Do you think about security and wonder how you would even start to protect your projects?
Good security practice isn't really taught in any meaningful way when you first start out on the path to becoming a developer. "Because it's more secure" with no reasoning given is not educational and is likely harmful. Remember to always ask why, because chances are the advice came by word of mouth.
I know I am guilty of several past transgressions but I don't want you to make the same mistakes or never feel compelled to ask why.
Where do I learn about Security?
The OWASP Top 10 is a digestible way to learn about threats. OWASP is a fantastic organization that, among other things, keeps track of trending ways of attacking a website and maintains the current list of the top 10 issues. You can also take OWASP Top 10 training on many training platforms.
Then it's my problem?
Yes, security is very much your problem to worry about, because you need to learn to spot shoddy code that opens doors for attackers, the kind of doors that might as well have a sign saying "hack me". Beyond this, you can enlist applications to help you deal with credentials, users, login, permissions and more; gone are the days of writing a login system and storing emails, usernames and passwords yourself.
Identity providers, in a nutshell and in various forms, allow you to run an Access Management application. This kind of application runs alongside your main application, typically with its own database, and it lets you manage how users register and log in, and what access they have to areas of an application or API.
Your application now has a login form provided by the Access Manager instead of one you rolled yourself. Typically these are skinnable, or you can roll your own form and call the API to authenticate, and much more.
I work at ForgeRock, very proud of that, but I don't talk about it because I don't like to bring my work into my blog. I have no affiliated or official motives other than to say we are great and you should check us out if you're looking for an enterprise solution.
But I'm not an enterprise?!
I have been grappling with the same conundrum for some time. I make a lot, a lot, a lot of stuff in my spare time, all of which tends to make me ask myself,
how can I even release this?!
I have a huge ethical responsibility to protect you, but I don't have an Access Manager or the budget for such a tool. Disclaimer: from here on this is my personal advice to you, not affiliated with any third party. You can't trust my advice blindly, or anyone else's; take it with a pinch of salt and do the research to validate my claims.
Well, good news: there are some basic open source options, and maybe they are good for large open source projects. But the best and simplest way to solve this is to use an OAuth2 provider, or to ask yourself whether you need user logins at all. If the former, pick a provider you can trust.
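To make "use an OAuth2 provider" concrete, here is an added example (not code from the original post, and not tied to any particular provider) of the client side of the authorization code flow with PKCE: building the redirect to the provider and validating the callback before the code is exchanged for tokens. The provider URL, client id and redirect URI are assumed placeholders, and the plain dict stands in for whatever server-side session your framework gives you.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders: substitute your provider's authorize endpoint and your client settings.
AUTHORIZE_URL = "https://idp.example/oauth2/authorize"
CLIENT_ID = "my-app-client"
REDIRECT_URI = "https://app.example/callback"


def pkce_challenge(verifier: str) -> str:
    """S256 PKCE challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_login(session: dict) -> str:
    """Build the authorization URL; state and the PKCE verifier live only in the server-side session."""
    state = secrets.token_urlsafe(32)           # CSRF binding between redirect and callback
    verifier = secrets.token_urlsafe(64)        # ~86 chars, inside PKCE's 43..128 limit
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the provider's redirect; return the form body for the token endpoint."""
    qs = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replayed callback fails
    got = qs.get("state", [None])[0]
    if expected is None or got is None or not secrets.compare_digest(expected, got):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
    }
```

The dict returned by `handle_callback` is what gets POSTed to the provider's token endpoint; your app never sees or stores a password, only the tokens the provider issues.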
When should I worry?
Always, but especially if you take personal information of any kind: emails, names, anything like that is personal information which you must guard.
Cool 😎 any questions? I'm just a UI engineer, but I can try to help; just leave a comment and stay safe.