Chapter 4

Auth + Secret Management

JWT pitfalls, session security, and where to put your keys.

~14 min total · 2 lessons · Assignment

By the end of this chapter you'll be able to

  • Configure JWT correctly (audience, expiry, rotation)
  • Identify secrets that should never be in code

Chapter assignment

Audit your tokens + secrets

Document where every secret lives. Rotate JWT_SECRET in dev — what breaks? Add audience + expiry validation to your JWT verify. Add one Sentinel rate-limit rule to /api/auth/login.


Lesson 1 takes ~8 min.
