Ali Elderov’s Post

The "Localhost" Lie: Why my code failed locally but worked on IP I spent yesterday chasing a ghost in my development environment. The Scenario: I canceled an API request in my Angular frontend. ✅ Chrome Network tab: "Cancelled" ❌ Backend (ASP.NET Core): CancellationToken never triggered. The server kept crunching data. The Investigation: I tested every combination to isolate the issue: localhost:4200 (Via Proxy) ➡ Failed ip:4200 (Via Proxy) ➡ Failed localhost:5012 (Direct Backend) ➡ Failed ip:5012 (Direct Backend) ➡ ✅ Success! The "Aha!" Moment: Why did hitting the backend via IP work when Localhost failed? They are the exact same server! The Culprit? Protocol Negotiation. 🔹 Via Proxy (:4200): The Angular/Node proxy was "swallowing" the cancellation signal, never forwarding it to the backend. 🔹 Direct Localhost (:5012): Chrome treated localhost as a "Secure Context," negotiated HTTP/2, and sent a RST_STREAM frame. The server stack didn't map this logical frame to the token correctly. 🔹 Direct IP (:5012): Chrome saw an invalid cert for the IP, forced a downgrade to HTTP/1.1, and killed the TCP connection. The server had to listen to the hard socket close. The Takeaway: Handling request cancellation is a major, often overlooked part of development. Proxies often block disconnect signals by default. Localhost behavior != Production behavior due to HTTP/2. If you aren't testing your CancellationTokens, you're likely paying for "Zombie Requests" in production. Has anyone else battled the HTTP/2 ghost in.NET? #SoftwareEngineering #DotNet #Angular #WebDevelopment #Debugging

New Open-Source Release Bots, scanners, and automated traffic are common in Node.js APIs. Instead of trying to 100% detect humans, I built a small privacy-first Node.js package that takes a more practical approach: 👉 Score HTTP requests (0–100) based on risk, not certainty. request-risk-score No browser fingerprinting No external or paid APIs Explainable signals SEO-safe (handles crawlers carefully) 📦 npm package: https://lnkd.in/g2xfB-KG Blog link:https://lnkd.in/gcTDDwaX Built for developers who want visibility and control, not black-box blocking. Feedback welcome 🙌 #nodejs #opensource #security #api #javascript

✴️ Let’s talk about React2Shell (CVE-2025-55182) — a critical vulnerability that affected thousands of production applications worldwide using React Server Components and Next.js. This flaw allows attackers to take over a server without login, without user interaction, and with a single crafted request. 🚨 The Technical Failure: ➡️ The server accepted a specially crafted POST request that looked like normal app data ➡️ That request contained pointers (references) telling the server to jump between internal objects ➡️ Those pointers were used to reach built-in JavaScript functions through the prototype chain ➡️ During data processing, the server mistakenly executed a function instead of just reading data ➡️ In short: attacker-controlled input was deserialized and turned into live server-side code ⚠️ This is not just bad input validation. This is data being allowed to become executable logic. ⚡ The Result: ➡️ Attackers can run commands on the server ➡️ Steal API keys, secrets, and environment variables ➡️ Read or modify databases ➡️ Take full control of apps built with React Server Components and Next.js ✅ The Lesson for System Architects: Security is defined by execution boundaries, not just features. You must know what data is allowed to become code — especially when introducing new frameworks, libraries, or architectural patterns. Pulling in a new dependency without understanding its internal trust model can silently expose your entire system. 💡💡💡 At Tech-Moody: This is exactly the class of architectural risk we specialize in eliminating. Our teams design and review systems where: ✔️ User input is never allowed to influence code execution paths ✔️ Deserialization is treated as a high-risk boundary, not a safe utility ✔️ Framework internals and third-party libraries are reviewed as potential attack surfaces ✔️ System-level operations are isolated and sandboxed by design ☑️ If external input can reach your execution layer through libraries or framework internals, your architecture hasn’t just failed — it was never safe to begin with. #CyberSecurity #SystemDesign #React #NextJS #RCE #ZeroTrust #EnterpriseSecurity #InfoSec #JavaScript

