# Backend Service Security Guides by Stack

> **Intro:** Different stacks fail in different ways. The goal here is not to be exhaustive. It is to give reviewers and engineers a short list of defaults and recurring mistakes that matter most.
>
> **What this page includes**
>
> * high-value guidance for Node.js, Python, Java, Go, and .NET services
> * what to check during code review
> * where authorization and configuration mistakes usually hide
> * stack-specific anti-patterns

## Node.js / Express / NestJS

Focus on:

* schema validation at boundaries;
* avoiding implicit trust in request headers;
* strict secret and config handling;
* avoiding broad middleware that weakens auth for “internal” routes;
* SSRF-prone helper endpoints, dependency trust, and event-loop abuse.

Read next: [Node.js Server Security — Practical Guide and Review Map](/application-security-and-secure-sdlc/index-4/nodejs-server-security-and-review-guide.md)

## Python / Django / FastAPI

Focus on:

* ORM safety and serializer exposure;
* admin interface hardening;
* dependency pinning and worker/async task auth;
* background task authorization and file handling.

## Java / Spring Boot

Focus on:

* method-level authorization where route-only checks are not enough;
* actuator and management endpoint exposure;
* secure defaults for deserialization, validation, and outbound client auth;
* multiple `SecurityFilterChain` scope and fallback behavior.

Read next: [Spring Boot and Spring Security — Practical Guide](/application-security-and-secure-sdlc/index-4/spring-boot-and-spring-security-practical-guide.md)

## Go services

Focus on:

* explicit input validation and auth middleware order;
* safe HTTP client defaults and timeout behavior;
* avoiding accidental privilege in internal admin endpoints.

## .NET / ASP.NET Core

Focus on:

* policy-based authorization design;
* data-protection key handling;
* secure cookie and identity configuration;
* safe file and model-binding behavior.

## Review shortcut

For every stack, reviewers should ask:

* where is object-level authorization actually enforced?
* which debug, actuator, health, or admin endpoints exist?
* how are secrets and config loaded?
* what background jobs or async workers bypass the usual request path?
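The Go section above and this review checklist both come down to the same few questions: is the auth middleware wrapped around every route (including "internal" admin ones), is object-level authorization enforced in the handler rather than assumed from a successful login, and do outbound HTTP clients have bounded timeouts. The following is an added example, not code from this page or from any project it links; the document store, session table, `X-Session-Token` header and role map are constructed stand-ins for real infrastructure.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed sample data standing in for a database, a session store and a role table.
type Document struct{ ID, OwnerID, Body string }

var docs = map[string]Document{
	"doc-1": {"doc-1", "alice", "alice's notes"},
	"doc-2": {"doc-2", "bob", "bob's notes"},
}
var sessions = map[string]string{"tok-alice": "alice", "tok-bob": "bob"} // token -> user
var admins = map[string]bool{"alice": true}                               // explicit role grant

type ctxKey int

const userKey ctxKey = 0

// RequireAuth runs before routing: every handler behind it can rely on a resolved user.
func RequireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok := sessions[r.Header.Get("X-Session-Token")]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey, user)))
	})
}

// GetDocument enforces object-level authorization in the handler itself:
// being logged in is not enough, the caller must own the requested object.
func GetDocument(w http.ResponseWriter, r *http.Request) {
	user, _ := r.Context().Value(userKey).(string)
	doc, ok := docs[strings.TrimPrefix(r.URL.Path, "/docs/")]
	if !ok || doc.OwnerID != user {
		http.NotFound(w, r) // same answer for missing and foreign objects
		return
	}
	fmt.Fprint(w, doc.Body)
}

// AdminStatus is an "internal" endpoint: authentication alone grants nothing,
// the admin role is checked explicitly.
func AdminStatus(w http.ResponseWriter, r *http.Request) {
	user, _ := r.Context().Value(userKey).(string)
	if !admins[user] {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprint(w, "admin ok")
}

// NewRouter wraps the whole mux in RequireAuth, so a route registered later
// cannot accidentally land outside the auth middleware.
func NewRouter() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/docs/", GetDocument)
	mux.HandleFunc("/admin/status", AdminStatus)
	return RequireAuth(mux)
}

// NewOutboundClient bounds connect, TLS handshake, response-header and overall
// time, instead of http.DefaultClient's unbounded waits.
func NewOutboundClient() *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{
			DialContext:           (&net.Dialer{Timeout: 2 * time.Second}).DialContext,
			TLSHandshakeTimeout:   2 * time.Second,
			ResponseHeaderTimeout: 3 * time.Second,
		},
	}
}

// Serve drives the router in-process and returns the status code and trimmed body.
func Serve(token, path string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("X-Session-Token", token)
	}
	rec := httptest.NewRecorder()
	NewRouter().ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	cases := [][2]string{
		{"", "/docs/doc-1"}, {"tok-alice", "/docs/doc-1"}, {"tok-alice", "/docs/doc-2"},
		{"tok-bob", "/admin/status"}, {"tok-alice", "/admin/status"},
	}
	for _, c := range cases {
		code, body := Serve(c[0], c[1])
		fmt.Printf("%-9s %-15s -> %d %s\n", c[0], c[1], code, body)
	}
}
```

The point of `NewRouter` returning `RequireAuth(mux)` rather than wrapping individual handlers is that the review question "which admin endpoints exist, and are they behind auth?" has a single place to be answered; the point of the owner check living inside `GetDocument` is that a route-level check can never express "this user, this object".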

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*

