Data Encoding Fundamentals
Data encoding is the process of converting data from one format to another to ensure safe transmission, storage, and processing. Understanding different encoding schemes and their appropriate use cases is crucial for secure data handling.
π Common Encoding Types
π§ Base64 Encoding
Convert binary data to text format
// JavaScript Base64 encoding/decoding
const originalString = "Hello, World! π";
// Encoding
const encoded = btoa(originalString);
console.log(encoded); // "SGVsbG8sIFdvcmxkISDwn5iB"
// Decoding
const decoded = atob(encoded);
console.log(decoded); // "Hello, World! π"
// For Unicode strings
const utf8Bytes = new TextEncoder().encode(originalString);
const base64 = btoa(String.fromCharCode(...utf8Bytes));
const decodedBytes = Uint8Array.from(atob(base64), c => c.charCodeAt(0));
const decodedString = new TextDecoder().decode(decodedBytes);Use Cases:
- Embedding binary data in text formats (JSON, XML)
- Basic obfuscation (not encryption)
- Data URIs for images
- HTTP Basic Authentication
Security Note:
Base64 is encoding, not encryption. It provides no security benefits.
π’ Hexadecimal Encoding
Convert bytes to hexadecimal representation
// Convert string to hex
function stringToHex(str) {
return Array.from(str)
.map(char => char.charCodeAt(0).toString(16).padStart(2, '0'))
.join('');
}
// Convert hex back to string
function hexToString(hex) {
const bytes = [];
for (let i = 0; i < hex.length; i += 2) {
bytes.push(parseInt(hex.substr(i, 2), 16));
}
return String.fromCharCode(...bytes);
}
// Usage
const original = "Hello";
const hex = stringToHex(original);
console.log(hex); // "48656c6c6f"
const back = hexToString(hex);
console.log(back); // "Hello"
// ArrayBuffer to hex
function arrayBufferToHex(buffer) {
return Array.from(new Uint8Array(buffer))
.map(byte => byte.toString(16).padStart(2, '0'))
.join('');
}Use Cases:
- Displaying binary data in logs
- Hash representations (MD5, SHA-256)
- Color codes in CSS/HTML
- Memory addresses and debugging
π URL Encoding
Encode data for safe URL transmission
// JavaScript URL encoding
const data = "Hello World & Special Characters!";
// encodeURIComponent (for URL components)
const encoded = encodeURIComponent(data);
console.log(encoded); // "Hello%20World%20%26%20Special%20Characters%21"
// encodeURI (for complete URLs)
const url = "https://example.com/search?q=" + encodeURIComponent("node.js & react");
console.log(url);
// Decoding
const decoded = decodeURIComponent(encoded);
console.log(decoded); // "Hello World & Special Characters!"
// Manual URL encoding
function customUrlEncode(str) {
return str.replace(/[^a-zA-Z0-9]/g, char => {
return '%' + char.charCodeAt(0).toString(16).toUpperCase();
});
}
// Handle special characters properly
function safeUrlEncode(obj) {
return Object.keys(obj).map(key => {
return encodeURIComponent(key) + '=' + encodeURIComponent(obj[key]);
}).join('&');
}Use Cases:
- Query parameters in URLs
- Form data submission
- API endpoints with special characters
- Preventing URL injection attacks
π HTML Entity Encoding
Encode HTML special characters
// HTML entity encoding
function htmlEncode(str) {
const entityMap = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": ''',
'/': '/',
'`': '`',
'=': '='
};
return str.replace(/[&<>"'`=]/g, char => entityMap[char]);
}
// Usage
const userInput = '';
const safeHtml = htmlEncode(userInput);
console.log(safeHtml); // "<script>alert("XSS")</script>"
// Decoding
function htmlDecode(str) {
const entityMap = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
''': "'",
'/': '/',
'`': '`',
'=': '='
};
return str.replace(/&[a-zA-Z0-9#]+;/g, entity => entityMap[entity] || entity);
}Use Cases:
- Preventing XSS attacks
- Displaying user-generated content
- HTML attribute values
- JSON in HTML contexts
Cryptography Basics
π Cryptographic Concepts
Understanding the fundamental concepts of cryptography is essential for implementing secure data handling.