APIs aren’t always the best solution anymore. Next.js 15 makes Server Actions feel like a practical alternative to the “build an API route for every mutation” habit. Instead of wiring up a route handler, a client fetch, loading states, and error handling, you can run a server function directly from the UI flow using the use server pattern and form actions. That reduces glue code and keeps mutation logic closer to the component that owns it. Where Server Actions shine is anything UI-driven and internal. Form submissions, database writes, updating user settings, and small mutations that exist purely to support a page or feature. You get a simpler mental model, and Next.js includes protections like origin checks and configuration options for Server Actions. API routes still matter, and they are often the right choice when you need a real endpoint. If you’re handling webhooks, integrating with third-party services, supporting mobile clients, exposing public APIs, or building anything that must be called outside your Next.js UI, route handlers are the clearer and more scalable contract. The rule I follow is simple. Use Server Actions when the caller is your own UI and the job is a mutation. Use API routes when the caller could be anything else, or when you need a stable interface for external systems. Also, Server Actions are generally positioned for mutations rather than data fetching, so I keep reads in server components, route handlers, or dedicated data layers depending on the app. Next.js 15 doesn’t kill APIs. It just removes the need to build them by default for every internal interaction. The best teams use both, intentionally. #NextJS15 #FullStack #ServerActions #APIRoutes #ReactServerComponents #WebDevelopment #JavaScript #TypeScript #Frontend #Backend #SoftwareArchitecture #Vercel #EngineeringBestPractices #DeveloperExperience

Getting tired of vulnerability noise, too? Unfortunately, Node.js just disclosed a vulnerability that affects virtually every production Node.js app. If you use: • React Server Components • Next.js • Any APM or observability tooling (Datadog, New Relic, OpenTelemetry) …you could be exposed to denial-of-service attacks. The bug lives deep in Node.js internals (async hooks), which is why the blast radius is so wide – popular frameworks and tooling pull this code path in by default. Patches are available, so roll them out fast. And as always, proper user input sanitization is critical. If the constant cycle of urgent CVEs feels unsustainable, it's not a tooling failure – it’s the reality of modern software. And that's exactly the pain we’re solving at Echo. Our customers get secure images and fast security updates, so responding to issues like this doesn’t become a full-blown fire drill. Today it’s Node.js, tomorrow it’ll be something else. So reduce your attack surface with secure infrastructure and minimal runtime components to limit what can happen when the next one hits.

𝗧𝗵𝗲 𝗜𝗺𝗽𝗼𝗿𝗍𝗮𝗻𝗰𝗲 𝗢𝗳 𝗗𝗲𝗯𝗴𝗴𝗶𝗻𝗴 𝗠𝗲𝗺𝗼𝗿𝘆 𝗟𝗲𝗮𝗸𝘀 𝗜𝗻 𝗝𝗮𝗵𝗮𝘀𝗰𝗿𝗶𝗽𝘁 You need to ensure your web application is stable and secure, especially during high traffic. Memory leaks can cause big problems, like slow performance or service outages. As a developer, you can use tools to find and fix memory leaks. JavaScript has automatic garbage collection, but it's not perfect. Leaks can happen due to leftover references in closures, global variables, or event listeners. To fix leaks, you need to isolate the problem. Use browser developer tools or Node.js profiling tools. Take heap snapshots to compare memory states over time. For server-side debugging, use Node.js with Chrome DevTools. You can also use code to track heap size: - Take periodic heap snapshots - Check for steadily increasing heap size - Focus on event listeners, global variables, and closures Security is tied to memory management. Leaks can be used for denial-of-service attacks or data exposure. Use tools like Heap Profiler and audit your code regularly. Implement automated memory profiling in your CI pipelines. Monitor and clean up memory to keep your system secure. Source: https://lnkd.in/g3TEPU4g

Most Node.js APIs still rely on default JSON parsing, allowing duplicate keys, prototype pollution payloads, and deeply nested JSON to reach application logic before validation begins. @pas7/nestjs-strict-json was designed to enforce strict JSON parsing at the parser level for NestJS, Express, and Fastify. It rejects: • duplicate JSON keys • prototype pollution payloads • excessive depth / JSON DoS patterns • disallowed key paths via whitelist/blacklist Provides unified secure parsing across frameworks, structured error codes for monitoring, and production-oriented performance optimizations. For APIs that process external JSON, parser-level security should be a standard part of the stack. npm: https://lnkd.in/d566_iMc github: https://lnkd.in/dThJFAjV full post: https://lnkd.in/dFDT4Acb #nestjs #nodejs #backend #websecurity #expressjs #fastify #typescript #opensource

