Hi! I'm

Federico Calò

Software Developer | Technical Writer

I create modern web applications and custom digital tools to help businesses grow through technological innovation. My passion is combining computer science and economics to generate real value.

Contact Me

About Me

My passion for computer science was born at the Technical Commercial Institute of Maglie, where I discovered the power of programming and the fascination of creating digital solutions. From the start, I understood that computer science was not just code, but an extraordinary tool for turning ideas into reality.

During my studies in Business Information Systems, I began to interweave computer science and economics, understanding how technology can be the engine of growth for any business. This vision accompanied me to the University of Bari, where I obtained my degree in Computer Science, deepening my technical skills and passion for software development.

Today I put this experience at the service of businesses, professionals and startups, creating tailor-made digital solutions that automate processes, optimize resources and open new business opportunities. Because true innovation begins when technology meets the real needs of people.

My Skills

Data Analysis & Predictive Models

I transform data into strategic insights with in-depth analysis and predictive models for informed decisions

Process Automation

I create custom tools that automate repetitive operations and free up time for value-added activities

Custom Systems

I develop tailor-made software systems, from platform integrations to customized dashboards

const federico = {
  nome: "Federico Calò",
  ruolo: "Sviluppatore Software",
  città: "Bari, Italia",
  missione: "Aiutare attraverso l'informatica",
  passioni: [
    "Codice Pulito",
    "Innovazione",
    "Crescita Continua"
  ]
};

La Mia Missione

Credo fermamente che l'informatica sia lo strumento più potente per trasformare le idee in realtà e migliorare la vita delle persone.

Democratizzare la Tecnologia

La mia missione è rendere l'informatica accessibile a tutti: dalle piccole imprese locali alle startup innovative, fino ai professionisti che vogliono digitalizzare la propria attività. Ogni realtà merita di sfruttare le potenzialità del digitale.

Unire Informatica ed Economia

Non è solo questione di scrivere codice: è capire come la tecnologia possa generare valore reale. Intrecciando competenze informatiche e visione economica, aiuto le attività a crescere, ottimizzare processi e raggiungere nuovi traguardi di efficienza e redditività.

Creare Soluzioni su Misura

Ogni attività è unica, e così devono esserlo le soluzioni. Sviluppo strumenti personalizzati che rispondono alle esigenze specifiche di ciascun cliente, automatizzando processi ripetitivi e liberando tempo per ciò che conta davvero: far crescere il business.

Trasforma la Tua Attività con la Tecnologia

Che tu gestisca un negozio, uno studio professionale o un'azienda, posso aiutarti a sfruttare le potenzialità dell'informatica per lavorare meglio, più velocemente e in modo più intelligente.

Parliamone Insieme →

Join the Community

Join the developer community where we discuss software, AI, architecture and DevOps. Share ideas, ask questions and grow with us.

Channel

FC Dev Blog

Get notifications on new articles, complete series, weekly tips and featured tools. Bilingual IT/EN content directly in your Telegram.

New articles as they are published
Weekly tips and code snippets
Polls on future topics

Subscribe to Channel

Group

FC Dev Community

A bilingual IT/EN community for developers. Discussions, Q&A, mutual help and networking with other professionals.

Discussions on articles and technologies
Coding help and code review
Job opportunities and collaboration

Join the Group

Discussion Topics

View

Master SQL

RoadMap.sh

November 2024

View

Oracle Certified Foundations Associate

Oracle

October 2024

View

People Leadership Credential

Connect

September 2024

💻 Languages & Technologies

Java

Python

JavaScript

Angular

React

TypeScript

SQL

PHP

CSS/SCSS

Node.js

Docker

Git

💼

12/2024 - Present

Custom Software Engineering Analyst

Accenture

Bari, Puglia, Italy · Hybrid Analysis and development of computer systems through the use of Java and Quarkus in Health and Public Sector. Continuous training on modern technologies for creating customized and efficient software solutions and on agents.

