January 29 2025
Trust Boundaries
How to think about security by asking who can trust whom instead of turning everything into a memorized checklist.
Trust, exposure, permissions, and safer defaults in application and API design.
January 16 2025
How to separate proof of identity from access decisions instead of treating login like it solves permissions by itself.
January 23 2025
How to treat external input with less naivety and design APIs that do not accept too much data for convenience.
February 14 2025
How to think about storing credentials in the browser without turning implementation convenience into silent product risk.
January 27 2025
How the design changes between client, server, and API without treating authentication, trust boundaries, and data exposure like the same conversation.