Cheatsheets
Network security
OWASP Top 10, TLS, auth & access, hardening, and security tooling.
Visualize
JWT anatomy
header.payload.signature — base64url, and what each part holds.
{
"sub": "1234567890",
"name": "Ada Lovelace",
"role": "admin",
"iat": 1700000000,
"exp": 1700003600
}claims: sub (subject), iat/exp (issued/expiry as unix seconds). Readable by anyone.
Header & payload are base64url — decode them with no secret. Never put secrets in a JWT; always verify the signature server-side.
TLS handshake — key exchange (3D)
Slow public-key crypto authenticates the server and agrees a fast symmetric session key; bulk data uses that.
25 entries
OWASP Top 108
Broken access controlEnforce authorization server-side; deny by default.
Cryptographic failuresEncrypt in transit & at rest; no weak ciphers
InjectionParameterise queries; never concatenate untrusted input.
Insecure designThreat-model; secure-by-design patterns
Security misconfigurationHarden defaults, disable debug, patch
Vulnerable componentsTrack & update dependencies (SCA, SBOM)
Auth failuresMFA, rate-limit logins, rotate sessions
SSRFServer-Side Request Forgery — validate/allow-list outbound URLs.
TLS & certificates6
TLS 1.3 handshakeFewer round-trips; forward secrecy by default
Certificate chainLeaf → intermediate → root CA
HSTSForce HTTPS, prevent downgrade
mTLSMutual TLS — both client and server present certificates.
openssl s_client -connect host:443Recipe: inspect a server's TLS and certificate.
Let's Encrypt / ACMEFree, automated certificates
Auth & access6
MFA / TOTPSecond factor beyond a password
OAuth 2.0 / OIDCDelegated authz / authn on top
JWTSigned token — always verify signature, expiry, and audience.
RBAC / ABACRole- / attribute-based access control
Least privilegeGrant only what's needed
Secrets managementVault / KMS; never commit secrets
Hardening & tools5
Disable root SSH + key-onlyRecipe: harden sshd against brute force.
Firewall (ufw/iptables)Default-deny inbound, allow needed ports
fail2banBan IPs after repeated auth failures
nmap / Burp / ZAP / sqlmapOffensive tooling — authorized testing only.
Wireshark / tcpdumpPacket capture & analysis