Learning path

Backend security for API and auth workflows

A practical route through identity, permissions, tokens, OAuth boundaries, browser risks, service accounts, secret handling, security event logs, audit logs, gateway controls, abuse prevention, rate limits, and safe API failure behavior.

11 guides and tools

Identity and access control

Separate identity, permissions, login state, delegated authorization, and protected resource checks.

9 guides and tools

Browser and cross-origin risks

Connect origins, credentials, cookie behavior, cookie hardening, preflight requests, CSRF, XSS, URL encoding, and browser-backed API calls.

13 guides and tools

Secure API behavior

Design gateway checks, rate limits, 401 and 403 responses, safe error messages, and useful debugging signals.

Start here

Pillar guides

These articles are the strongest entry points into the backend security cluster.

Related tools

Local tools for security debugging

Use these browser-based tools while inspecting tokens, encoded values, timestamps, API responses, and diffs.

Available tool

JWT Decoder

Decode JWT header and payload claims locally in your browser without uploading tokens or verifying signatures.

Open tool

Available tool

HTTP Status Code Lookup

Search common HTTP status codes locally in your browser with REST API usage notes, retry guidance, and backend examples.

Open tool

Available tool

Unix Timestamp Converter

Convert Unix timestamps to UTC and local dates, or convert date strings to seconds and milliseconds locally in your browser.

Open tool

Available tool

URL Encoder / Decoder

Encode full URLs, encode query parameters, and decode percent-encoded URL strings locally in your browser.

Open tool

Available tool

Text Diff Checker

Compare two text snippets locally in your browser with line-by-line differences for JSON, SQL, config files, logs, and API responses.

Open tool

How to study

Follow trust boundaries and failure modes.

Backend security is easier to reason about when you track where trust is created, delegated, stored, transmitted, refreshed, revoked, and checked. Each boundary should answer who the caller is, what they can do, what was verified, and what happens when verification fails.

Start with the Authentication Learning Path for identity and login architecture, then use this path to connect browser risks, API gateways, rate limits, and safe responses. For response shape and contract design, browse the API Design Learning Path.

FAQ

Backend security learning questions

What should backend developers learn first about security?

Start with authentication vs authorization, least privilege, service accounts, session and token tradeoffs, OAuth boundaries, CORS limits, CSRF, XSS, secret handling, security event logs, API abuse prevention, rate limits, and safe API error behavior.

Is CORS an authentication or authorization feature?

No. CORS is a browser enforcement mechanism for cross-origin requests. It does not prove who the user is and does not replace backend authorization checks.

Should API gateways be the only security layer?

No. Gateways can centralize routing, rate limits, and edge checks, but each service should still validate trust assumptions and enforce authorization for sensitive actions.

How do JWTs fit backend security?

JWTs can carry signed claims for API authorization, but backends must still verify signature, issuer, audience, expiration, scopes, roles, tenant context, and revocation strategy.