Subtracks & Tasks
Authentication and Authorization
Implement JWT Authentication System
JWT (JSON Web Token) is a compact, self-contained token that proves identity without a server-side session store. The server signs the payload with a ...
Implement OAuth 2.0 Authorization Flow
OAuth 2.0 lets users grant third-party apps limited access to their account without sharing their password. The authorization code flow sends the user...
Implement Secure Session Management
Sessions store authentication state server-side. After login, the server creates a session record keyed by a random ID and sends that ID to the client...
Implement Role-Based Access Control (RBAC)
RBAC assigns permissions to roles and roles to users. A user can perform an action on a resource only if they hold a role that grants that permission....
Implement API Security Best Practices
API security is a set of layers: rate limiting prevents abuse, input validation rejects malformed data before it reaches business logic, parameterised...
Encryption at Rest and in Transit
Implement Symmetric Encryption
Symmetric encryption uses the same key to encrypt and decrypt. AES-256-GCM is the modern standard: it is both a cipher (confidentiality) and a MAC (in...
Implement Asymmetric Encryption (RSA)
Asymmetric encryption uses a mathematically linked key pair: anything encrypted with the public key can only be decrypted with the private key. This s...
Implement Cryptographic Hash Functions
Cryptographic hash functions map any input to a fixed-size digest. SHA-256 is fast and great for integrity checks, but too fast for passwords. Bcrypt ...
Implement Secure Key Management
Managing cryptographic keys is as important as the encryption itself. A KMS (Key Management System) generates data keys, wraps them with a master key ...
Implement End-to-End Encryption (E2EE)
End-to-end encryption ensures only the communicating parties can read messages — not the server, not the network. The X3DH protocol establishes a shar...
Prerequisites
It is recommended to complete the previous tracks before starting this one. Concepts build progressively throughout the curriculum.