Lesson 3 — Practical Cryptography Hygiene

Topics

• Distinguish hashing, encryption, and signing
• Choose safe password hashing parameters
• Understand key rotation at a practical level
• Recognize token entropy requirements
• Use Node.js cryptography libraries safely at a practical level
• User registration and login
• Secure session-based authentication
• Authorization and ownership checks
• Rate limiting and abuse resistance
• CSRF-aware design for cookie-based flows
• Threat modeling and security review habits
• Add a users table and authentication endpoints
• Use server-side sessions backed by a Postgres table. Do not use JWT for TaskFlow v3.
• Associate each task with a user
• Enforce that users can only access their own tasks unless explicit permissions are granted
• Add rate limiting to login and other sensitive endpoints
• Protect cookie-based flows correctly
• Record security-relevant actions in audit logs
• Write a threat model for authentication and authorization flows
• Add negative tests for broken access control and malformed requests
• Updated repository
• Threat model document
• Security test cases
• README section describing authentication choices
• Short note explaining authorization policy design

This lesson is finished