💼

06/2022 - 12/2024

Software analyst and Back End Developer Associate Consultant

Links Management and Technology SpA

Experience analyzing as-is software systems and ETL flows using PowerCenter. Completed Spring Boot training for developing modern and scalable backend applications. Backend developer specialized in Spring Boot, with experience in database design, analysis, development and testing of assigned tasks.

💼

02/2021 - 10/2021

Software programmer

Adesso.it (prima era WebScience srl)

Experience in AS-IS and TO-BE analysis, SEO evolutions and website evolutions to improve user performance and engagement.

🎓

2018 - 2025

Degree in Computer Science

University of Bari Aldo Moro

Bachelor's degree in Computer Science, focusing on software engineering, algorithms, and modern development practices.

📚

2013 - 2018

Diploma - Corporate Information Systems

Technical Commercial Institute of Maglie

Technical diploma specializing in Business Information Systems, combining IT knowledge with business management.

Contattami

Hai un progetto in mente? Parliamone! Compila il form qui sotto e ti risponderò al più presto.

* Campi obbligatori. I tuoi dati saranno utilizzati solo per rispondere alla tua richiesta.

Security and JWT Authentication in Play The Event

Security is not an afterthought in Play The Event. From the very first sprint, the platform was built with a security-first mindset, implementing industry best practices for authentication, authorization, and data protection. When users trust you with their event data, personal information, and financial records, that trust must be earned through rigorous security engineering.

This article covers the complete security architecture: JWT-based authentication with HttpOnly cookies, stateless session management, token rotation, role-based access control (RBAC), security headers, rate limiting, password hashing, and OWASP compliance.

What You'll Learn

JWT authentication with HttpOnly cookies (why not localStorage)
Stateless session management and its trade-offs
Token rotation and refresh token strategy
Role-Based Access Control (RBAC) implementation
Security headers and CORS configuration
Rate limiting and brute force protection
BCrypt password hashing and OWASP compliance

JWT Authentication: HttpOnly Cookies

Play The Event uses JSON Web Tokens (JWT) for authentication, but with a critical distinction from many tutorials: tokens are stored in HttpOnly cookies, not in localStorage or sessionStorage.

Why Not localStorage?

Storing JWTs in localStorage makes them accessible to any JavaScript running on the page, including injected scripts from XSS attacks. An attacker who finds a single XSS vulnerability can steal every user's token. HttpOnly cookies are invisible to JavaScript, eliminating this entire attack vector.

Authentication Flow

AUTHENTICATION FLOW

1. LOGIN REQUEST
   POST /api/auth/login
   Body: { "email": "user@example.com", "password": "..." }

2. SERVER VALIDATES CREDENTIALS
   ├── Lookup user by email
   ├── Verify password with BCrypt
   ├── Check account status (active, not locked)
   └── Check failed attempt count

3. TOKEN GENERATION
   ├── Access Token (short-lived: 15 minutes)
   │   ├── Claims: userId, email, roles
   │   ├── Signed with HS512 secret
   │   └── Set in HttpOnly cookie
   ├── Refresh Token (long-lived: 7 days)
   │   ├── Claims: userId, tokenFamily
   │   ├── Signed with separate secret
   │   ├── Stored in database (hashed)
   │   └── Set in HttpOnly cookie
   └── CSRF Token
       └── Returned in response header

4. COOKIE CONFIGURATION
   Set-Cookie: access_token=eyJ...;
     HttpOnly; Secure; SameSite=Strict;
     Path=/api; Max-Age=900

   Set-Cookie: refresh_token=eyJ...;
     HttpOnly; Secure; SameSite=Strict;
     Path=/api/auth/refresh; Max-Age=604800

Token Structure

The JWT access token carries the minimum information needed for authorization decisions. Sensitive data is never stored in the token payload.

JWT Access Token Claims

{
  "sub": "550e8400-e29b-41d4-a716-446655440000",
  "email": "organizer@example.com",
  "roles": ["ROLE_USER", "ROLE_ORGANIZER"],
  "iat": 1706000000,
  "exp": 1706000900,
  "iss": "playtheevent.com"
}

Stateless Sessions

Play The Event uses stateless session management. The server does not maintain session state between requests. Every request is self-contained, carrying all necessary authentication information in the JWT cookie.

