Subtracks & Tasks
Authentication and Authorization
Implement JWT Authentication System
JWT (JSON Web Token) is a compact, self-contained token that proves identity without a server-side session store. The server signs the payload with a ...
Implement OAuth 2.0 Authorization Flow
OAuth 2.0 lets users grant third-party apps limited access to their account without sharing their password. The authorization code flow sends the user...
Implement Secure Session Management
Sessions store authentication state server-side. After login, the server creates a session record keyed by a random ID and sends that ID to the client...
Implement Role-Based Access Control (RBAC)
RBAC assigns permissions to roles and roles to users. A user can perform an action on a resource only if they hold a role that grants that permission....
Implement API Security Best Practices
API security is a set of layers: rate limiting prevents abuse, input validation rejects malformed data before it reaches business logic, parameterised...
Encryption at Rest and in Transit
Implement Symmetric Encryption
Symmetric encryption uses the same key to encrypt and decrypt. AES-256-GCM is the modern standard: it is both a cipher (confidentiality) and a MAC (in...
Implement Asymmetric Encryption (RSA)
Asymmetric encryption uses a mathematically linked key pair: anything encrypted with the public key can only be decrypted with the private key. This s...
Implement Cryptographic Hash Functions
Cryptographic hash functions map any input to a fixed-size digest. SHA-256 is fast and great for integrity checks, but too fast for passwords. Bcrypt ...
Implement Secure Key Management
Managing cryptographic keys is as important as the encryption itself. A KMS (Key Management System) generates data keys, wraps them with a master key ...
Implement End-to-End Encryption (E2EE)
End-to-end encryption ensures only the communicating parties can read messages — not the server, not the network. The X3DH protocol establishes a shar...
Interview Prep
Common interview questions for Security / Backend Engineer roles that map directly to what you build in this track.
Questions are representative of real interview patterns. Model answers are starting points — adapt them with your own experience and the specific context of the interview.
Common Mistakes
The top 5 mistakes builders make in this track — and exactly how to fix them, with the root cause and the correct approach for each.
Comparison Mode
Side-by-side comparisons of the approaches, algorithms, and trade-offs you encounter in this track.
Concepts Covered
Prerequisites
It is recommended to complete the previous tracks before starting this one. Concepts build progressively throughout the curriculum.
Rabbit Holes
For when you want to go deeper. Curated papers, posts, and talks beyond what this track covers.
JSON Web Token Best Current Practices (RFC 8725)
RFC 8725 documents the known pitfalls in JWT implementations — algorithm confusion attacks, missing claim validation, key confusion — and the practices that prevent them. Short and essential before shipping any JWT-based auth.
OAuth 2.0 Security Best Current Practice (RFC 9700)
The IETF's current best practices for implementing OAuth 2.0 securely. Covers PKCE, state parameter usage, redirect URI validation, and token binding.
Zanzibar: Google's Consistent, Global Authorization System
Google's Zanzibar paper describes the authorization system enforcing permissions for Google Drive, YouTube, and Maps. A landmark paper on building relationship-based access control at global scale.
OWASP Top 10
The OWASP Top 10 is the canonical list of the most critical web application security risks. Broken access control and cryptographic failures are consistently in the top three — directly relevant to what you implemented in this track.