All cheatsheets

Cheatsheets

Network security

OWASP Top 10, TLS, auth & access, hardening, and security tooling.

Visualize

JWT anatomy

header.payload.signature — base64url, and what each part holds.

encoded token
..
payload
{
  "sub": "1234567890",
  "name": "Ada Lovelace",
  "role": "admin",
  "iat": 1700000000,
  "exp": 1700003600
}

claims: sub (subject), iat/exp (issued/expiry as unix seconds). Readable by anyone.

Header & payload are base64url — decode them with no secret. Never put secrets in a JWT; always verify the signature server-side.

TLS handshake — key exchange (3D)

Slow public-key crypto authenticates the server and agrees a fast symmetric session key; bulk data uses that.

Loading 3D…

25 entries

OWASP Top 108

Broken access control

Enforce authorization server-side; deny by default.

Cryptographic failures

Encrypt in transit & at rest; no weak ciphers

Injection

Parameterise queries; never concatenate untrusted input.

Insecure design

Threat-model; secure-by-design patterns

Security misconfiguration

Harden defaults, disable debug, patch

Vulnerable components

Track & update dependencies (SCA, SBOM)

Auth failures

MFA, rate-limit logins, rotate sessions

SSRF

Server-Side Request Forgery — validate/allow-list outbound URLs.

TLS & certificates6

TLS 1.3 handshake

Fewer round-trips; forward secrecy by default

Certificate chain

Leaf → intermediate → root CA

HSTS

Force HTTPS, prevent downgrade

mTLS

Mutual TLS — both client and server present certificates.

openssl s_client -connect host:443

Recipe: inspect a server's TLS and certificate.

Let's Encrypt / ACME

Free, automated certificates

Auth & access6

MFA / TOTP

Second factor beyond a password

OAuth 2.0 / OIDC

Delegated authz / authn on top

JWT

Signed token — always verify signature, expiry, and audience.

RBAC / ABAC

Role- / attribute-based access control

Least privilege

Grant only what's needed

Secrets management

Vault / KMS; never commit secrets

Hardening & tools5

Disable root SSH + key-only

Recipe: harden sshd against brute force.

Firewall (ufw/iptables)

Default-deny inbound, allow needed ports

fail2ban

Ban IPs after repeated auth failures

nmap / Burp / ZAP / sqlmap

Offensive tooling — authorized testing only.

Wireshark / tcpdump

Packet capture & analysis