Web security is not optional in web development. Breaches expose sensitive data, damage reputations, incur legal liability, and erode user trust. Understanding common vulnerabilities and their defenses is essential for anyone building for the web. Security must be considered throughout development, not added afterward.
Web Security Essentials

HTTPS encrypts all communication between browser and server. Without HTTPS, anyone on the network can intercept data: passwords, credit cards, personal information. SSL/TLS certificates enable the encryption. Let’s Encrypt provides free certificates. HTTPS is a baseline requirement, not an optional extra.
Cross-Site Scripting (XSS) occurs when attackers inject malicious scripts into trusted websites. Reflected XSS: a malicious script in the URL is executed immediately. Stored XSS: the script is saved to the database and executed whenever the page is viewed. DOM-based XSS: the vulnerability lies entirely in client-side code. XSS can steal cookies, redirect users, and deface sites.
Preventing XSS requires context-aware escaping. HTML-encode user content displayed in HTML. JavaScript-encode content inserted into scripts. URL-encode content placed in links. Content Security Policy (CSP) provides defense in depth by restricting which scripts can execute. Modern frameworks auto-escape by default.
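One encoder per output context, as an added example that is not the article's code. The display-name input, the page template and the CSP value are constructed for the illustration.

```python
# Added example (not the article's code): one encoder per output context.
import html
import json
import urllib.parse

# Constructed input standing in for an untrusted display name.
UNTRUSTED = '<img src=x onerror="alert(1)"> & "quoted"'

def for_html(value: str) -> str:
    """Text placed in an HTML element body or a quoted attribute."""
    return html.escape(value, quote=True)

def for_js(value: str) -> str:
    """Value embedded in an inline <script>: JSON-encode it, then escape
    '<' and '>' so data containing '</script>' cannot close the tag."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def for_url(value: str) -> str:
    """Value placed in a URL query parameter."""
    return urllib.parse.quote(value, safe="")

def render_profile(display_name: str) -> str:
    """The same value emitted into three contexts, each with its own encoder."""
    return (
        f"<h1>{for_html(display_name)}</h1>\n"
        f'<a href="/search?q={for_url(display_name)}">search</a>\n'
        f"<script>var name = {for_js(display_name)};</script>"
    )

# Defense in depth: even if an encoder is missed somewhere, inline and
# third-party scripts are refused by this policy.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")
```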
Cross-Site Request Forgery (CSRF) tricks authenticated users into unintended actions. An attacker creates a malicious site with a form that submits to the vulnerable site. If the user is authenticated, the browser sends the cookies and the request appears legitimate. CSRF tokens (random values validated with each request) prevent this.
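A session-bound CSRF token and the check a state-changing handler performs, as an added example that is not the article's code. The secret key, the `handle_transfer` handler and its request dictionary are constructed for the illustration.

```python
# Added example (not the article's code): HMAC-based CSRF tokens bound to
# the session, so a form on another site cannot supply a valid one.
import hashlib
import hmac
import secrets

# Constructed for the example; a real app loads this from configuration.
SECRET_KEY = secrets.token_bytes(32)

def issue_csrf_token(session_id: str) -> str:
    """Embed the result in every state-changing form as a hidden field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def handle_transfer(request: dict) -> int:
    """Simulated POST handler; `request` is a constructed dict with
    'cookies' and 'form' mappings. Returns an HTTP status code."""
    session_id = request["cookies"].get("session")
    token = request["form"].get("csrf_token", "")
    if not session_id:
        return 401
    if not verify_csrf_token(session_id, token):
        return 403  # the cookie arrived automatically, but the token did not
    return 200
```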
SQL injection occurs when untrusted data is included directly in SQL queries. An attacker enters ' OR '1'='1 in a login form, potentially bypassing authentication entirely. Worse: '; DROP TABLE users; -- could destroy the database. Parameterized queries (prepared statements) separate SQL from data, preventing injection.
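The login query built by concatenation beside its parameterized form, exercised with the ' OR '1'='1 payload from the text; an added example, not the article's code. It uses an in-memory sqlite3 database and a constructed user row.

```python
# Added example (not the article's code): the same login query built two
# ways, run against an in-memory sqlite3 database with a constructed row.
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'pbkdf2$constructed-hash')")
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password_hash: str) -> bool:
    # Concatenation: a quote in the input ends the string literal and the
    # rest is parsed as SQL, so the WHERE clause becomes always-true.
    sql = ("SELECT 1 FROM users WHERE username = '" + username
           + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username: str, password_hash: str) -> bool:
    # Placeholders: the driver passes the values separately from the
    # statement text, so they are only ever compared as plain strings.
    sql = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None

# The payload from the text, used here only to show the two behaviours.
PAYLOAD = "' OR '1'='1"
```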
Authentication vulnerabilities abound. Weak password policies allow guessing. No rate limiting enables brute force. Session fixation lets attackers hijack sessions. Insufficient session expiration leaves sessions valid indefinitely. Secure authentication requires password hashing (bcrypt, Argon2), MFA options, and proper session management.
Authorization flaws let users access resources they are not entitled to. Insecure Direct Object References (IDOR) occur when an application exposes internal IDs. A user changes the URL from /invoice/123 to /invoice/124 and reads another user’s invoice. The server must verify authorization on every request, not rely on URLs being hard to guess.
Security headers provide browser protections. Content-Security-Policy restricts resource loading. X-Frame-Options prevents clickjacking by controlling iframe embedding. X-Content-Type-Options prevents MIME sniffing. Strict-Transport-Security enforces HTTPS. Referrer-Policy controls referrer information. These headers add significant protection.
Cross-Origin Resource Sharing (CORS) controls which origins can access resources. Browsers enforce the same-origin policy by default. CORS headers (Access-Control-Allow-Origin) relax that restriction intentionally. Misconfigured CORS can expose APIs to unauthorized sites. Understand the policy before configuring it.
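A WSGI middleware that sets the headers listed above and answers CORS only for an explicit origin allowlist, as an added example that is not the article's code. The allowlist, the header values and the `hello_app` application are constructed for the illustration.

```python
# Added example (not the article's code): security headers plus an
# allowlisted CORS policy, applied as WSGI middleware.
ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allowlist

SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]

def cors_headers(origin):
    """Echo only an allowlisted origin; never '*' on a credentialed API."""
    if origin is None:
        return []
    if origin in ALLOWED_ORIGINS:
        return [("Access-Control-Allow-Origin", origin),
                ("Access-Control-Allow-Credentials", "true"),
                ("Vary", "Origin")]
    return [("Vary", "Origin")]  # caches must not reuse this for another origin

def secure_headers_middleware(app):
    def wrapped(environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        def _start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [h for h in SECURITY_HEADERS if h[0].lower() not in present]
            return start_response(status, headers + extra + cors_headers(origin), exc_info)
        return app(environ, _start)
    return wrapped

def call(app, environ):
    """Tiny WSGI driver for testing: returns (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body

def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]
```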
Dependency vulnerabilities are increasingly common. Modern applications use thousands of packages, and any package vulnerability becomes an application vulnerability. Regular updates, vulnerability scanning (npm audit, Snyk, Dependabot), and minimal dependencies reduce the risk. Supply chain security is a growing concern.
Server configuration matters. Default credentials must be changed, unnecessary services disabled, file permissions restricted, directory listing disabled, and error messages kept from leaking information. Security updates must be applied regularly. Infrastructure as Code helps maintain consistent, secure configurations.
Data protection includes encryption at rest and in transit. Sensitive data (passwords, PII, payment information) requires additional protection, and encryption keys must be managed securely. Database encryption and application-level encryption protect against different threats. Data minimization (collecting only what is needed) reduces breach impact.
Security testing belongs throughout development. Static analysis scans source code for vulnerabilities. Dynamic analysis tests the running application. Penetration testing simulates attacks. Dependency scanning identifies vulnerable libraries. Automated tools catch common issues; manual review finds complex flaws.
Incident response plans prepare for breaches: detect, contain, eradicate, recover, learn. Who contacts users? Who notifies regulators? Who communicates publicly? Planning before an incident reduces chaos during one. Every organization handling user data needs a plan.
A security mindset means thinking like an attacker. Question assumptions. Validate inputs at trust boundaries. Apply least privilege. Practice defense in depth: multiple layers, so that a single failure is not catastrophic. Security is an ongoing practice, not a checkbox.