Stay up to date with practical insights on backend engineering, system design, and building reliable software.
URL-level authorization is coarse-grained — it protects paths, not resources. Method-level authorization with @PreAuthorize enables fine-grained access control that considers the current user, the method arguments, and the resource being accessed.
Read moreSQL injection and XSS get attention. SSRF, path traversal, ReDoS, XXE, and deserialization vulnerabilities are less discussed but appear regularly in penetration tests and bug bounty reports. Here is how each manifests in Spring Boot and how to prevent it.
Read moreJava strings have three distinct storage mechanisms — literal pool, heap allocation, and explicit interning — with different memory and identity implications for each. Understanding which one applies when prevents a category of subtle bugs and memory problems.
Read moreRequest specs in Rails test the full stack efficiently, but most teams either over-test at the wrong layer or under-test the cases that matter. Here is the structure that finds real bugs without slowing the suite down.
Read moreService objects are easy to test well and easy to test badly. The difference is in how you handle dependencies, what you assert on, and where you draw the boundary between unit and integration.
Read more