Spring Security Configuration

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http)
            throws Exception {
        return http
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf
                .csrfTokenRepository(
                    CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .cors(cors -> cors
                .configurationSource(corsConfigurationSource()))
            .addFilterBefore(jwtAuthFilter,
                UsernamePasswordAuthenticationFilter.class)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/**").permitAll()
                .requestMatchers("/api/public/**").permitAll()
                .requestMatchers("/api/admin/**")
                    .hasRole("ADMIN")
                .anyRequest().authenticated())
            .build();
    }
}

Stateless Benefits

Horizontal scaling without session replication
No server-side session storage needed
Each request is independently verifiable
Simplified load balancer configuration

Trade-offs

Token revocation requires additional mechanisms
Token size increases with claims
Clock synchronization becomes important
Refresh token rotation adds complexity

Token Rotation Strategy

To mitigate the risks of token theft, Play The Event implements a refresh token rotation strategy. Every time a refresh token is used, a new pair of access and refresh tokens is issued, and the old refresh token is invalidated.

Token Rotation Flow

TOKEN ROTATION FLOW

1. Access token expires (after 15 minutes)

2. Client sends refresh request
   POST /api/auth/refresh
   Cookie: refresh_token=eyJ...

3. Server validates refresh token
   ├── Verify signature
   ├── Check expiration
   ├── Lookup in database (is it still valid?)
   └── Verify token family

4. If valid:
   ├── Invalidate old refresh token in DB
   ├── Generate new access token (15 min)
   ├── Generate new refresh token (7 days)
   ├── Store new refresh token hash in DB
   └── Set new cookies

5. If REUSE DETECTED (token already used):
   ├── Invalidate ALL tokens in the family
   ├── Force logout on all devices
   ├── Log security event
   └── Return 401 Unauthorized

SECURITY: If an attacker steals a refresh token
and uses it AFTER the legitimate user, the reuse
detection triggers and protects the account.

Token Family Concept

A "token family" groups all refresh tokens that descend from a single login session. When reuse is detected (the same token used twice), the entire family is invalidated, forcing the user to log in again on all devices. This is a proactive defense against token theft.

Role-Based Access Control (RBAC)

Authorization in Play The Event operates on two levels: system-level roles and event-level roles. A user might be a regular user in the system but an organizer for a specific event.

Two-Level RBAC Model

RBAC MODEL

SYSTEM-LEVEL ROLES
├── ADMIN     → Full system access, user management
├── USER      → Standard user, can create events
└── GUEST     → Limited access, view public content

EVENT-LEVEL ROLES (per event)
├── OWNER      → Full event control, can delete
├── ORGANIZER  → Manage event, participants, budget
├── MODERATOR  → Check-in, participant management
├── PARTICIPANT→ View event, RSVP, expenses
└── GUEST      → View public information only

AUTHORIZATION CHECK FLOW:
1. JWT filter extracts system roles from token
2. Method-level security checks system roles
3. Event-specific endpoint checks event role
4. Both must pass for access to be granted

EXAMPLE:
  GET /api/events/{id}/participants
  ├── System role: USER (minimum)
  ├── Event role: MODERATOR+ (minimum)
  └── Result: 200 OK or 403 Forbidden

Event-Level Authorization Example

@PreAuthorize("hasRole('USER')")
@GetMapping("/events/{eventId}/participants")
public ResponseEntity<List<ParticipantDto>> getParticipants(
        @PathVariable UUID eventId,
        @AuthenticationPrincipal UserDetails user) {

    // Check event-level authorization
    eventAuthorizationService.requireRole(
        eventId,
        user.getUserId(),
        ParticipantRole.MODERATOR  // minimum role required
    );

    List<ParticipantDto> participants =
        getParticipantsQuery.execute(
            new GetParticipantsQuery(eventId));

    return ResponseEntity.ok(participants);
}

Security Headers

Play The Event configures comprehensive security headers to protect against common web vulnerabilities. These headers instruct the browser to enforce security policies on the client side.

