🔒 Security Best Practices

Welcome to the Security Best Practices tutorial! In this course, you'll learn how to use ECC to identify and fix security vulnerabilities — making your application as secure as a bank vault.

Prerequisites

It's recommended to complete TDD Masterclass and Custom Hooks before starting this tutorial.

🎮 Try Security Scanning Commands

ECC comes with powerful security auditing tools. Try these commands:

ECC Command Simulator

❯

Available Commands:

📚 Five-Layer Defense Model

Building Defense in Depth

Step 1 of 5

1

Layer 1: Input Validation — The Front Gate Security

Never trust user input! Input validation is the first line of defense. Like airport security — everything entering must go through the scanner. Use Zod for strict type and format validation.

// ❌ DANGEROUS: No validation
app.post("/api/users", (req, res) => {
  db.query(`SELECT * FROM users WHERE id = ${req.body.id}`)
})

// ✅ SECURE: Zod validation + parameterized query
import { z } from "zod"

const UserQuerySchema = z.object({
  id: z.string().uuid(),  // Must be valid UUID
  email: z.string().email().max(255),
  role: z.enum(["user", "admin"])
})

app.post("/api/users", (req, res) => {
  const validated = UserQuerySchema.parse(req.body)
  db.query("SELECT * FROM users WHERE id = $1", [validated.id])
})

💡Zod validates not just types but also formats (email/uuid/url). One line of code prevents SQL injection!

💻 Hands-on: Fix Security Vulnerabilities

Practice identifying and fixing common security vulnerabilities in the code playground:

Security Vulnerability Fix Exercisetypescript

// Security Fix Exercise // Identify and fix all security issues in this API import { z } from 'zod' // ❌ VULNERABLE API (5 security issues - can you find them all?) const API_KEY = "sk_live_abc123xyz" // Issue 1: ? export async function handleRequest(req: Request) { const body = await req.json() // Issue 2: No input validation const { email, password, role } = body // Issue 3: SQL injection risk const query = `SELECT * FROM users WHERE email = '${email}'` // Issue 4: Plain text password storage await db.execute(query) await db.execute( `INSERT INTO users (email, password, role) VALUES ('${email}', '${password}', '${role}')` ) // Issue 5: Sensitive data in response return Response.json({ success: true, password: password, apiKey: API_KEY }) } // ✅ TODO: Rewrite the function above with all fixes applied // Hints: // 1. Move secrets to environment variables // 2. Add Zod validation schema // 3. Use parameterized queries // 4. Hash passwords with bcrypt // 5. Never return sensitive data in responses

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

❓ Knowledge Check

❓

Which approach most effectively prevents SQL injection?

AFilter special characters (like quotes)

BUse Parameterized Queries

CLimit input length

DUse HTTPS

❓

What problem does a JWT without an expiration time cause?

APerformance degradation

BLarger token size

COnce leaked, the token is valid forever — attackers can use it indefinitely

DUnable to refresh the token

❓

What is the #1 security risk in the OWASP Top 10?

AXSS (Cross-Site Scripting)

BInjection attacks (e.g., SQL injection)

CBroken Access Control

DCSRF (Cross-Site Request Forgery)

🎉 Congratulations!

You've completed the Security Best Practices tutorial! You've mastered:

• ✅ Five-layer defense-in-depth model
• ✅ Zod input validation to prevent injection
• ✅ Secure JWT configuration and role-based authorization
• ✅ Secrets management with environment variables
• ✅ Dependency security auditing and HTTP security headers

📖 Next Steps

• Enterprise Patterns - Large-scale project architecture
• Performance Optimization - Performance analysis and tuning
• Custom Hooks - Create security audit hooks