Security & Compliance
Secure your systems from day one. Authentication, authorization, GDPR compliance, and secure API design.
Beginner
Authentication vs Authorization — The Difference That Matters
Authentication proves who you are. Authorization decides what you can do. These are different problems with different solutions — and confusing them leads to serious security bugs.
HTTPS & TLS — How Your Data Stays Private in Transit
A clear explanation of what happens during a TLS handshake, how certificates work, what root CAs are, and what can still go wrong even when the padlock is green.
Security Interview Prep — Junior Level (50 Questions)
50 interview questions and answers covering what junior developers are expected to know about web security: OWASP basics, authentication vs authorization, XSS, SQL injection, JWT, HTTPS, CORS, GDPR, and more.
OWASP Top 10 — The Most Common Security Mistakes Developers Make
A plain-English breakdown of the OWASP Top 10 2021 — what each vulnerability is, how attackers exploit it, and exactly how to prevent it in your code.
Password Security — Why bcrypt Exists and How to Store Passwords Correctly
Why you never store plaintext passwords, why MD5 is wrong for passwords, how bcrypt and Argon2 work, and how to implement proper password storage in C# with ASP.NET Core Identity and BCrypt.Net.
Web Security Fundamentals — What Every Developer Must Know
A practical guide to HTTP vs HTTPS, TLS, cookies, CORS, same-origin policy, and security headers — the building blocks every developer needs before writing a single line of auth code.
Intermediate
RBAC in TypeScript: Role-Based Access Control from Backend to Frontend
Ad-hoc permission checks scatter access control logic across every route and component. RBAC centralises it in one typed file. This guide builds the full implementation in TypeScript — role definitions, Express middleware, React hooks, and a single-file change that propagates across your entire stack.
FHIR R4: Modeling Clinical Data
Learn FHIR R4 — the international standard for healthcare data exchange. Model Patient, Appointment, Observation, Condition, and Practitioner resources. Query with RESTful FHIR APIs in .NET and Python.
HIPAA on AWS: Rules, Business Associate Agreements & Covered Services
Understand HIPAA compliance on AWS — what PHI is, which AWS services are HIPAA-eligible, how to sign a BAA, and the technical safeguards every healthcare application must implement.
CSRF — Cross-Site Request Forgery and How to Prevent It
How CSRF attacks work step-by-step, SameSite cookies as the modern defense, CSRF tokens, ASP.NET Core's built-in protection, and why JWT APIs are naturally immune.
GDPR for Developers — What You Actually Need to Implement
The six lawful bases, what counts as personal data, data minimization, consent management, right to erasure, data export, retention policies, breach notification, and GDPR vs HIPAA vs CCPA.
JWT Deep Dive — Structure, Attacks, and What Senior Devs Do Differently
Understand JWT structure, base64url encoding, signing algorithms, critical attacks like alg:none and algorithm confusion, token storage trade-offs, refresh token rotation, and revocation strategies.
OAuth 2.0 Flows Explained — Which One to Use and Why
The four OAuth 2.0 flows plus PKCE, which ones are deprecated and why, scopes, token types, and a real Authorization Code + PKCE walkthrough for a React SPA calling a .NET API.
RBAC vs ABAC — Choosing the Right Authorization Model
Role-Based vs Attribute-Based vs Relationship-Based Access Control with real examples, ASP.NET Core implementation, and guidance for healthcare and multi-tenant apps.
Secrets Management — Stop Putting Credentials in Your Code
Why putting secrets in code is catastrophic, the secrets management ladder from env vars to Azure Key Vault, secrets rotation, scanning git history, and what to do after an accidental commit.
SQL Injection — Still the #1 Attack After 25 Years
How SQL injection works, classic login bypass, UNION and blind attacks, the parameterized query fix, EF Core pitfalls, second-order injection, and NoSQL injection.
XSS — How Attackers Steal Sessions and How You Stop Them
The three types of XSS with real attack examples, Content Security Policy, output encoding, React's auto-escaping, DOMPurify, HttpOnly cookies, and CSP nonces.
Advanced
OWASP Top 10 for .NET Developers — Vulnerabilities, Examples, and Fixes
Walk through all 10 OWASP Top 10 vulnerabilities with .NET-specific attack scenarios and C# code showing both the vulnerable pattern and the correct fix. Practical, not theoretical.
Secrets Management in .NET — From User Secrets to Azure Key Vault in Production
Stop putting secrets in source control. Learn how dotnet user-secrets works for development, how to wire Azure Key Vault with managed identity for production, and how to rotate secrets without restarting your service.
LLM Security in Production: Prompt Injection Defense Playbook
Defend AI systems against prompt injection, data leakage, insecure tool use, and policy bypass with practical architecture controls.
HIPAA & GDPR in Healthcare Systems: A Developer's Complete Implementation Guide
How developers actually implement HIPAA and GDPR compliance — PHI encryption, audit logging, RBAC, consent management, right to erasure, BAA requirements, AWS HIPAA-eligible services, de-identification, breach notification pipelines, and production .NET + Python code for every requirement.
API Security Checklist — Everything to Check Before You Ship
A production-ready security checklist for REST APIs. Authentication, authorization, input validation, transport security, headers, rate limiting, logging, error handling, dependencies, and secrets — with actionable pass/fail criteria for each.
Security Interview Prep — Senior Level (50 Questions)
50 in-depth security interview questions for senior and lead developers. Covers JWT algorithm confusion, OAuth 2.0 PKCE, mTLS, SSRF, timing attacks, bcrypt vs Argon2, multi-tenant API design, GDPR technical requirements, CI/CD security, and incident response.
Penetration Testing Basics — How to Test Your Own API's Security
Learn the difference between vulnerability scanning and penetration testing, then use OWASP ZAP and Burp Suite to test authentication, authorization, injection, and rate limiting in your own APIs.
Supply Chain Security — The Attacks Developers Ignore
SolarWinds. Log4Shell. event-stream. Learn why supply chain attacks succeed, how to detect vulnerable dependencies in .NET and npm, generate SBOMs, and implement SLSA build provenance.
Threat Modeling — Think Like an Attacker Before They Do
Learn how to threat-model a REST API using STRIDE, build data flow diagrams with trust boundaries, score threats with DREAD, and translate findings into security requirements and test cases.
Zero Trust Architecture — Never Trust, Always Verify
The perimeter is dead. Learn how Zero Trust replaces VPN-based security with identity-driven, microsegmented, continuously verified access for modern .NET microservices on Azure.