Hapi 17 was recently released, and brings an exciting change — in an effort to drive adoption of async/await, the entire codebase replaced callbacks with the newer language feature.

This makes for some changes to how you configure your application. The intent of this post is to get you up and running as quickly as possible.


We like to shorten long words. It saves us a little time talking, or a little time typing, and in meetings we can sound like we’re a real big shot because we use the shortened form.

However, there are times when this predilection for brevity can harm us and the understanding we have, or the understanding we convey.

Let’s take a look at two concepts from the field of Application Security to demonstrate the danger:

Authentication and Authorization.

Think back to the last time someone in your organization was speaking on the issue of handling users and their access to…
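The distinction the two words carry, as an added example in Node.js that is not from the original post: authentication answers "who is calling?", authorization answers "may this caller do this to this resource?", and a handler that stops after the first question is the shortcut the shortened word invites. The session tokens, users, roles and orders are constructed in-memory data, and the request shape (`headers.authorization`, `params.id`) is an assumption.

```javascript
// Added example, not code from the original post. All data below is
// constructed in memory; the request shape is assumed.
const SESSIONS = new Map([['tok-alice', 'alice'], ['tok-bob', 'bob']]);
const USERS = {
  alice: { roles: ['customer'] },
  bob: { roles: ['customer', 'support'] },
};
const ORDERS = {
  1001: { owner: 'alice', item: 'Spam Musubi' },
  1002: { owner: 'carol', item: 'Spam Fritters' },
};

// Authentication: establish WHO is calling. Returns a user id or null.
// It says nothing about what that user is allowed to do.
function authenticate(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const [scheme, token] = header.split(' ');
  if (scheme !== 'Bearer' || !token) return null;
  return SESSIONS.get(token) || null;
}

// Authorization: given an already-identified user, may they perform
// `action` on `order`? Owners may do anything to their own orders;
// support staff may read (but not cancel) anyone's.
function authorize(userId, action, order) {
  const user = USERS[userId];
  if (!user) return false;
  if (order.owner === userId) return true;
  if (action === 'read' && user.roles.includes('support')) return true;
  return false;
}

// Correct handler: both questions asked, and the response says which failed
// (401 = not authenticated, 403 = authenticated but not authorised).
function handleOrder(req, action) {
  const userId = authenticate(req);
  if (!userId) return { status: 401 };
  const order = ORDERS[req.params.id];
  if (!order) return { status: 404 };
  if (!authorize(userId, action, order)) return { status: 403 };
  return { status: 200, order };
}
function getOrder(req) { return handleOrder(req, 'read'); }
function cancelOrder(req) { return handleOrder(req, 'cancel'); }

// The shortcut: "is the caller logged in?" treated as the whole of "auth".
// Any authenticated user can read any order.
function getOrderAuthOnly(req) {
  const userId = authenticate(req);
  if (!userId) return { status: 401 };
  const order = ORDERS[req.params.id];
  return order ? { status: 200, order } : { status: 404 };
}
```

Run `getOrder` and `getOrderAuthOnly` with Alice's token against order 1002 (owned by Carol): the first returns 403, the second hands the order over. Both handlers "do auth"; only one does authorization.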


Dependency management is a thankless task, and one that can easily get out of control in a modern JavaScript project. Consider the need and desire to standardize dependency versions across a large number of modules in a large organization and it’s usually not long before you’re banging your head against the wall.

Progress is awesome. It’s especially awesome when it comes to build tools, transpilers, test runners and the like — we are advancing at a great rate. …


Firstly, this was a tricky one to title. To clear up any confusion, and perhaps save you some time, this is not about helping engineers understand User Experience (UX).

This piece is about spending a little time on your developer-facing software to make it friendly to the end-user: the engineer.

Out of necessity, and because the research-backed results justify it, it's no surprise that we take great care when developing software for an end-user. Often that end-user is not especially tech-savvy, and in most cases is less tech-savvy than the person or persons responsible for creating the software.


I recently contributed to a repository that had a well established CHANGELOG, Migration Guide and README.

The circumstances of the contribution arose from an urgent need for a fix that was impacting multiple consumers, so I was in a rush and had a tight deadline, but I took the extra few moments to update all three documents. Because they existed and were so well maintained, I wasn't going to be the one who cut corners and ruined it.

Broken Window Theory in play here, of sorts — if you maintain good, precise documentation, contributors to your repository are more likely to contribute to that documentation too.

A great experience, and one I hope repository maintainers will make the norm.


So far we’ve tackled Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi) and Spammers.

If you missed any, start with the introduction to get caught up. Lastly, we’ll look at an operational issue, Denial of Service (DoS), and its distributed variant, Distributed Denial of Service (DDoS).

What?

An attempt to make your app or service inaccessible or unusable by overwhelming it with bogus requests or connections, so that it can no longer serve legitimate ones.

The Distributed part means that instead of the attack coming from a single source (easily blocked and mitigated against), the attack comes from a huge number of sources…
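Why the single-source case is "easily blocked" and the distributed one is not, as an added example in Node.js (not code from the original post): a per-source token-bucket limiter is run over two constructed request logs with the same total rate. The limits (a burst of 5, then one request per second per source) and the `{ ip, t }` request shape are assumptions chosen for the demonstration; no real traffic is involved.

```javascript
// Added example, not code from the original post. Limits and request logs
// are constructed for the demonstration.
const LIMITS = { capacity: 5, refillEveryMs: 1000 };

class TokenBucketLimiter {
  constructor({ capacity, refillEveryMs }) {
    this.capacity = capacity;
    this.refillEveryMs = refillEveryMs;
    this.buckets = new Map(); // source key -> { tokens, refilledAt }
  }

  // Decide whether a request from `key` at time `nowMs` may proceed.
  // Integer arithmetic throughout, so results are exact and repeatable.
  allow(key, nowMs) {
    let bucket = this.buckets.get(key);
    if (!bucket) {
      bucket = { tokens: this.capacity, refilledAt: nowMs };
      this.buckets.set(key, bucket);
    }
    const refills = Math.floor((nowMs - bucket.refilledAt) / this.refillEveryMs);
    if (refills > 0) {
      bucket.tokens = Math.min(this.capacity, bucket.tokens + refills);
      bucket.refilledAt += refills * this.refillEveryMs;
    }
    if (bucket.tokens > 0) {
      bucket.tokens -= 1;
      return true;
    }
    return false;
  }
}

// Feed a request log through a fresh limiter and summarise the outcome.
function runThroughLimiter(requests, limits = LIMITS) {
  const limiter = new TokenBucketLimiter(limits);
  const throttled = new Set();
  const summary = { allowed: 0, rejected: 0, throttledSources: 0 };
  for (const req of requests) {
    if (limiter.allow(req.ip, req.t)) {
      summary.allowed += 1;
    } else {
      summary.rejected += 1;
      throttled.add(req.ip);
    }
  }
  summary.throttledSources = throttled.size;
  return summary;
}

// Two constructed floods with the same total rate: one request every 10 ms.
// DoS: every request comes from one address (TEST-NET-3 documentation range).
function singleSourceFlood(n) {
  return Array.from({ length: n }, (_, i) => ({ ip: '203.0.113.7', t: i * 10 }));
}
// DDoS: every request comes from a different address, none individually noisy
// (valid for n <= 256; TEST-NET-2 documentation range).
function distributedFlood(n) {
  return Array.from({ length: n }, (_, i) => ({ ip: `198.51.100.${i}`, t: i * 10 }));
}

console.log('single source:', runThroughLimiter(singleSourceFlood(200)));
console.log('distributed:  ', runThroughLimiter(distributedFlood(200)));
```

With 200 requests over two seconds, the single-source flood gets 6 through and has its address throttled after the first burst; the distributed flood of identical size and rate gets all 200 through and never trips the limiter, because no single bucket is ever drained. That gap is the whole reason the Distributed part matters: per-source throttling is the cheap defence, and spreading the load across many sources is how attackers sidestep it.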


So far we’ve tackled Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL Injection (SQLi). If you missed any, start with the introduction to get caught up. Next, we’ll look at the threat of unsolicited mail.

What?

Those nasty people that send you emails suggesting you need online dating sites, prescription meds without the prescription, or offering you the once-in-a-lifetime chance to become a millionaire just by allowing the use of your bank account to harbor vast fortunes of Nigerian princes who seem to be fleeing their country at an astonishing rate.

As a sidenote, Nigeria is a…


I made a request on Twitter earlier today, offering to answer questions from new or junior engineers coming in to the industry. My reasoning was that over the years I’ve had the good fortune to have had many great engineers and managers to learn from, and I want to be better at helping out those getting started with questions they have. Here’s my response to one reply:

Share your code and invite review

At various early points in my career, I had the good fortune to join teams with exceptional engineers around me. (This continues to happen to me and is very true today, I…


I made a request on Twitter earlier today, offering to answer questions from new or junior engineers coming in to the industry. My reasoning was that over the years I’ve had the good fortune to have had many great engineers and managers to learn from, and I want to be better at helping out those getting started with questions they have. Here’s my response to one reply:

#1: Stay the course

Life as an engineer can be frustrating. …


We’re roughly halfway through this series on basic security steps for startups to take. After introducing the series, we covered Cross-Site Scripting (XSS) and then Cross-Site Request Forgery (CSRF).

SQLi — SQL Injection

What?

SQL injection vulnerabilities let an attacker alter the SQL query your app runs, so that it performs an action you never intended.

Real Example

Imagine we have a search page in our app. Here, we’re allowing people to search for types of food replaced by SPAM in Insta-SPAM.

<form action="/search" method="POST">
<input type="text" name="term">
<button type="submit">Search</button>
</form>

And in our form submission controller, we have this:

$term = $_POST["term"]; $sql = "SELECT…
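The same search rebuilt in Node.js, as an added example that is not code from the original post: the vulnerable concatenation beside its parameterised replacement, plus a small helper that reduces a statement to its "shape" so you can see exactly when a search term stops being a value and starts being SQL. No database driver is used; the functions only return the statement a driver would receive. The `foods` table, its columns and the `?` placeholder style (as used by the mysql and mysql2 drivers) are assumptions, and the sample terms are constructed.

```javascript
// Added example, not code from the original post. Table, columns, placeholder
// style and sample terms are assumptions constructed for the demonstration.

// Vulnerable: the raw term is pasted into the SQL text, the same pattern as
// the PHP controller above.
function buildSearchUnsafe(term) {
  return "SELECT name, price FROM foods WHERE name LIKE '%" + term + "%'";
}

// Fixed: the SQL text is a constant and the term travels as a bound
// parameter. Whatever it contains, it can only ever be compared as a value.
function buildSearchSafe(term) {
  return {
    sql: 'SELECT name, price FROM foods WHERE name LIKE ?',
    params: ['%' + term + '%'],
  };
}

// Reduce a statement to its shape: line comments stripped, every single-quoted
// literal collapsed to a placeholder, whitespace normalised. Two statements
// with the same shape run the same logic and differ only in the values compared.
function queryShape(sql) {
  return sql
    .replace(/--[^\n]*/g, '')          // '--' is the attacker's favourite terminator
    .replace(/'(?:[^']|'')*'/g, '?')   // '...' literals, with '' as an escaped quote
    .replace(/\s+/g, ' ')
    .trim();
}

// Does this term change the logic of the unsafe query, compared with a plain
// word? True means the input has broken out of the string literal.
function termRewritesUnsafeQuery(term) {
  return queryShape(buildSearchUnsafe(term)) !== queryShape(buildSearchUnsafe('spam'));
}

// Constructed inputs: an honest search, an honest name with an apostrophe
// (which breaks the unsafe query without any malice), and two classic payloads.
const SAMPLE_TERMS = {
  honest: 'spam',
  apostrophe: "O'Brien",
  tautology: "' OR '1'='1' --",
  union: "%' UNION SELECT username, password FROM users --",
};

// Compare the two builders over every sample term.
function report() {
  const out = {};
  for (const [name, term] of Object.entries(SAMPLE_TERMS)) {
    out[name] = {
      unsafeShape: queryShape(buildSearchUnsafe(term)),
      rewritten: termRewritesUnsafeQuery(term),
      safeShape: queryShape(buildSearchSafe(term).sql),
    };
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

For the tautology payload the unsafe builder's shape becomes `SELECT name, price FROM foods WHERE name LIKE ? OR ?=?`, which matches every row; the UNION payload turns a food search into a read of the `users` table; even `O'Brien` leaves a dangling quote and a broken statement. The parameterised builder's shape is identical for all four inputs, which is the property you want: user input should never be able to change the shape of a query, only the values it compares.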

Dave Stevens

Software Engineer @WalmartLabs / javascript / node.js / react.js / hapi.js http://dstevens.io
