How To Dev

Introduction Hashids is a small open-source library that generates short, unique, non-sequential ids from numbers. It helps secure the system by hiding the real database IDs, preventing users from guessing or scraping data via URLs. Advantages: Security: Hides real IDs, preventing exposure of data structure and the total number of records. Two-way transformation: Allows easy encoding and decoding without requiring storage in the database. High customization: Supports minimum length configuration and utilizes a distinct salt value to guarantee the generated strings are unique to your system. No collisions: The exact same ID and salt value will consistently produce the identical unique string. Limitations: Not true cryptography: Hashids does not employ strong encryption algorithms, meaning someone with the salt and the algorithm can still reverse the string. Therefore, do not use it to secure highly sensitive data. Dependency on Salt: If you lose or alter your Salt string, all prev...

Introduction CSRF (Cross-Site Request Forgery) is a type of attack targeting user sessions. Attackers trick the victim's browser into sending requests (accompanied by identification cookies) to websites where they are logged in without permission. To prevent CSRF, we have 3 main strategies: Method 1 : Check Origin / Referer headers Check if the Origin or Referer header matches the server domain. If they differ, block them immediately at the NextJS Proxy layer before forwarding to the server. Method 2 : Configure SameSite for Cookies When setting cookies for the client, you must set the SameSite=Strict or SameSite=Lax attribute. In this case, if the request originates from a different website, the browser will refuse to attach the Cookie, NextJS receives an empty request and will return a 401 Unauthorized error. Method 3 : Use CSRF Token Require the client to send a Token (generated randomly for each user or using JWT) in the Header. Since a fake site cannot have this token, the out...

Introduction In the previous article, I provided instructions on using NextJS Proxy to check API rate limits simply. However, that application method has the following scalability flaws: Using lru-cache only stores data in memory, so when scaling to multiple pods, the rate limit check will be incorrect because pods do not share data with each other. In actual deployment, you rarely let the NextJS server receive requests directly like that, but instead use additional CDNs (Cloudfront, Nginx) to take advantage of edge locations and their data caching capabilities. Therefore, in this article, I will provide a more comprehensive implementation from CDN, NextJS and NestJS servers to handle request spamming, including: Blacklist: automatically block IPs marked as attacking the system. Whitelist: add static IPs and only allow these IPs to use important services, such as allowing partner IPs to use services or deploying internal services accessible only via company VPN. Rate Limit: limit the n...