Ship secure apps.
Layer by layer.
A practical guide to web and mobile security — built around a single HTTP request.
Most security guides cover one vulnerability at a time.
That's not how attacks work.
Attacks exploit the gaps between layers — the places where your CDN assumptions end and your server begins, or where your auth check stops and your database query starts. Following a single HTTP request from browser to database is the only way to see every gap at once.
You're building your first app.
Security feels like a box to tick.
This guide is for developers shipping web and mobile apps — whether you're a solo builder moving fast or an experienced engineer who wants a systematic checklist for each layer. No security background required; no hand-waving either.
Follow the request.
Find the gaps.
Each section maps to one layer of the request lifecycle. Read in order for a complete picture, or jump straight to the layer you're working on.