Introduction to Authentication & Security
🌐 Language Note: This track is language-agnostic. Code examples will be shown in multiple languages. Choose the language you are most comfortable with. The security concepts are identical across all implementations.
Authentication and authorization are the cornerstones of application security. This module explains the fundamental concepts that every backend engineer must understand.
Authentication vs Authorization
These two terms are often confused but serve different purposes. Let's clarify them with a simple analogy.
Authentication = Showing your passport to prove who you are. Authorization = Showing your boarding pass to enter the plane.
Authentication (AuthN)                 Authorization (AuthZ)
─────────────────────────────────────────────────────────────────────
Verifies identity                      Verifies permissions
"Who are you?"                         "Are you allowed to do this?"
Login with username/password           Checking user roles (admin, user)
Occurs at login time                   Checked on every request
Example: "You are Alice"               Example: "Alice can delete her own posts"
💡 Remember: You cannot authorize a user you haven't authenticated first. Authentication always comes before authorization.
The Authentication Flow
Here is what happens when a user logs into your application. Each step has security implications.
Step 1: User enters email and password
Step 2: Server hashes the password (NEVER stores plain text)
Step 3: Server compares hash with stored hash
Step 4: Server issues a credential (session cookie or JWT)
Step 5: Client stores the credential
Step 6: Client sends credential with every request
Step 7: Server validates credential
Step 8: Credential expires or is revoked on logout
⚠️ Never store plain text passwords! If your database is compromised, plain text passwords give attackers direct access to user accounts.
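The following is an added example, not code from the original module, showing steps 1 to 3 of the flow above in Python's standard library: a per-user random salt, a slow key-derivation function, and a constant-time comparison. The choice of PBKDF2-HMAC-SHA256, the iteration count, the record format and the in-memory `USERS` table are this example's assumptions.

```python
# Added example, not code from the original module: steps 1-3 of the login flow
# using only Python's standard library. Algorithm (PBKDF2-HMAC-SHA256), iteration
# count and the record format are this example's assumptions, not values from the page.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # work factor: raise it as hardware gets faster
SALT_BYTES = 16               # a fresh random salt per user defeats precomputed tables
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Step 2 at registration time: derive a hash and return a self-describing
    record 'algorithm$iterations$salt_hex$hash_hex'. Only this record is stored;
    the plain-text password is discarded."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Steps 2-3 at login time: re-hash the submitted password with the salt and
    iteration count recorded alongside the stored hash, then compare in constant
    time so a mismatch in the first byte takes as long as one in the last."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:          # malformed record (wrong field count, bad hex): fail closed
        return False


# Constructed in-memory user table standing in for the database (username -> record).
USERS: dict = {}
# Record used for unknown usernames so the failure path costs the same time
# as a real verification and does not reveal which usernames exist.
DUMMY_RECORD = hash_password("unused-placeholder")


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    """Steps 1-3 end to end. A database dump exposes only salted hashes,
    because the plain-text password was never stored."""
    stored = USERS.get(username, DUMMY_RECORD)
    ok = verify_password(password, stored)
    return ok and username in USERS
```

Two details are worth noticing: the iteration count and salt travel inside the stored record, so the work factor can be raised later without breaking existing accounts, and hashing the same password twice yields two different records because each gets its own salt.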
Session-Based vs Token-Based Authentication
There are two primary approaches to maintaining authentication state. Each has trade-offs.
Session-Based (Stateful):
- Server stores session in memory/Redis
- Client only stores a session ID (cookie)
- Easy to revoke (delete session)
- Harder to scale (need shared session store)
Token-Based (Stateless):
- Server issues a signed token (JWT)
- Client stores and sends the token
- Easy to scale (no server-side storage)
- Harder to revoke (tokens valid until expiry)
💡 Modern Approach: Most modern APIs use token-based authentication (JWT) because it scales better in microservices architectures.
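As an added example (not code from the original module), the two approaches side by side in Python, which also covers steps 4 to 8 of the authentication flow: a server-side `SessionStore` whose client-held ID is opaque and instantly revocable, and a JWT-style HMAC-signed token that needs no server-side storage but can only be cut short before expiry with extra state (a denylist). The token format, the `SECRET_KEY` generated in-process and the class and function names are assumptions of this example.

```python
# Added example, not code from the original module: session-based vs token-based
# authentication state. Token layout (base64(payload).base64(HMAC-SHA256)) mimics
# a JWT but is simplified; the key is generated here only for the demonstration.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


# ---- Session-based (stateful) --------------------------------------------
class SessionStore:
    """Server-side store (Redis or a database in production). The client only
    ever holds the opaque session ID, which carries no information by itself."""

    def __init__(self, ttl_seconds: int = 3600):
        self._sessions: dict = {}          # session id -> (user, expires_at)
        self.ttl = ttl_seconds

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)    # 256 random bits: unguessable
        self._sessions[sid] = (user, now + self.ttl)
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Every request: resolve the ID to a user, or None if unknown/expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(sid, None)
            return None
        return user

    def revoke(self, sid: str) -> None:
        """Logout: delete the record and the ID the client holds is useless."""
        self._sessions.pop(sid, None)


# ---- Token-based (stateless) ---------------------------------------------
SECRET_KEY = secrets.token_bytes(32)  # constructed for this demo; use a secret manager in practice


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Step 4: sign the claims. The server keeps nothing; the token is the state."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now + ttl_seconds)}, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now: Optional[float] = None, denylist=frozenset()) -> Optional[str]:
    """Step 7: check the signature before trusting any claim, then the denylist,
    then expiry. The denylist is the extra state that stateless tokens need
    for early revocation; without it a token stays valid until 'exp'."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                        # forged or tampered
    if token in denylist:
        return None                        # revoked before expiry
    claims = json.loads(payload)
    if now >= claims.get("exp", 0):        # missing exp is treated as expired
        return None
    return claims["sub"]
```

The `now` parameters exist so the expiry paths can be exercised deterministically; in a server you would let them default to the clock. Note that forging a token for another user fails at the signature check even though the payload is plainly readable: signing protects integrity, not confidentiality, so never put secrets in the claims.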
The CIA Triad
Every security professional must understand these three core principles of information security.
Confidentiality → Only authorized parties can access data (Encryption, access controls)
Integrity → Data is accurate and hasn't been tampered with (Hashing, digital signatures)
Availability → Systems are accessible when needed (DDoS protection, redundancy, backups)
Think of your bank account: Confidentiality (only you see your balance), Integrity (transactions can't be altered), Availability (you can access it when needed).
Common Security Threats (Overview)
These threats will be explored in depth throughout this track. Here is a quick preview.
Broken Authentication → Weak passwords, credential stuffing
Injection Attacks → SQL, NoSQL, command injection
XSS (Cross-Site Scripting) → Malicious scripts injected into web pages
CSRF (Cross-Site Request Forgery) → Tricking users into unwanted actions
MITM (Man-in-the-Middle) → Intercepting client-server communication
DoS/DDoS → Overwhelming systems with requests
🎓 What You Will Learn: By the end of this track, you will understand these threats and know exactly how to protect against them.