CODLIY · CLOUD & DEVOPS

Security by default: the OWASP items we refuse to skip

April 24, 2026 · 1 min read

Security is not a sprint at the end — it is a handful of defaults baked into every project on day one.

The non-negotiables

  • Dependency review in CI, with weekly SCA reports reaching the engineering lead.
  • Explicit RBAC from the first migration. No "admin flag on the user model" shortcuts.
  • Signed URLs for every file the user should not enumerate.
  • Rate limiting on every write endpoint — measured, not guessed.
  • Audit log at the aggregate root, append-only, tamper-evident.

Secrets

Secrets live in a real secrets manager (AWS SSM, HashiCorp Vault). Not in .env files committed to a private repo, not in CI variables that nobody reviews.

The review that catches the most

Threat-model every user-supplied string. What if it is 10 MB? What if it is binary? What if it is signed by a different key?
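Those three questions written as one request-level check, an added example in Python that is not from the original post; the keyring, the 1 MB cap, the HMAC-SHA256 scheme and the control-character rule are assumptions chosen for the illustration:

```python
import hashlib
import hmac

# Constructed keyring for the example: key id -> HMAC key. In a real service
# these come from the secrets manager, never from source or .env files.
KEYRING = {
    "k1": b"constructed-key-one-32-bytes-long!!",
    "k2": b"constructed-key-two-32-bytes-long!!",
}
MAX_BYTES = 1_000_000          # assumed hard cap, checked before any decoding
TEXT_CONTROL_OK = {"\n", "\r", "\t"}


def sign(raw: bytes, key_id: str) -> str:
    """Producer side: HMAC-SHA256 over the raw bytes, hex encoded."""
    return hmac.new(KEYRING[key_id], raw, hashlib.sha256).hexdigest()


def check_user_string(raw: bytes, key_id: str, sig_hex: str) -> tuple[bool, str]:
    """Answer the three review questions for one user-supplied string.
    Returns (accepted, reason). Cheap checks run first, so a 10 MB blob is
    refused before it is decoded, scanned or MACed."""
    # Q1: what if it is 10 MB? Reject on size before touching the content.
    if len(raw) > MAX_BYTES:
        return False, "too large"
    # Q2: what if it is binary? Require valid UTF-8 with no stray control bytes.
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not utf-8"
    if any(ord(c) < 0x20 and c not in TEXT_CONTROL_OK for c in text):
        return False, "control characters"
    # Q3: what if it is signed by a different key? Look the key up by id and
    # compare in constant time; an unknown id is a rejection, not a fallback.
    key = KEYRING.get(key_id)
    if key is None:
        return False, "unknown key id"
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig_hex):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    msg = b"transfer 10 EUR to account 42"
    print(check_user_string(msg, "k1", sign(msg, "k1")))        # (True, 'ok')
    print(check_user_string(msg, "k1", sign(msg, "k2")))        # signed by a different key
    print(check_user_string(b"\x00\x01binary", "k1", ""))       # binary content
    print(check_user_string(b"A" * (MAX_BYTES + 1), "k1", ""))  # oversized blob
```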
