Basic security awareness
Five non-negotiable rules every engineer must follow
⏱ Est. ~5 min
01 · Read
You don't have to be a security expert. But you absolutely have to avoid the mistakes that cause most security incidents.
The truth is that most security incidents aren't caused by sophisticated hackers. They're caused by engineers forgetting the basics: leaving passwords in source code, not validating user input, HTTP endpoints that should have been HTTPS.
These five rules keep you out of trouble. They're not optional — they're the minimum bar for writing code other people can trust.
02 · Read
Memorize these five rules. They cover most of the security mistakes junior engineers make.
Key points
- Never commit secrets: API keys, passwords, tokens → .env + .gitignore
- Never trust user input: validate and sanitize anything that comes from a form or URL before using it
- Always use HTTPS: nothing that handles real data should use plain HTTP — data in transit must be encrypted
- Keep dependencies updated: run npm audit regularly to find known vulnerabilities
- Don't log sensitive data: never console.log(password) or log tokens in production
03 · Read
You just got an app to review before it ships. Let's see how many security violations you can find with cat and grep.
04 · Terminal exercise
First, read the full source. Look for anything that violates the five security rules you just learned.
05 · Terminal exercise
Now use grep to find all possible security violations at once — anything that looks like a password, secret, or key.
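The grep step above is done by hand in the terminal. As an added example (not part of the lesson's own exercise), here is the same search written as a small JavaScript scanner that applies four of the five rules to source text and reports the line and the rule each hit breaks. The regex patterns and the two sample sources are constructed for this example; the "leaky" sample is modelled on the kind of app the exercise asks you to review.

```javascript
// Added example: a line-by-line scanner for the rules this lesson teaches.
// Patterns are deliberately simple, like the grep they replace, so expect
// some false positives; the point is to see every suspicious line at once.
const CHECKS = [
  {
    rule: 'Never commit secrets',
    // a credential-looking name assigned a string literal
    pattern: /(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"`][^'"`]{4,}['"`]/i,
  },
  {
    rule: 'Always use HTTPS',
    // plain-http URL literal (local development hosts are allowed)
    pattern: /['"`]http:\/\/(?!localhost|127\.0\.0\.1)/i,
  },
  {
    rule: "Don't log sensitive data",
    pattern: /console\.log\([^)]*\b(password|token|secret)\b/i,
  },
  {
    rule: 'Never trust user input',
    // credentials read from the URL query string instead of a POST body
    pattern: /req\.query\.(password|token|secret)/i,
  },
];

// Returns one entry per (line, rule) match, in file order.
function findViolations(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const { rule, pattern } of CHECKS) {
      if (pattern.test(text)) hits.push({ line: i + 1, rule, text: text.trim() });
    }
  });
  return hits;
}

// Constructed sample: the kind of app.js the exercise asks you to review.
const LEAKY_SOURCE = [
  "const express = require('express');",
  "const API_SECRET = 'sk_live_EXAMPLE_NOT_REAL';",
  "app.get('/login', (req, res) => {",
  "  const password = req.query.password;",
  "  console.log('Login with', password);",
  "  fetch('http://api.example.com/verify');",
  '});',
].join('\n');

// Constructed sample: the same lines after the fixes, which should be clean.
const CLEAN_SOURCE = [
  "require('dotenv').config();",
  'const API_SECRET = process.env.API_SECRET;',
  "app.post('/login', (req, res) => {",
  '  const { username, password } = req.body;',
  "  console.log('Login attempt:', username);",
  '});',
].join('\n');

for (const h of findViolations(LEAKY_SOURCE)) {
  console.log(`line ${h.line}: ${h.rule} -> ${h.text}`);
}
```

Run it with node and compare the output to what your grep found; a scanner like this is a quick pre-commit check, not a replacement for npm audit or a real secret-scanning tool.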
06 · Code example
Here's what the fixed version looks like. Compare it to what you saw — every security violation is addressed.
app.js — security issues fixed
require('dotenv').config();
const express = require('express');
const app = express();
// Parse JSON request bodies; without this middleware req.body is undefined
app.use(express.json());
// Secrets from .env, not hardcoded
const API_SECRET = process.env.API_SECRET;
app.post('/login', (req, res) => {
  // POST body, not URL query string
  const { username, password } = req.body;
  console.log('Login attempt:', username);
  // No password logged! Compare with hashed version in DB,
  // then always send a response so the client is not left hanging
  res.sendStatus(401);
});
app.listen(process.env.PORT || 3000, () => {
  console.log('Server running');
  // No secrets logged!
});
The fixes: (1) secrets moved to .env via dotenv, (2) login uses POST (body) instead of GET (URL), (3) only log the username — never log the password, (4) no hard-coded password comparison — use a proper auth system with hashed passwords, (5) startup logs don't leak secrets.
07 · Quiz
Which of these should never be committed to git?
- package.json
- A .env file containing API keys
- index.html
- README.md
08 · Fill in the blank
To check your project's dependencies for known vulnerabilities, run npm _____.
※ This is an independent Traditional Chinese teaching project — not an official Anthropic product. Claude™ is a trademark of Anthropic, PBC.