π Symmetric Encryption
Same key for encryption and decryption
const crypto = require('crypto');
// AES-256 encryption
function encrypt(text, key) {
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipher('aes-256-cbc', key);
let encrypted = cipher.update(text, 'utf8', 'hex');
encrypted += cipher.final('hex');
return {
iv: iv.toString('hex'),
encryptedData: encrypted
};
}
function decrypt(encrypted, key, iv) {
const decipher = crypto.createDecipher('aes-256-cbc', key);
decipher.setAutoPadding(false);
let decrypted = decipher.update(encrypted, 'hex', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
}
// Usage
const key = crypto.randomBytes(32); // 256-bit key
const data = "Sensitive information";
const encrypted = encrypt(data, key);
console.log("Encrypted:", encrypted);
const decrypted = decrypt(encrypted.encryptedData, key, encrypted.iv);
console.log("Decrypted:", decrypted);Algorithms:
- AES (Advanced Encryption Standard)
- DES (Data Encryption Standard)
- 3DES (Triple DES)
- ChaCha20
π Asymmetric Encryption
Public key for encryption, private key for decryption
const crypto = require('crypto');
// Generate key pair
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 2048,
publicKeyEncoding: {
type: 'spki',
format: 'pem'
},
privateKeyEncoding: {
type: 'pkcs8',
format: 'pem'
}
});
// Encrypt with public key
function encryptWithPublicKey(data, publicKey) {
return crypto.publicEncrypt(
{
key: publicKey,
padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
oaepHash: "sha256"
},
Buffer.from(data)
).toString('base64');
}
// Decrypt with private key
function decryptWithPrivateKey(encryptedData, privateKey) {
return crypto.privateDecrypt(
{
key: privateKey,
padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
oaepHash: "sha256"
},
Buffer.from(encryptedData, 'base64')
).toString();
}
// Usage
const message = "Secret message";
const encrypted = encryptWithPublicKey(message, publicKey);
const decrypted = decryptWithPrivateKey(encrypted, privateKey);
console.log("Original:", message);
console.log("Decrypted:", decrypted);Use Cases:
- Digital signatures
- Key exchange protocols
- SSL/TLS certificates
- Secure communication
π Hashing
One-way functions for data integrity and passwords
const crypto = require('crypto');
// Simple hashing
function hashData(data, algorithm = 'sha256') {
return crypto.createHash(algorithm).update(data).digest('hex');
}
// Password hashing with salt
function hashPassword(password) {
const salt = crypto.randomBytes(16).toString('hex');
const hash = crypto.pbkdf2Sync(password, salt, 1000, 64, 'sha512').toString('hex');
return { salt, hash };
}
function verifyPassword(password, salt, hash) {
const verifyHash = crypto.pbkdf2Sync(password, salt, 1000, 64, 'sha512').toString('hex');
return hash === verifyHash;
}
// HMAC for integrity verification
function createHMAC(data, key, algorithm = 'sha256') {
return crypto.createHmac(algorithm, key).update(data).digest('hex');
}
function verifyHMAC(data, key, hmac, algorithm = 'sha256') {
const computed = createHMAC(data, key, algorithm);
return crypto.timingSafeEqual(
Buffer.from(hmac, 'hex'),
Buffer.from(computed, 'hex')
);
}
// Usage
const data = "Important data";
const password = "userPassword123";
console.log("SHA-256:", hashData(data));
console.log("Password hash:", hashPassword(password));
// HMAC usage
const key = crypto.randomBytes(32);
const hmac = createHMAC(data, key);
console.log("HMAC valid:", verifyHMAC(data, key, hmac));Algorithms:
- SHA-256, SHA-512 (secure hashing)
- MD5, SHA-1 (deprecated for security)
- bcrypt, scrypt, PBKDF2 (password hashing)
- HMAC (integrity verification)
β¨ Cryptography Best Practices
π Key Management
- Use cryptographically secure random number generators
- Store keys securely (never in code or version control)
- Rotate keys regularly
- Use different keys for different purposes
- Implement proper key lifecycle management
π Algorithm Selection
- Use AES-256 for symmetric encryption
- Use RSA-2048 or ECC for asymmetric encryption
- Use SHA-256 or higher for hashing
- Avoid deprecated algorithms (MD5, SHA-1, DES)
- Stay updated with current security recommendations
π‘οΈ Secure Implementation
- Use established cryptographic libraries
- Implement proper error handling
- Validate all inputs before processing
- Use constant-time comparison functions
- Implement proper padding schemes
Secure Data Handling
π‘οΈ Data Protection Strategies
Implement comprehensive data protection throughout the data lifecycle.
