication. Add 2FA with Google Authenticator, backup codes, and secure recovery.
How to Validate User Input Securely
Step-by-step guide to validating user input. Zod schemas, server-side validation, common validation patterns, and why client-side validation isn't enough.
How to Use HashiCorp Vault for Secrets Management
Step-by-step guide to setting up HashiCorp Vault for secrets management. Store, access, and rotate secrets securely in your applications.
How to Set Up Vercel Environment Variables
Complete guide to configuring environment variables in Vercel. Set up secrets for production, preview, and development environments with proper security.
How to Configure Security Headers on Vercel
Step-by-step guide to adding security headers on Vercel. Configure via vercel.json, Next.js middleware, and edge functions. Includes CSP, HSTS, and all essential headers.
How to Validate Input with Zod
Step-by-step guide to input validation with Zod. Schema definition, API validation, form validation with React Hook Form, custom validators, and error handling.