Security Headers Configuration

SECURITY HEADERS

Content-Security-Policy:
  default-src 'self';
  script-src 'self';
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https:;
  font-src 'self';
  connect-src 'self' https://api.playtheevent.com

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()

Rate Limiting and Brute Force Protection

To protect against brute force attacks and abuse, Play The Event implements rate limiting at multiple levels.

      Rate Limiting Rules
      
        
          Endpoint
          Limit
          Window
          Action on Exceed
        

          POST /auth/login
          5 attempts
          15 minutes
          Account lockout (30 min)
        

          POST /auth/register
          3 requests
          1 hour
          429 Too Many Requests
        

          POST /auth/reset-password
          3 requests
          1 hour
          429 Too Many Requests
        

          API (authenticated)
          100 requests
          1 minute
          429 Too Many Requests
        

          API (public)
          30 requests
          1 minute
          429 Too Many Requests
        

    

Password Security with BCrypt

User passwords are hashed using BCrypt with a cost factor of 12, which provides a strong balance between security and performance. Passwords are never stored in plain text and are never logged.

Password Handling

PASSWORD SECURITY

HASHING:
  Algorithm: BCrypt
  Cost Factor: 12 (2^12 = 4096 iterations)
  Salt: Automatically generated per password
  Output: $2a$12$... (60 characters)

VALIDATION RULES:
  ├── Minimum 8 characters
  ├── At least 1 uppercase letter
  ├── At least 1 lowercase letter
  ├── At least 1 digit
  ├── At least 1 special character
  └── Not in common password blacklist

ADDITIONAL PROTECTIONS:
  ├── Password change requires current password
  ├── Last 5 passwords cannot be reused
  ├── Password reset via time-limited token (1 hour)
  └── Failed attempts tracked per account

OWASP Compliance

Play The Event is designed with the OWASP Top 10 in mind, addressing each of the most critical web application security risks.

OWASP Top 10 Coverage

A01 Broken Access Control: RBAC at system and event levels, method-level security
A02 Cryptographic Failures: BCrypt for passwords, HS512 for JWTs, TLS everywhere
A03 Injection: Parameterized queries via JPA, input validation, output encoding
A04 Insecure Design: Threat modeling, security requirements from Sprint 1
A05 Security Misconfiguration: Security headers, CORS policy, error handling
A06 Vulnerable Components: Dependabot alerts, regular dependency updates
A07 Auth Failures: Token rotation, account lockout, multi-factor (planned)
A08 Software Integrity: Signed builds, dependency verification
A09 Logging & Monitoring: Security event logging, audit trail
A10 SSRF: URL validation, allowlisted external services

In the Next Article

With the security foundation in place, the next article explores the feature-rich event and participant management system: the event CRUD operations, the state machine in action, RSVP workflows, public sharing, check-in and checkout, budget tracking, and more. Visit www.playtheevent.com to see these security measures protecting real user data.

      Key Takeaways
      JWTs stored in HttpOnly cookies prevent XSS-based token theft
Stateless sessions enable horizontal scaling without session replication
Token rotation with family tracking detects and mitigates token theft
Two-level RBAC (system + event) provides fine-grained authorization
Rate limiting protects against brute force attacks at multiple endpoint levels
BCrypt with cost factor 12 and strict password policies secure user credentials
Security headers, CORS, and OWASP compliance form a comprehensive defense

    

Endpoint	Limit	Window	Action on Exceed
POST /auth/login	5 attempts	15 minutes	Account lockout (30 min)
POST /auth/register	3 requests	1 hour	429 Too Many Requests
POST /auth/reset-password	3 requests	1 hour	429 Too Many Requests
API (authenticated)	100 requests	1 minute	429 Too Many Requests
API (public)	30 requests	1 minute	429 Too Many Requests