1. Starting a new project2. Local development3. Version control4. Project management5. Remote environments6. Environment variables and secrets7. Databases and files8. Cloud services and Terraform9. full-stack-template specific details10. Production setup11. Running in production12. Creating a custom command13. Creating a custom plugin14. Creating a custom template15. Creating a zone16. Zone maintenance17. Zone monitoring18. Zone recoveryAPPENDIX A: Technology tutorialsAPPENDIX B: Software designAPPENDIX C: Modern server infrastructureAPPENDIX D: SecurityAPPENDIX E: Data protection and privacy (GDPR)

APPENDIX D: Security

TODO This is short list of ... For more, see OWASP.



  • HTTP access logs: Paths and query parameters of HTTP requests end up in access logs. They should not contain any sensitive information. Use request headers or body instead.
  • Excessive logging: You should never log all request headers or body content in production environment, or full user details, as they might contain sensitive information like security tokens or personal details.
  • SQL injection: TODO ... You should consider also javascript property names and query parameters names as user input because { "DELETE * FROM USERS": "true" } is valid json.
  • Global URL path matching bypass: Some router libraries (e.g. koa-router) do not use exact URL path matching by default. If you implement global URL path matching, there might be ways to call a route with an URL that bypasses that global logic if you are not careful. Even worse, router library path matching logic might change some way once library is upgraded to a newer version.
  • Global authorization bypass: There should be authorization in place on route or service level in addition to the global token handling (see Global URL path matching bypass).
  • CORS disable: TODO ...

Next: APPENDIX E: Data protection and privacy

1. Starting a new project
2. Local development
3. Version control
4. Project management
5. Remote environments
6. Environment variables and secrets
7. Databases and files
8. Cloud services and Terraform
9. full-stack-template specific details
10. Production setup
11. Running in production
12. Creating a custom command
13. Creating a custom plugin
14. Creating a custom template
15. Creating a zone
16. Zone maintenance
17. Zone monitoring
18. Zone recovery
APPENDIX A: Technology tutorials
APPENDIX B: Software design
APPENDIX C: Modern server infrastructure
APPENDIX D: Security
APPENDIX E: Data protection and privacy (GDPR)