Node.js 20 hits End-of-Life on April 30, 2026. That's this week. 🚨 After that, no more security patches upstream. Any CVE disclosed against v20 from that point on is yours to deal with — fix or backport patches yourself, or accept the risk. Upgrading to the latest Node.js version is the right answer for most teams, but "right" and "realistic this quarter" aren't always the same thing. If you've got a dependency tree that fights you, native modules that haven't been rebuilt, or a migration that needs a real runway, HeroDevs ships a drop-in NES build of Node.js 20 with never-ending fixes for future CVEs. No app code changes are required, and it buys you time to migrate properly instead of rushing it. Plan the upgrade. Don't let the date plan it for you. #NodeJS #OpenSource #EndOfLife #HeroDevs
Node.js 20 End-of-Life: Upgrade or Migrate with HeroDevs
-
JWT auth is easy to mess up. Here’s a secure, production‑ready pattern I use at Devsloop. 🔐 I’ve seen tokens stored in localStorage. I’ve seen no refresh rotation. I’ve seen expired tokens crash apps. Let’s fix that. Access + refresh tokens – why both? • Access token (short‑lived, 15 min): Limits damage if stolen. • Refresh token (longer, 7 days): Gets new access tokens without re‑login. • Store refresh token in an HTTP‑only cookie (not localStorage). Guard‑based route protection: In NestJS, a simple @UseGuards(JwtAuthGuard) protects entire controllers. Add a @Public() decorator for login/register endpoints. Common mistake – storing tokens in localStorage: LocalStorage is vulnerable to XSS. Any injected script can steal your token. Solution: Store access token in memory (RxJS BehaviorSubject) and refresh token in an HTTP‑only cookie. DM me “JWT” and I’ll send you my NestJS auth snippet. Includes guard, strategy, and cookie extraction. #NestJS #NodeJS #WebSecurity
-
For every developer out there using Axios in their TypeScript and JavaScript projects! The Axios package was recently compromised in a severe security breach. This breach also compromises the systems of all users who have been working with Axios. NOTE! This is in relation to Axios package versions 1.14.1 OR 0.30.4 (as far as I know). If you are not on those versions, you can rest assured! I have posted a video from the YouTuber Fireship that describes this amazingly well. To help out other developers and companies, share this post!! #Developers https://lnkd.in/drc4QR2K
Millions of JS devs just got penetrated by a RAT…
https://www.youtube.com/
-
Why are we still trusting sandboxes to be secure by default? CVE-2026-34208. SandboxJS library. CVSS 10.0. Bypass allows escape from the JavaScript sandbox. This is a fundamental design flaw, not a simple bug. If your app's security model depends on this library, you have no security model. What's your go-to strategy for vetting and securing third-party code libraries? #InfoSec #ThreatIntelligence #PatchManagement #CloudSecurity #RiskManagement 🔗 https://lnkd.in/eKNKsAQU
-
🚨 Axios, Security, and Why Developers Are Debating It Lately I've been seeing many posts claiming that Axios is vulnerable or “hacked.” But the reality is more nuanced. For context, Axios is a popular JavaScript library used to send HTTP requests to APIs. It powers data fetching in many modern web applications. Recent discussions focus on request manipulation and geo-based exploits. In some cases attackers can: • spoof request origin or location • bypass geo restrictions or rate limits • abuse APIs if apps trust request metadata too much The key point: the issue is usually not the library itself, but relying on client-side data (IP, headers, geo) for security decisions. A few takeaways: • libraries aren’t security boundaries • client request data can be manipulated • real validation should always happen on the backend Axios remains widely used because it's simple and reliable — but security must be designed around it, not assumed inside it. Are you still using Axios, or did you switch to native fetch? #Frontend #WebDevelopment #JavaScript #Security #SoftwareEngineering
-
After the recent Axios issue we faced in our project, I’ve been asking myself: Should we keep using Axios, or is it finally time to migrate to modern alternatives? Axios has been a reliable workhorse for years — great interceptors, cancel tokens, and wide compatibility. But every dependency adds risk, and the JS ecosystem has evolved. Here’s a quick, practical comparison of the strongest alternatives: Fetch API → Native in browsers and Node.js (v18+). Zero dependencies, full control, but you handle JSON, errors, and retries manually. Ky → My current favorite. Tiny (~2KB), elegant wrapper around Fetch. Built-in retries, timeouts, hooks, and a super clean API. Perfect developer experience with almost no boilerplate. Undici → The high-performance HTTP/1.1 & HTTP/2 client that actually powers Node.js native Fetch. Blazing fast on the server side. Migration isn’t always trivial (especially if you heavily rely on interceptors), but the payoff in bundle size, security, and long-term maintainability is real. Have you already made the switch in your projects? Or are you staying with Axios? Would love to hear real-world experiences and lessons learned 👇 #JavaScript #NodeJS #WebDevelopment #Frontend #Backend #Axios #Fetch #Ky #Undici
-
🚀 Just published a new npm package: @ubay182/sveltekit-hpke-wrapper While working on a project with SvelteKit, I needed a simple way to implement HPKE (Hybrid Public Key Encryption) for secure client–server communication. So I built a small wrapper to make it easier to use HPKE inside SvelteKit apps. ✨ Features: • Simple integration with SvelteKit • Wrapper around HPKE to simplify encryption workflows • Designed for secure data exchange between client and server If you're working with SvelteKit and need a lightweight way to implement HPKE, feel free to check it out. 📦 npm: https://lnkd.in/gpXR3yqx Feedback, issues, and contributions are welcome! #SvelteKit #JavaScript #WebSecurity #Encryption #OpenSource
-
Hey devs 👋 After working with WebSockets, I stepped into WebRTC — initially it felt too complex, but breaking it down step by step made it clear.

🚀 Core Architecture
WebRTC enables P2P (Peer-to-Peer) communication — users connect directly without a media server. But browsers don't know each other, so I used WebSockets for signaling.

🔑 Key Blocks
STUN (Session Traversal Utilities for NAT) → Finds your public IP
TURN (Traversal Using Relay NAT) → Relay server when P2P fails

🔄 Signaling
SDP (Session Description Protocol) → Media capabilities
ICE (Interactive Connectivity Establishment) → Network path info
Flow: Offer → Answer → ICE → Connection

Testing Challenge
Browsers block camera/mic on non-HTTPS. Fix: allowed insecure origin in Chrome flags.

Connection Flow
Users connect via WebSocket
Caller sends Offer
Receiver sends Answer
ICE exchange + STUN → public IP
P2P connection established
Video/Audio streams flow directly

⚠️ Limitation
P2P works best for 1-to-1 calls

🌐 Scaling
Apps like Meet, Zoom, Discord use SFU (Selective Forwarding Unit)
All users connect to central server → streams forwarded
✔ scalable ✔ lower bandwidth

💡 Learning
Debugged connection issues, fixed getUserMedia errors, understood real networking. First cross-device video stream felt 🔥
Huge thanks to Revan Kale for helping me test this setup. 🙌
#WebRTC #WebSockets #FullStackDevelopment #SystemDesign #ReactJS #SpringBoot #LearningInPublic
-
🧵 Day 12 of 40 — React System Design Series Most auth tutorials end at "store the JWT in localStorage." That's where the real implementation begins. Today I built a complete React auth flow — the production version: → authService — one place for all auth API calls → apiClient — axios interceptors for silent token refresh (transparent to the user) → useAuth hook — login/logout with loading and error state → LoginForm that stays clean (no token logic in the component) → credentials: 'include' — the silent bug most people miss The pattern where token expiry is invisible to users 👇 https://lnkd.in/ghMPhd7s #ReactJS #SystemDesign #Auth #Frontend #LearningInPublic
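Added example, not code from either post: the fetch-alternatives post above notes that with plain fetch you handle errors and retries yourself, and the React auth post above leans on Axios interceptors for silent refresh and on credentials: 'include'. The client below covers both on global fetch (Node 18+ or a browser): an Authorization header rebuilt per attempt from an in-memory token getter, credentials: 'include' so the HttpOnly refresh cookie travels, a single refresh-and-retry on 401, a timeout via AbortSignal.timeout, and bounded exponential backoff for idempotent methods only. fetchImpl is injectable so it can be exercised without a network; the base URL, paths and hook bodies are placeholders.

```javascript
// Added example (not from either post): a small fetch client covering what Axios
// interceptors are usually used for, with no dependencies.
class HttpError extends Error {
  constructor(status, url, body) {
    super(`HTTP ${status} for ${url}`);
    this.status = status;
    this.body = body;
  }
}

const IDEMPOTENT = new Set(['GET', 'HEAD', 'OPTIONS', 'PUT', 'DELETE']);
const RETRYABLE = new Set([408, 429, 500, 502, 503, 504]);
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

function createClient({
  baseUrl,
  getAccessToken = () => null,   // reads the in-memory access token (never localStorage)
  refreshSession = null,         // async () => void, e.g. POST /auth/refresh; the cookie carries the refresh token
  retries = 2,
  baseDelayMs = 200,
  timeoutMs = 5000,
  fetchImpl = globalThis.fetch,
}) {
  async function request(path, init = {}) {
    const method = (init.method || 'GET').toUpperCase();
    const url = new URL(path, baseUrl).toString();
    const canRetry = IDEMPOTENT.has(method);
    let attempt = 0;
    let refreshed = false;

    for (;;) {
      // Headers are rebuilt on every attempt so a refreshed token is used on the retry.
      const headers = { ...(init.headers || {}) };
      const token = getAccessToken();
      if (token) headers.authorization = `Bearer ${token}`;

      let res;
      try {
        res = await fetchImpl(url, {
          ...init,
          method,
          headers,
          credentials: 'include',                 // send/receive the HttpOnly refresh cookie
          signal: AbortSignal.timeout(timeoutMs),
        });
      } catch (err) {                             // network failure or timeout
        if (!canRetry || attempt >= retries) throw err;
        await sleep(baseDelayMs * 2 ** attempt);
        attempt++;
        continue;
      }

      if (res.status === 401 && refreshSession && !refreshed) {
        refreshed = true;                         // at most one refresh per request, no loops
        await refreshSession();                   // throws if the refresh cookie is gone: caller logs out
        continue;
      }
      if (canRetry && RETRYABLE.has(res.status) && attempt < retries) {
        await sleep(baseDelayMs * 2 ** attempt);
        attempt++;
        continue;
      }
      if (!res.ok) throw new HttpError(res.status, url, await res.text());
      return res.status === 204 ? null : res.json();
    }
  }

  return {
    request,
    get: (path, init) => request(path, { ...init, method: 'GET' }),
    post: (path, body, init = {}) => request(path, {
      ...init,
      method: 'POST',
      headers: { 'content-type': 'application/json', ...(init.headers || {}) },
      body: JSON.stringify(body),
    }),
  };
}
```

POST is deliberately not retried on 5xx, since the server may already have processed it; the 401 retry is safe for any method because the request was rejected before any work was done. Honouring Retry-After on 429 is a sensible addition the example leaves out.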
-
I spent the last 15 years watching developers rebuild the same security holes. Different year, same mistake. Spring Security is one of those things that sounds boring until you realize how many production apps I've audited that got it wrong. New version, new syntax, same core problem: most teams don't actually understand what's happening under the hood. https://lnkd.in/g53hv9vH The SecurityFilterChain shift in Spring Boot 3 is worth your time if you're building anything that matters. Not because it's trendy. Because it forces you to think about the order of your filters, what actually runs first, and why that matters when someone's trying to get past you. I've got five apps on the App Store. None of them would still be there if I treated security like an afterthought. Read this. Don't memorize it. Understand it. The real question: how many of you are running code right now that you inherited and never actually verified was doing what you thought it was doing? #SpringBoot #Security #Development
-
This is a dangerous mistake that's easier to make than you'd think:

```js
// NEVER do this in a Client Component
const response = await fetch('https://lnkd.in/dky5ZBwD', {
  headers: { Authorization: `Bearer ${process.env.STRIPE_SECRET_KEY}` }
});
```

Rules to follow:
→ Secret API keys → Server Components, API routes, or server actions ONLY
→ NEXT_PUBLIC_ prefix → safe for client side, never for secrets
→ Never log process.env objects entirely

```js
// Safe — runs only on the server
// app/api/payment/route.js
import Stripe from 'stripe';

export async function POST(req) {
  const stripe = new Stripe(process.env.STRIPE_SECRET_KEY); // Safe here
  ...
}
```

If your secret key ever ends up in the browser, rotate it immediately. Security is not something you fix after deployment. Build it right from the start. #NextJS #Security #WebDevelopment #Frontend