Related Roadmaps Find the detailed version of this checklist
With details on how to implement these
Backend Roadmap
API Security
DevOps Roadmap https://roadmap.sh
Authentication JWT (JSON Web Token)
Avoid ‘Basic Authentication’, use standard (e.g. JWT) Use good `JWT Secret` to make brute force attacks di!cult
Do not reinvent the wheel in authentication mechanisms. Do not extract the algorithm from the header, use backend
Use `Max Retry’ and jail features in Login. Make token expiration (TTL, RTTL) as short as possible
Use encryption on all sensitive data. Avoid storing sensitive data in JWT payload
Keep the payload small to reduce the size of the JWT token
Access Control OAuth
Always validate `redirect_uri’ on server-side
Limit requests (throttling) to avoid DDoS / Brute Force
Avoid `response_type=token’ and try to exchange for code
Use HTTPS on server side and secure ciphers
Use `state’ parameter to prevent CSRF attacks
Use HSTS header with SSL to avoid SSL Strip attacks.
Have default scope, and validate scope for each application
Turn o" directory listings
Private APIs to be only accessible from safe listed IPs
Processing
Input Check if all the endpoints are protected behind authentication
to avoid broken authentication process
User proper HTTP methods for the operation Avoid user’s personal ID in the resource URLs e.g. users/242/orders
Validate `content-type` on request header Prefer using UUID over auto-increment IDs
Validate user input to avoid common vulnerabilities Disable entity parsing if you are parsing XML to avoid XXE attacks
Use standard Authorization header for sensitive data Disable entity expansion if using XML, YML or any other language
Use only server-side encryption
Use CDN for file uploads
Use an API Gateway for caching, Rate Limit policies etc Avoid HTTP blocking if you are using huge amount of data
Make sure to turn the debug mode o" in production
Output Use non-executable stacks when available.
Send `X-Content-Type-Options: nosni"` header
CI & CD
Send `X-Frame-Options: deny` header.
Send `Content-Security-Policy: default-src 'none'` header.
Audit your design and implementation with unit/integration tests.
Remove fingerprinting headers (i.e. x-powered-by etc) Use a code review process and disregard self-approval.
Force `content-type` for your response. Continuously run security analysis on your code.
Avoid returning sensitive data (credentials, sec. tokens etc) Check your dependencies for known vulnerabilities.
Return proper response codes as per the operation Design a rollback solution for deployments.
Monitoring
More Resources
Use centralized logins for all services and components.
Use agents to monitor all requests, responses and errors.
Recommended Resources
Use alerts for SMS, Slack, Email, Kibana, Cloudwatch, etc.
Ensure that you aren't logging any sensitive data.
Use an IDS and/or IPS system to monitor everything.
Continue Learning with following relevant tracks
Backend Roadmap DevOps Roadmap
