Security topics that come up in code review — OAuth2 vs OIDC, JWT pitfalls, OWASP top 10 in practice, secrets management, mTLS, and the auth design choices that prevent the postmortem.
3 articles · updated regularly
A .env file committed once lives in git history forever. Real secrets management is about rotation, scoping, and never letting a credential touch disk in plaintext.
OAuth gives you authorisation. OIDC gives you authentication. Treating them as the same is how 'Sign in with X' became a security punchline.
JWTs are not a session system. They are a signed claim. Confusing the two is how teams ship subtle auth bugs.