π₯ Input Validation & Sanitization
Validate and clean all input data
// Input validation library
const validator = require('validator');
// User input validation
function validateUserInput(input) {
const errors = [];
// Email validation
if (!validator.isEmail(input.email)) {
errors.push("Invalid email format");
}
// Password strength
if (!validator.isStrongPassword(input.password, {
minLength: 8,
minLowercase: 1,
minUppercase: 1,
minNumbers: 1,
minSymbols: 1
})) {
errors.push("Password does not meet requirements");
}
// SQL injection prevention
if (/ maxSize) {
throw new Error("File too large");
}
// Check for malicious content
if (file.buffer.includes(Buffer.from(' π Data Encryption at Rest
Encrypt sensitive data in databases and storage
// Database field encryption
const sequelize = require('sequelize');
const User = sequelize.define('User', {
email: {
type: Sequelize.STRING,
allowNull: false,
set(value) {
// Encrypt email before storing
this.setDataValue('email', encrypt(value, process.env.DB_ENCRYPTION_KEY));
},
get() {
// Decrypt email when retrieving
const encrypted = this.getDataValue('email');
return decrypt(encrypted, process.env.DB_ENCRYPTION_KEY);
}
},
ssn: {
type: Sequelize.STRING,
set(value) {
// Hash SSN for privacy (one-way)
this.setDataValue('ssn', hashData(value));
}
}
});
// File encryption
const fs = require('fs');
const crypto = require('crypto');
async function encryptFile(inputPath, outputPath, key) {
const input = fs.createReadStream(inputPath);
const output = fs.createWriteStream(outputPath);
const cipher = crypto.createCipher('aes-256-cbc', key);
input.pipe(cipher).pipe(output);
return new Promise((resolve, reject) => {
output.on('finish', resolve);
output.on('error', reject);
});
}
async function decryptFile(inputPath, outputPath, key) {
const input = fs.createReadStream(inputPath);
const output = fs.createWriteStream(outputPath);
const decipher = crypto.createDecipher('aes-256-cbc', key);
input.pipe(decipher).pipe(output);
return new Promise((resolve, reject) => {
output.on('finish', resolve);
output.on('error', reject);
});
}π Data Encryption in Transit
Secure data transmission with TLS/SSL
// HTTPS configuration
const https = require('https');
const fs = require('fs');
const options = {
key: fs.readFileSync('private-key.pem'),
cert: fs.readFileSync('certificate.pem'),
ca: fs.readFileSync('ca-bundle.pem'),
// Security options
secureProtocol: 'TLSv1_2_method',
ciphers: 'ECDHE-RSA-AES128-GCM-SHA256:!RC4:!MD5:!DSS',
honorCipherOrder: true,
requestCert: false,
rejectUnauthorized: false
};
const server = https.createServer(options, (req, res) => {
res.writeHead(200);
res.end("Secure connection established");
});
// API client with certificate pinning
const axios = require('axios');
const httpsAgent = new https.Agent({
rejectUnauthorized: true,
// Certificate pinning
checkServerIdentity: (host, cert) => {
const expectedFingerprint = 'AA:BB:CC:DD:EE:FF...';
const actualFingerprint = cert.fingerprint256;
if (actualFingerprint !== expectedFingerprint) {
throw new Error('Certificate fingerprint mismatch');
}
}
});
const client = axios.create({
httpsAgent,
timeout: 5000
});π·οΈ Data Classification & Handling
Classify data based on sensitivity and apply appropriate protection measures.
π’ Public Data
Data that can be freely shared
- Marketing materials
- Public API responses
- Published blog posts
- Basic encoding (Base64 for binary data)
π‘ Internal Data
Data for internal use only
- Employee information
- Business metrics
- Internal communications
- Basic access controls
π Confidential Data
Data requiring strict protection
- Customer PII
- Financial information
- Medical records
- Encryption at rest and in transit
- Access logging and monitoring
π΄ Restricted Data
Highly sensitive data with legal requirements
- SSN, passport numbers
- Credit card information
- Legal documents
- Strong encryption (AES-256)
- Tokenization or masking
- Compliance with regulations (GDPR, HIPAA, PCI-DSS)
API Testing & Debugging
π§ͺ API Testing Strategies
Comprehensive testing ensures your API works correctly and reliably.
