
Adding security and authentication

1. Adding security and authentication

Welcome back! In this video, we’ll learn about implementing secure authentication and applying crucial security checks.

2. Why security and authentication matter

When building any full-stack app, especially one that handles user data, security is paramount. JSON Web Token (JWT) authentication protects user accounts, while automated security checks help guard against the common vulnerability classes catalogued in the OWASP Top 10, such as injection, authentication failures, and security misconfiguration. So, what exactly are OWASP and JWT?

3. OWASP Top-10

OWASP stands for the Open Web Application Security Project (renamed the Open Worldwide Application Security Project in 2023). It is a community-driven organization that publishes a list called the OWASP Top 10, highlighting the most critical security risks for web applications. These include issues like injection, identification and authentication failures, cryptographic failures (formerly called sensitive data exposure), and more. Checking our app against the list protects it from the most widespread threats, though not from every flaw; authorization logic, for instance, still needs review. Additionally, OWASP has developed a specialized Top 10 list for Large Language Model (LLM) applications that focuses on AI-specific risks such as prompt injection, insecure output handling, and training data poisoning, helping developers secure AI-powered systems.

4. Json Web Token (JWT)

JWT, or JSON Web Token, is a compact, signed token format (RFC 7519) widely used for authentication in modern web apps. Instead of storing session data on the server, the server encodes the user's identity and permissions as claims in a token and signs it. After logging in, the user's client stores this token and sends it with each request. The server verifies the signature to authenticate the user without keeping session state. Two caveats follow from the design: the payload is only base64url-encoded, not encrypted, so anyone holding the token can read it and secrets must never go in it; and the token is only as trustworthy as the verification step, so the server must check the signature, pin the expected algorithm, and enforce the expiry claim on every request.

5. The JWT authentication flow in Cascade

JWT provides a robust, stateless way to authenticate users in our app. Here is the typical flow: a user logs in with their credentials, receives a signed JWT from our backend, stores it in the client (preferably in memory or an httpOnly cookie rather than localStorage, where any injected script could read it), and includes it in subsequent requests, usually as an Authorization: Bearer header. The server validates the token's signature and expiry on each request and reads identity and permissions from its claims.

6. JWT authentication in practice

In Windsurf, we define this JWT auth as an agentic workflow in YAML, specifying how to create login endpoints, generate tokens, and protect routes with authentication middleware. Let's go back to the news app we created in the previous video and add a JWT auth workflow. It will:
- Set up JSON Web Token authentication for the News App backend
- Create a login API endpoint
- Implement JSON Web Token validation middleware
- Secure the news-related API routes
- Integrate JSON Web Token auth in the News App frontend

7. Applying OWASP security checks

Windsurf continuously audits our application code against the OWASP Top 10 checklist. When it detects common vulnerabilities, like unvalidated user input, missing authentication, or exposed secrets, it flags these issues and can suggest or apply patches, such as adding input validation or strengthening auth checks. A scan like this catches recognizable patterns (string-built queries, hard-coded keys, unguarded routes); flaws in business logic and authorization still need a human review.

8. OWASP in practice

To implement these security checks in the React news app we created, we can define OWASP security checks in the same workflow where we defined the JWT auth. We open the file and add a YAML configuration that specifies two main stages: one that runs automated checks for common vulnerabilities (such as injection, unsafe secret storage, missing input validation, and brute-force risks on the login endpoint), and another that performs a final audit. The final audit stage verifies the login flow end to end, ensures protected routes block unauthorized access, and confirms that no OWASP findings remain. Running this workflow implements both the authentication and the security checks. Thanks to Windsurf's Cascade workflows, security and authentication become integral parts of our app development rather than an afterthought.
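Two of the checks listed above, missing input validation and brute-force risk on the login endpoint, come down to safeguards the audit stage expects to find in the code. Here is an added example of both, not code from the course or produced by Windsurf, using no external packages. The names (validateLoginBody, LoginThrottle, loginGuarded) are hypothetical, the throttle state is in memory (a multi-instance deployment would keep it in a shared store), and the authenticate callback stands in for the real password check.

```javascript
// Added example (not from the course or Windsurf): the input validation and the
// brute-force throttle an OWASP-style review of a login endpoint looks for.

// 1. Input validation: the body must be a JSON object with bounded string fields.
//    Rejecting non-strings blocks operator-injection payloads such as
//    { "username": { "$gt": "" } } that query builders would otherwise pass through.
function validateLoginBody(body) {
  if (!body || typeof body !== 'object' || Array.isArray(body)) return { ok: false, error: 'body must be an object' };
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') return { ok: false, error: 'username and password must be strings' };
  if (username.length < 1 || username.length > 64) return { ok: false, error: 'username length out of range' };
  if (password.length < 8 || password.length > 256) return { ok: false, error: 'password length out of range' };
  if (!/^[A-Za-z0-9._@-]+$/.test(username)) return { ok: false, error: 'username contains disallowed characters' };
  return { ok: true, username, password };
}

// 2. Brute-force throttle: after maxFailures failed attempts for one (client IP, username)
//    pair inside windowMs, further attempts are refused until the window slides past.
//    Keying on both limits password guessing against one account and credential stuffing
//    from one source, without letting an attacker lock everyone out of an account.
class LoginThrottle {
  constructor(maxFailures = 5, windowMs = 15 * 60 * 1000) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // key -> timestamps (ms) of recent failures
  }
  _recent(key, now) {
    return (this.failures.get(key) || []).filter((t) => now - t < this.windowMs);
  }
  isBlocked(key, now = Date.now()) {
    return this._recent(key, now).length >= this.maxFailures;
  }
  recordFailure(key, now = Date.now()) {
    const recent = this._recent(key, now);
    recent.push(now);
    this.failures.set(key, recent);
  }
  reset(key) {
    this.failures.delete(key);
  }
}

// The guarded login handler: validate first, then throttle, then authenticate.
// Failures are counted only after validation so malformed junk cannot be used to lock
// a victim out; a successful login clears the counter for that key.
function loginGuarded(body, clientIp, authenticate, throttle, now = Date.now()) {
  const v = validateLoginBody(body);
  if (!v.ok) return { status: 400, body: { error: v.error } };
  const key = `${clientIp}|${v.username.toLowerCase()}`;
  if (throttle.isBlocked(key, now)) return { status: 429, body: { error: 'too many attempts, try again later' } };
  if (!authenticate(v.username, v.password)) {
    throttle.recordFailure(key, now);
    return { status: 401, body: { error: 'invalid credentials' } };
  }
  throttle.reset(key);
  return { status: 200, body: { ok: true } };
}
```

The audit stage's "brute force" check is then a behavioural one: with a throttle of N failures, the (N+1)th attempt must return 429 even when the password is correct, a different client IP must be unaffected, and the block must lift once the window expires.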

9. Let's practice!

And now, let's practice!
