top circles
Let's not trust the frontend
Daniel Christensen
April 19th, 2021
Lesetid: 4 min read

Have you just finished your full-stack project and it's time to deploy for production? Well, that's perfect this post is spot on for you!

Server

The first thing to come to mind is probably getting a server, and yes you probably need one of those as well and I'd suggest going with Contabo as I personally think its the best bang for your buck, it a lot less managed though so if you want something that's more user friendly you can go with DigitalOcean.

App Security

But now let's get into the scary fun part, Security here is where you do need to be careful so you don't end up with a GDPR breach on day one, or even worse your database deleted! The first steps to good project security are to look over your current security measures both by double-checking your code as well as testing them out with tools such as Postman or BurpSuite (This goes for both web apps as well as any other forms of applications using web APIs). Setting these tools too is also super easy and Google is your friend in this scenario as all products are different! These tools can be used to send requests to an API endpoint, or even withhold requests until you modify them. A great example of this is, you have a cart API accepting JSON, here are some ways you could try messing with it!

Default (how frontend sends it)

{"itemID": 1,"amount": 1, "itemName": "Shoes"}

Example 1: In the first example we just modify the amount of shoes we want to 0.01, if this works and the backend allows it you would end up with shoes at 1% of the cost! Another example of this is - amount where you set the amount to a negative amount in order to make the total cheaper.

{"itemID": 1,"amount": 0.01, "itemName": "Shoes"}

Example 2: This one is if you have some sort of identifier and you for example use "itemName" for analytics, you should not use it for the actual order instead "itemID" should be looked up in the database and return the item! (You may also find things you don't need such as "itemName" if you need to fetch from the database regardless)

{"itemID": 1,"amount": 1, "itemName": "Shoes Worth More"}

This is one of many ways you can mess with your own code, and instead of making this task a boring one its more fun setting it up as a challenge such as "Am I able to break my own code", even though the answer for me has always been yes, I hope one day I can beat myself.

You should also check out OWASP that is an organization that focuses on security and has a lot of learning material to learn more about security. A fun learning tool they have is JuiceShop a website you can deploy for free on Heroku, where you get challenges and explanations on how to do more complicated exploits than the one shown above.

Server security

Securing your code is one thing but you have one more thing you gotta secure, that's your server. This is where your IPR, files, users, and so on will be and therefore it's very important the server is secure because you can have bulletproof application security but miss out on server security altogether, and then the app security is no good after all. Things id suggest doing here is making a server update schedule, this is where you set dates where you go in, and update security packages, etc. The reason for updating often is that usually you won't get notified if there is an exploit in your old NGINX for example and hackers do not use a long time to write automated scripts using these exploits. We are lucky that third-party software is becoming a lot safer now than before but it's still very important. The other aspect of the server is having a good password and a good firewall to protect against DDoS and other forms of attack. I also suggest having your domain behind Cloudflare if possible as they have very good DDOS protection and firewall without a lot of tweaking needed.

The bigger your codebase gets it might be harder to do this stuff yourself, and that's where we and our skills come in! We have special expertise in this field and we will do our best to meet your criteria! If this sounds interesting feel free to contact us at [email protected] or call +47 98332280! (of course a cheeky ad 😁)

Del denne artikelen
bottom circles