Security Checklist for Full Stack Web Developers (opens in new tab)

(blog.logrocket.com)

65 pointsbenthehenten8y ago10 comments

10 comments

9 comments · 3 top-level

flavio818y ago· 3 in thread

TL;DR: The advice is:

"use Open source software", "add logging", "set all pages to HTTPS" and follow a "top 10 list of the most critical security threats"

Sad state of things.

The concept of having your work done by "Full Stack Developer" will not be nice for opening up potential security holes, in my opinion.

Additionally, I don't think there exists a real "Full Stack" dev, and I'm not alone in this opinion; click anywhere:

https://medium.com/swlh/the-full-stack-developer-is-a-myth-4...

https://news.ycombinator.com/item?id=10182936

http://andyshora.com/full-stack-developers.html

https://frontendmasters.com/books/front-end-handbook/2017/pr...

https://vitamintalent.com/blog/the-myth-of-the-full-stack-de...

https://techcrunch.com/2014/11/08/the-rise-and-fall-of-the-f...

https://www.propelrr.com/blog/ux/full-stack-web-developer.ht...

danielharrison8y ago

Proper full stack devs are rare, but they do exits, and they're worth their weight in gold to any company with under 50 staff. I've been 'full stack' my entire career but it takes a long time to actually become a competent full stack dev.

A proper full stack dev can make design and implementation decisions at all levels, while being able to visualise the affect of those changes over the entire system, in detail, at low level. They're also able to communicate these changes not only to a uber-low-level introverted developer, they're also able to sit with the CEO/CTO and rationalise their decision in terms of cost and savings.

And of course, they're able to drop anchor, exit the elevator at any level and get on the tools.

anarchy88y ago

Not every company can afford to have a person dedicated to security. No full stack developer is a complete generalist -- everyone specializes naturally. The point is that they are comfortable doing a wide range of tasks. For some people that might make more sense.

flavio818y ago

> Not every company can afford to have a person dedicated to security

But even in a team of 2 people you can have a good front-end developer and a good back-end developer.

cl0rkster8y ago· 2 in thread

I'm not sure that logrocket belongs on such a "security" checklist. While I understand the value that they propose to offer, I'm not sure that wholesale recording your users' sessions and then sending them to a third-party server for storage and retrieval really meshes with my idea of security - especially if the site contains PII. I fully understand that you can intentionally do work to hide that information from logrocket, but that is putting a lot of trust in both devs and in logrocket to get that one right.

While there may be such a tool, I'm not aware of something like this that runs as a first party script and uses local storage. It would indeed be very useful to escape the logs->screenshots->can't reproduce cycle mentioned.

benthehentenOP8y ago

I'm on the LogRocket team.

Your concern is fair, though many modern analytics tools can capture PII if not properly configured. It is important when using any such tools, including LogRocket, that developers understand the scope of the data collected and properly censor things like SSN, Credit Cards, or health data.

Some of our more security-conscious customers also just run LogRocket on their own servers with our self-hosted version. In this case, the script becomes first party, and they can configure behavior where no data leaves the client unless a user specifically gives permission.

cl0rkster8y ago

That is awesome to hear that there is a self-hosted version. I was reading through your docs hoping to find something like that. Is there somewhere on your site that I missed which gives more details about this?

1 more reply

gandreani8y ago· 1 in thread

> In Node, if you use Express (find out in the next article why you shouldn’t , but most people do)

Now that's just mean. Why can't he just say it there!

rawnlq8y ago

Some more links that are express specific:

https://expressjs.com/en/advanced/best-practice-security.htm...

https://blog.risingstack.com/node-js-security-checklist/

I am also curious to know what's wrong with express.

j / k navigate · click thread line to collapse