Day 5: Secrets Management and Production Security Checklist | Auth and Security for Web Apps

Never Hardcode Secrets

API keys, database passwords, and JWT secrets hardcoded in source code get exposed in git history, logs, error messages, and accidental deployments. Environment variables are the minimum — secret managers are the standard for production.

.env — Local Development

# .env (local only — in .gitignore!)
DATABASE_URL=postgresql://localhost:5432/myapp
JWT_SECRET=super-long-random-string-at-least-32-chars
ANTHROPIC_API_KEY=sk-ant-...
GOOGLE_CLIENT_SECRET=GOCSPX-...

.gitignore — What Never to Commit

.env
.env.local
.env.*.local
*.pem
*.key
secrets/
node_modules/

Security Audit with Claude

# Use Claude to audit your security posture:

Prompt: "Review this Express application code for security
vulnerabilities. Check for:
- Hardcoded secrets or API keys
- SQL injection vulnerabilities
- Missing authentication on sensitive routes
- Insecure cookie configuration
- Missing rate limiting
- XSS vulnerabilities in response rendering
- Overly permissive CORS settings

[PASTE YOUR CODE]"

Production Security Checklist

[ ] All secrets in environment variables, not code
[ ] HTTPS enforced (redirect HTTP to HTTPS)
[ ] Security headers via helmet (CSP, HSTS, X-Frame-Options)
[ ] Rate limiting on all public endpoints
[ ] Passwords hashed with bcrypt (cost factor 12+)
[ ] JWT secrets are long (32+ chars) and rotated periodically
[ ] Cookies: httpOnly, secure, sameSite=strict
[ ] SQL queries parameterized (no string concatenation)
[ ] User input sanitized before rendering as HTML
[ ] Error messages don't expose stack traces in production
[ ] Dependencies audited: npm audit

Day 5 Exercise

Security Audit Your App

Run npm audit on your project. Fix any high-severity vulnerabilities.
Paste your main server file into Claude with the security audit prompt above.
Work through the production checklist — check off each item or add it to your code.
Run your app in production mode (NODE_ENV=production) and confirm error details are not exposed.

Course Complete — Secure Web Authentication

JWT authentication: stateless, scalable, with proper secret management and expiry.
OAuth 2.0: delegated login via Google/GitHub without managing passwords.
CSRF and XSS defenses: SameSite cookies, sanitized input, and Content Security Policy.
Rate limiting, bcrypt password hashing, and the production security checklist.

Want to go deeper in 3 days?

Our in-person AI bootcamp covers advanced AI development, agentic systems, and production deployment. Five cities. $1,490.

Back to course overview

→