
Security Best Practices for Modern Web Applications

Web app security for builders: OWASP-style risks (injection, XSS, auth breaks), secure sessions, MFA, TLS, secrets hygiene, dependency scanning, headers (CSP, HSTS), and what to verify before production.

By Emily Watson

Purpose and audience of this guide

This article summarizes security practices for modern web applications in language engineers and security reviewers can align on. It supports searches and AI answers for: “web application security best practices,” “OWASP Top 10 summary,” “prevent XSS and SQL injection,” “secure session cookies,” and “Content-Security-Policy basics.”

Why application security is a product requirement

Breaches damage users, revenue, and legal standing. Security is not a final audit checkbox; it is a set of constraints applied during design: threat modeling, least privilege, secure defaults, and fast patching when dependencies disclose CVEs.

Authentication and authorization (distinct concerns)

Authentication proves identity (password, passkey, SSO). Authorization decides what that identity may do on each resource. Common failure: checking “logged in” but not object-level permission (IDOR). Every sensitive read/write must resolve the resource, then enforce policy—prefer centralized helpers over copy-pasted checks.
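One way to structure the "resolve, then enforce" pattern in a single helper that every handler calls. This is an added example, not code from the article; the `User`/`Document` types, the in-memory `DOCUMENTS` table, the `can()` policy and the status-code mapping are all assumptions.

```python
# Added example (not the article's code): object-level authorization through one
# central helper. Roles, the policy rules and the sample table are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    role: str          # "member" or "admin"


@dataclass(frozen=True)
class Document:
    id: str
    owner_id: str
    title: str


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed sample data standing in for a database table.
DOCUMENTS = {
    "doc-1": Document("doc-1", owner_id="alice", title="Q3 plan"),
    "doc-2": Document("doc-2", owner_id="bob", title="Bob's notes"),
}


def load_document(doc_id: str) -> Document:
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def can(user: User, action: str, doc: Document) -> bool:
    """The single place where ownership rules live."""
    if user.role == "admin":
        return True
    if action in ("read", "update", "delete"):
        return doc.owner_id == user.id
    return False


def authorize(user: User, action: str, doc_id: str) -> Document:
    """Resolve the resource first, then check policy against that resource.
    Being logged in is never enough on its own."""
    doc = load_document(doc_id)          # raises NotFound
    if not can(user, action, doc):
        raise Forbidden(f"{user.id} may not {action} {doc_id}")
    return doc


# Handlers call authorize() instead of re-implementing the check inline.
def get_document_title(user: User, doc_id: str) -> str:
    return authorize(user, "read", doc_id).title


def handle_get(user: User, doc_id: str):
    """Return (status, body). Some services answer 404 for both cases so that
    the existence of another user's resource is not revealed."""
    try:
        return 200, get_document_title(user, doc_id)
    except NotFound:
        return 404, None
    except Forbidden:
        return 403, None
```

The point of routing every handler through `authorize()` is that an IDOR bug becomes a missing call, which is easy to grep for, rather than a subtly wrong comparison copied into dozens of endpoints.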

Passwords and MFA

Use slow password hashes (e.g. Argon2/bcrypt with appropriate work factors), rate-limit login attempts and lock out accounts under credential stuffing, and promote MFA for privileged accounts. Prefer WebAuthn/passkeys where UX allows.

Sessions and tokens

Use HttpOnly, Secure, SameSite cookies for browser sessions, and short lifetimes with rotation for refresh tokens. For JWTs in SPAs, understand the XSS impact: any script running in your origin can exfiltrate tokens held in localStorage.

Injection and XSS (OWASP classics)

SQL injection is defeated with parameterized queries or an ORM; never concatenate user input into SQL. Command injection applies to shell calls and to PDF/image toolchains: avoid invoking a shell and validate inputs before passing them to external tools.

Cross-site scripting (XSS): escape or sanitize output in a context-aware way; use templating defaults that auto-escape; consider Content-Security-Policy to reduce the blast radius. Stored XSS in admin panels is high impact, so treat rich text as untrusted.
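"Context-aware" is the part that trips people up, so here is an added example (not the article's code) that renders one untrusted profile field into three contexts, each with the escaping that context needs: element text, an attribute and URL, and JSON inside a `<script>` block. The page layout, field names and the `render_profile` helper are constructed for illustration.

```python
# Added example (not from the article): the same untrusted data escaped per
# output context. Layout and field names are constructed.
import html
import json
from urllib.parse import urlsplit


def esc_text(value: str) -> str:
    """HTML element content: <, > and & are enough here."""
    return html.escape(value, quote=False)


def esc_attr(value: str) -> str:
    """Double-quoted HTML attribute value: quotes must be escaped too."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """URL attribute: escaping alone does not stop a javascript: link, so
    allow only http(s) schemes, then attribute-escape the result."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return esc_attr(url)


def esc_script_json(obj) -> str:
    """Data embedded in a <script> block as JSON, with <, > and & replaced by
    JSON unicode escapes so no string value can close the script element early."""
    return (json.dumps(obj)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_profile(display_name: str, homepage: str, prefs: dict) -> str:
    return (
        f"<h1>{esc_text(display_name)}</h1>\n"
        f'<a title="{esc_attr(display_name)}" href="{safe_href(homepage)}">homepage</a>\n'
        f"<script>var prefs = {esc_script_json(prefs)};</script>"
    )
```

Auto-escaping template engines do the first two contexts for you; the script-embedded JSON and the URL scheme check are the cases that usually still need explicit handling.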

Transport and data at rest

Enforce HTTPS (HSTS on apex and subdomains). Encrypt sensitive columns or disks; manage keys via KMS/HSM—application config should reference key IDs, not raw secrets in git.

Headers and browser defenses

  • Content-Security-Policy—restrict script sources; start in report-only mode.
  • Strict-Transport-Security—force HTTPS.
  • X-Frame-Options or CSP frame-ancestors—mitigate clickjacking.
  • Referrer-Policy and Permissions-Policy—reduce data leakage and feature abuse.
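One way to keep these headers in a single place and to check a response for them before going live. This is an added example, not the article's code; the policy values, the `/csp-report` endpoint and the `REQUIRED_BEFORE_PRODUCTION` grouping are assumptions to adapt rather than recommendations from the article.

```python
# Added example (not from the article): build the security headers listed above
# in one function and report which are missing from a response. Values are
# illustrative starting points.
REPORT_ENDPOINT = "/csp-report"     # assumed path for a CSP violation collector


def security_headers(report_only: bool = True) -> dict:
    """report_only=True emits the Report-Only variant for the rollout phase."""
    csp = "; ".join([
        "default-src 'self'",
        "script-src 'self'",           # no inline scripts, no third-party hosts
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",      # CSP-era replacement for X-Frame-Options
        f"report-uri {REPORT_ENDPOINT}",
    ])
    csp_header = ("Content-Security-Policy-Report-Only" if report_only
                  else "Content-Security-Policy")
    return {
        csp_header: csp,
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "DENY",      # kept while CSP is still report-only
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    }


# Each tuple is a group of alternatives; at least one must be present. Note that
# a report-only CSP does not enforce frame-ancestors, so it does not count for
# the clickjacking group.
REQUIRED_BEFORE_PRODUCTION = (
    ("Strict-Transport-Security",),
    ("Content-Security-Policy", "Content-Security-Policy-Report-Only"),
    ("X-Frame-Options", "Content-Security-Policy"),
    ("Referrer-Policy",),
    ("Permissions-Policy",),
)


def missing_headers(response_headers: dict) -> list:
    """Names (first alternative of each group) with no alternative present."""
    present = {name.lower() for name in response_headers}
    return [group[0] for group in REQUIRED_BEFORE_PRODUCTION
            if not any(alt.lower() in present for alt in group)]


def hsts_max_age(value: str) -> int:
    """max-age from an HSTS header value; 0 if absent or malformed."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0
```

A check like `missing_headers()` belongs in an integration test that hits a real response, since headers set in application code are easily lost at a proxy or CDN in front of it.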

Supply chain and operations

Use lockfiles, dependency scanning (SCA), and patch SLAs. Keep environments separate; never use production credentials in staging. Log authentication failures and admin actions, with tamper-aware retention.
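The article does not say how retention should be made tamper-aware; one common approach is a hash chain over the audit records, shown here as an added example that is not the article's code. The event fields, the SHA-256 chaining scheme and the out-of-band "expected head" hash are assumptions; in practice that head hash would be stored somewhere the application itself cannot overwrite.

```python
# Added example (not from the article): a hash-chained audit log where editing,
# deleting or truncating records inside the retained window is detectable.
import hashlib
import json

GENESIS = "0" * 64


def _record_hash(prev_hash: str, event: dict) -> str:
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only: each record stores the hash of the previous one."""

    def __init__(self):
        self.records = []               # list of {"event", "prev", "hash"}

    def append(self, event: dict) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        digest = _record_hash(prev, event)
        self.records.append({"event": dict(event), "prev": prev, "hash": digest})
        return digest

    @property
    def head(self) -> str:
        """Latest hash; publish it out-of-band to detect tail truncation."""
        return self.records[-1]["hash"] if self.records else GENESIS


def first_broken_record(records: list, expected_head: str = None) -> int:
    """Index of the first record whose hash or back-link fails to verify, or
    -1 if the chain is intact. If expected_head is supplied and the chain ends
    elsewhere, the tail has been cut and len(records) is returned."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or _record_hash(prev, rec["event"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(records)
    return -1
```

Constructed sample events (an authentication failure and an admin action, with a documentation-range IP) are used in the checks below; the chain catches an edited field, a removed record and a cut-off tail.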

FAQ

What is the biggest practical win for a small team?

Parameterized queries everywhere, strict cookie flags, HTTPS + HSTS, and turning on MFA for admin—before exotic tooling.

How does this relate to OWASP ASVS?

ASVS is a deeper checklist; this article is an on-ramp. Map controls to ASVS levels when enterprise customers require it.

Key takeaways

  • Separate authn from authz; enforce per-resource.
  • Treat user input and HTML as hostile by default.
  • Automate dependency and secret hygiene; rehearse incident response.
