Mar 29 · 14 min read · How to Secure an API: The 4-Layer Framework That Works APIs are the backbone of every modern app. They are also the most common entry point for attackers. Most developers bolt security on as an afterthought: one middleware, one config flag, one if us...
Join discussion
Feb 15 · 2 min read · You can have the cleanest React code, the fastest API, and the most beautiful UI. But if I can inject a script into your search bar that steals your users' session cookies, your startup is dead. Security is not an "add-on." It is a fundamental requi...
Join discussion
Feb 12 · 10 min read · Why Traditional CSRF Protection Fails in Modern Architectures Classic CSRF protection relied heavily on server-side session storage, where a synchronizer token was generated per session and validated against session state. This approach worked well f...
Join discussionJan 26 · 4 min read · Cross-Site Request Forgery (CSRF) is an attack where a malicious website tricks an authenticated user into performing an unwanted action on a trusted site where the user is currently logged in. Because browsers automatically send cookies (including s...
Join discussionJan 8 · 3 min read · The Problem Imagine you're logged into bank.com. While browsing the web, you visit evil.com which contains this innocent-looking link: Win a Free iPhone! 🎁 When you click, your browser sends the request to bank.com with your authentication cookies a...
Join discussionDec 31, 2025 · 9 min read · Have you ever logged into your favorite website, closed it, and then returned to find yourself still logged in? Or maybe you’ve noticed that some websites remember your preferences (like theme or language) every time you visit? It’s all because of we...
Join discussion
Dec 15, 2025 · 4 min read · 前後端分離是近幾年非常熱門的架構概念,其實早在十多年前就已被提出。 在早期的實務中,前後端分離常搭配 SPA 與 CSR(Client-Side Rendering)實作,但在當時的搜尋引擎環境下,CSR 對 SEO 並不友善。 原因在於 CSR 的頁面在初始請求時只回傳空的 HTML 殼,實際內容與 meta 資訊需等 JavaScript 在瀏覽器端執行後才生成;而以前搜尋引擎爬蟲並不會執行 JavaScript(現在google有針對爬蟲做出調整,但執行時機、資源配額與錯誤容忍度仍不保證即...
Join discussionDec 8, 2025 · 2 min read · HTTP Cookies are small pieces of data created by a web server while a user is browsing a website and stored on the user’s device by their web browser. When a user visits a website, the browser automatically sends any cookies that belong to that site ...
Join discussion