π§ Unit Testing
Test individual API components
const request = require('supertest');
const app = require('../app');
describe('GET /api/users', () => {
it('should return all users', async () => {
const response = await request(app)
.get('/api/users')
.expect(200)
.expect('Content-Type', /json/);
expect(Array.isArray(response.body.data)).toBe(true);
expect(response.body.data.length).toBeGreaterThan(0);
});
it('should filter users by status', async () => {
const response = await request(app)
.get('/api/users?status=active')
.expect(200);
response.body.data.forEach(user => {
expect(user.status).toBe('active');
});
});
});π Integration Testing
Test API interactions with external services
// Test with mocked external services
const nock = require('nock');
describe('Payment API Integration', () => {
it('should process payment successfully', async () => {
// Mock payment service
nock('https://api.paymentgateway.com')
.post('/charge')
.reply(200, {
transactionId: 'txn_123',
status: 'success'
});
const response = await request(app)
.post('/api/payments')
.send({
amount: 100,
cardToken: 'tok_123'
})
.expect(200);
expect(response.body.transactionId).toBe('txn_123');
expect(response.body.status).toBe('success');
});
});π End-to-End Testing
Test complete user workflows
// E2E test with real browser
const puppeteer = require('puppeteer');
describe('User Registration Flow', () => {
let browser;
let page;
beforeAll(async () => {
browser = await puppeteer.launch();
page = await browser.newPage();
});
afterAll(async () => {
await browser.close();
});
it('should register new user successfully', async () => {
await page.goto('http://localhost:3000/register');
await page.type('#name', 'John Doe');
await page.type('#email', 'john@example.com');
await page.type('#password', 'password123');
await page.click('#register-btn');
await page.waitForSelector('.success-message');
const successMessage = await page.$eval('.success-message', el => el.textContent);
expect(successMessage).toContain('Registration successful');
});
});π API Debugging Tools
Essential tools for debugging and monitoring API issues.
π¬ Postman
API testing and development tool
- Request/response inspection
- Automated testing
- Environment management
- API documentation generation
π Charles Proxy / Fiddler
HTTP debugging proxy
- Request/response interception
- Traffic analysis
- SSL certificate inspection
- Performance monitoring
π API Monitoring Tools
Monitor API performance and errors
- New Relic APM
- DataDog
- Application Insights
- Custom logging solutions
π¨ Error Handling & Monitoring
Implement robust error handling and monitoring for production APIs.
π Structured Error Responses
// Consistent error response format
class APIError extends Error {
constructor(code, message, statusCode = 500, details = null) {
super(message);
this.code = code;
this.statusCode = statusCode;
this.details = details;
this.timestamp = new Date().toISOString();
}
}
// Error handling middleware
app.use((error, req, res, next) => {
// Log error
console.error('API Error:', {
message: error.message,
stack: error.stack,
url: req.url,
method: req.method,
timestamp: new Date().toISOString()
});
// Send structured error response
const statusCode = error.statusCode || 500;
const errorResponse = {
error: {
code: error.code || 'INTERNAL_ERROR',
message: error.message,
details: error.details,
timestamp: error.timestamp || new Date().toISOString()
}
};
// Include stack trace in development
if (process.env.NODE_ENV === 'development') {
errorResponse.error.stack = error.stack;
}
res.status(statusCode).json(errorResponse);
});π Health Checks & Monitoring
// Health check endpoint
app.get('/health', async (req, res) => {
const health = {
status: 'healthy',
timestamp: new Date().toISOString(),
uptime: process.uptime(),
checks: {}
};
try {
// Database check
await db.query('SELECT 1');
health.checks.database = 'healthy';
} catch (error) {
health.checks.database = 'unhealthy';
health.status = 'unhealthy';
}
try {
// External API check
await axios.get('https://external-api.com/health');
health.checks.externalAPI = 'healthy';
} catch (error) {
health.checks.externalAPI = 'unhealthy';
health.status = 'degraded';
}
const statusCode = health.status === 'healthy' ? 200 :
health.status === 'degraded' ? 200 : 503;
res.status(statusCode).json(health);
});
// Metrics collection
const responseTime = require('response-time');
app.use(responseTime((req, res, time) => {
// Log response time
console.log(`${req.method} ${req.url} took ${time}ms`);
// Send to monitoring service
monitoring.histogram('api_response_time', time, {
method: req.method,
endpoint: req.route?.path || req.url
});
}));Panda Core Security Tools
Data Security Tools Suite
π Base64 Encoder/Decoder
Safe Base64 conversion for text and files with client-side processing for maximum security and data encoding validation.
100% Secure
Multi-Format
WebWorker
π‘οΈ Password Security Checker
Analyze password strength and security with detailed feedback and improvement suggestions for secure data handling.
Security Score
Analysis
Tips
π MD5/SHA1 Hash Generator
Generate secure MD5 and SHA1 hashes for data integrity verification and cryptographic applications in security testing.
Fast
File Support
Verify