🔐 JWT Authentication with Node.js & Express: JWT-based authentication is something every backend or full stack developer ends up using, and it’s one of those concepts that really clicks once you break it down 👇 Here’s the flow I follow: ✅ Access Token: 1. Short-lived (e.g. 10–15 minutes) 2. Sent with every request (usually in the Authorization header) 3. Used to verify the user and access protected routes 4. If it expires -> user can’t access APIs ✅ Refresh Token: 1. Long-lived (days or weeks) 2. Stored securely (HTTP-only cookies / DB) 3. Never used to access APIs directly 4. Only used to generate a new access token 🔄 What happens when the access token expires? 1. Client sends the refresh token to a "/refresh" endpoint 2. Server verifies the refresh token 3. If valid -> generates a new access token 4. Client retries the original request with the new token This setup: 1. Improves security (short-lived access tokens) 2. Avoids forcing users to log in again and again 3. Makes token rotation and revocation possible 🧠 Key takeaway: Access tokens are for authorization, refresh tokens are for renewal. Mixing the two is where most bugs and security issues start. If you’re building APIs with Node.js, Express, JWT, and MongoDB, this pattern is absolutely worth noting. #NodeJS #ExpressJS #JWT #Token #WebSecurity #Authentication #BackendDevelopment #FullStack

Cookies vs Sessions vs Tokens — Authentication Made Simple After working with the MERN stack, one thing I’ve realized is: Authentication is not just about login working. It’s about security, scalability, and architecture. Here’s a simple breakdown Cookies Stored in the browser Automatically sent with every request Can be marked as HttpOnly and Secure Often used with session-based authentication Good for storing small, controlled data. Sessions Data stored on the server Client only stores a session ID (usually in a cookie) Server maps session ID to user data Pros: Easy to implement Good security control Cons: Harder to scale (server memory usage increases) Best for small to medium apps. Tokens (JWT) Server generates a signed token Client stores and sends token in headers Server verifies signature on every request Stateless authentication Pros: Highly scalable No server-side session storage Perfect for APIs & microservices That’s why most modern MERN applications use JWT. My takeaway after building real-world projects: Small internal app → Sessions work fine Production scalable system → JWT with proper security practices Authentication is not a feature. It’s a responsibility. Still learning. Still building secure systems. #mernstack #nodejs #backenddeveloper #authentication #jwt #websecurity #fullstackdeveloper #javascript

🔹 𝗛𝗧𝗧𝗣 𝗥𝗲𝗾𝘂𝗲𝘀𝘁 𝗛𝗲𝗮𝗱𝗲𝗿𝘀 — 𝗮 𝗾𝘂𝗶𝗰𝗸, 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗮𝗹 𝗴𝘂𝗶𝗱𝗲 If you build or consume APIs, headers are one of those tiny things that quietly decide whether integrations are smooth or a nightmare. Here’s a short, actionable breakdown you can use day-to-day. 𝗪𝗵𝗮𝘁 𝗮𝗿𝗲 𝗵𝗲𝗮𝗱𝗲𝗿𝘀? Key–value pairs sent with requests that describe metadata: format, client info, caching, security, and more. 𝗚𝗲𝗻𝗲𝗿𝗮𝗹 𝗵𝗲𝗮𝗱𝗲𝗿𝘀 (request & response) • Connection: keep-alive — controls connection reuse • Cache-Control: no-cache — caching rules • Date — when the message was sent 𝗖𝗼𝗺𝗺𝗼𝗻 𝗿𝗲𝗾𝘂𝗲𝘀𝘁 𝗵𝗲𝗮𝗱𝗲𝗿𝘀 • Accept: application/json — what the client can handle • Content-Type: application/json — format of the body you send • User-Agent — client identity • Host — target domain 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆-𝗿𝗲𝗹𝗮𝘁𝗲𝗱 𝗵𝗲𝗮𝗱𝗲𝗿𝘀 • Authorization: Bearer <token> — auth credentials • Origin / Referer — helps with CORS and provenance • Strict-Transport-Security — enforce HTTPS • HttpOnly / Secure cookie flags — safer cookies Why care? 𝗖𝗼𝗿𝗿𝗲𝗰𝘁 𝗵𝗲𝗮𝗱𝗲𝗿𝘀 = 𝗯𝗲𝘁𝘁𝗲𝗿 𝗶𝗻𝘁𝗲𝗿𝗼𝗽𝗲𝗿𝗮𝗯𝗶𝗹𝗶𝘁𝘆, 𝗳𝗲𝘄𝗲𝗿 𝗯𝘂𝗴𝘀, 𝗶𝗺𝗽𝗿𝗼𝘃𝗲𝗱 𝗽𝗲𝗿𝗳𝗼𝗿𝗺𝗮𝗻𝗰𝗲, 𝗮𝗻𝗱 𝘀𝘁𝗿𝗼𝗻𝗴𝗲𝗿 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆. #Java #BackEndProgramming #SpringBoot #APIDevelopment #Microservices