A concise, actionable checklist of web application security best practices to help developers build and maintain secure web apps, covering input handling, authentication, data protection, and infrastructure hardening.
1. Validate and sanitize all user input server-side
Never trust client-supplied data; enforce strict type, length, format, and range checks on the server to prevent injection attacks such as SQL injection and XSS.
2. Use parameterized queries or prepared statements for all database interactions
Parameterized queries separate code from data, making it impossible for attacker-controlled input to alter query logic and preventing SQL injection entirely.
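Worked example for items 1 and 2 (added here, not part of the checklist): a server-side allow-list validator followed by a parameterized lookup, shown beside the string-building pattern it replaces. The username policy, the table layout and the sample rows are constructed for the demonstration and run against an in-memory SQLite database.

```python
# Added example, not part of the checklist: server-side validation followed by a
# parameterized query, shown beside the string-building pattern it replaces.
# Uses an in-memory SQLite database with constructed sample rows.
import re
import sqlite3

# Assumed username policy: lowercase letters, digits, underscore, 3 to 32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(value):
    """Allow-list check: type, length and format are all enforced by the pattern."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def setup_db():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def find_user_unsafe(conn, username):
    """The vulnerable pattern: user input is spliced into the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_param(conn, username):
    """Parameterized: the driver binds the value, so it can never change query logic."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_user(conn, username):
    """What a request handler should do: validate first, then query with parameters."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return find_user_param(conn, username)


if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"  # constructed input shaped to alter the WHERE clause
    print("unsafe:", find_user_unsafe(conn, payload))  # returns every row
    print("param: ", find_user_param(conn, payload))   # matches nothing
    print("lookup:", lookup_user(conn, "alice"))
```

The two layers are independent: the parameterized query stays safe even for input the validator would reject, and the validator still rejects malformed input that a bound parameter would happily search for.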
3. Implement Content Security Policy (CSP) headers
Set a strict CSP header that allow-lists trusted sources for scripts, styles, and media, drastically reducing the impact of XSS attacks by blocking unauthorized script execution.
4. Enforce HTTPS everywhere with HSTS
Redirect all HTTP traffic to HTTPS and deploy an HTTP Strict-Transport-Security header with a long max-age (≥1 year) and includeSubDomains to prevent protocol downgrade and man-in-the-middle attacks.
5. Store passwords using a strong adaptive hashing algorithm
Use bcrypt, Argon2id, or scrypt with an appropriate work factor; never store plaintext or weakly hashed (MD5/SHA-1) passwords, and always use a unique salt per user.
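Worked example for item 5 (added here, not part of the checklist): password storage with scrypt from the Python standard library, a random per-user salt, constant-time verification, and a check that tells the application when a stored hash should be upgraded to the current work factor. The storage format and the work-factor values are assumptions to tune per deployment.

```python
# Added example, not part of the checklist: scrypt password hashing with a
# per-user salt, constant-time comparison and a work-factor upgrade check.
# The parameters and the "$"-separated storage format are assumptions.
import base64
import hashlib
import hmac
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed current work factor
SCRYPT_MAXMEM = 64 * 1024 * 1024              # memory headroom for n=2**14, r=8


def _derive(password, salt, n, r, p, dklen=32):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=SCRYPT_MAXMEM, dklen=dklen)


def hash_password(password):
    """Return a self-describing string: algorithm, parameters, salt and digest."""
    salt = os.urandom(16)  # unique per user, never reused
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def _parse(stored):
    algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    return int(n), int(r), int(p), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password, stored):
    """Recompute with the parameters recorded in the stored value; compare in constant time."""
    n, r, p, salt, expected = _parse(stored)
    candidate = _derive(password, salt, n, r, p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored):
    """True when the stored hash cost (roughly n*r*p) is below the current setting,
    so the application can re-hash transparently after the next successful login."""
    n, r, p, _salt, _digest = _parse(stored)
    return n * r * p < SCRYPT_N * SCRYPT_R * SCRYPT_P
```

Because the parameters travel with each hash, raising the work factor later only changes new hashes; old ones keep verifying and are flagged by needs_rehash for upgrade at the user's next login.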
6. Implement multi-factor authentication (MFA) for sensitive accounts
Require a second factor (TOTP app, hardware key, or push notification) for admin panels and high-privilege users to limit the blast radius of stolen credentials.
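Worked example for item 6 (added here, not part of the checklist): server-side verification of the TOTP codes an authenticator app produces, implemented from RFC 4226/6238 with the standard library. It allows one step of clock drift, compares in constant time, and refuses a code whose counter was already accepted, so a captured code cannot be replayed. Secret provisioning and encrypted storage of the per-user secret are assumed to exist elsewhere.

```python
# Added example, not part of the checklist: RFC 6238 TOTP generation and
# verification. Secret storage and provisioning are assumed to exist elsewhere.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return "%0*d" % (digits, code)


def totp(secret, for_time=None, step=30, digits=6):
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    now = time.time() if for_time is None else for_time
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, submitted, for_time=None, step=30, digits=6, window=1, last_used=None):
    """Return the matched counter, or None if the code is rejected.

    Accepts codes within +/- window steps (clock drift), compares in constant time,
    and skips any counter at or below last_used so an accepted code cannot be
    replayed. The caller persists the returned counter as the new last_used."""
    now = time.time() if for_time is None else for_time
    base = int(now) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits).encode(), str(submitted).encode()):
            return counter
    return None


def secret_from_base32(encoded):
    """Authenticator apps are provisioned with a base32 secret; decode it to raw bytes."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)
```

The test values below are the published RFC 4226/6238 vectors for the secret "12345678901234567890": counter 0 yields 755224, counter 1 (time 59 with a 30-second step) yields 287082. Pair this with the rate limiting in item 12, since a six-digit code has only a million possibilities.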
7. Set secure, HttpOnly, and SameSite attributes on all cookies
The Secure flag prevents cookie transmission over HTTP; HttpOnly blocks JavaScript access to reduce XSS token theft; SameSite=Strict or Lax mitigates CSRF attacks.
8. Implement and enforce CSRF tokens on all state-changing requests
Generate a cryptographically random, per-session (or per-request) CSRF token and validate it server-side on every POST, PUT, PATCH, and DELETE endpoint to prevent cross-site request forgery.
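Worked example for items 7 and 8 (added here, not part of the checklist): a Set-Cookie builder that always emits Secure, HttpOnly and SameSite, and the issue-and-validate logic for a per-session CSRF token that gates only state-changing methods. The cookie name, lifetime, and the session and form dictionaries standing in for a framework's request objects are assumptions.

```python
# Added example, not part of the checklist: hardened cookie serialization and
# per-session CSRF token checks. Session/form dicts stand in for a framework's.
import hmac
import secrets

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def build_cookie(name, value, max_age=3600, same_site="Lax", path="/"):
    """Serialize a Set-Cookie header value with the three protective attributes."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("use SameSite=Strict or Lax for session cookies")
    if any(ch in value for ch in ";,= \t\r\n"):
        raise ValueError("cookie value contains characters not allowed in a cookie")
    return "%s=%s; Max-Age=%d; Path=%s; Secure; HttpOnly; SameSite=%s" % (
        name, value, max_age, path, same_site)


def new_csrf_token():
    """256 bits from the OS CSPRNG; stored server-side in the session at login."""
    return secrets.token_urlsafe(32)


def csrf_allows(method, session_token, submitted_token):
    """True if the request may proceed.

    Safe methods pass; state-changing methods need the token submitted in a form
    field or custom header to match the session's token, compared in constant time."""
    if method.upper() not in STATE_CHANGING:
        return True
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token.encode("utf-8"), submitted_token.encode("utf-8"))


def handle(method, session, form):
    """Minimal request gate returning an HTTP status; session and form are assumed dicts."""
    if not csrf_allows(method, session.get("csrf"), form.get("csrf_token")):
        return 403
    return 200


if __name__ == "__main__":
    token = new_csrf_token()
    print(build_cookie("sid", "constructed-session-id"))
    print(handle("POST", {"csrf": token}, {"csrf_token": token}))  # 200
    print(handle("POST", {"csrf": token}, {}))                     # 403
```

SameSite is a second line of defence, not a replacement for the token: older clients and certain cross-site navigations still send Lax cookies on top-level requests, so the server-side token check stays mandatory on every state-changing endpoint.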
9. Apply the principle of least privilege to users and service accounts
Grant each user, role, and API key only the minimum permissions required for their function; revoke unused privileges and audit access rights regularly.
10. Keep all dependencies and frameworks up to date
Use a dependency auditing tool (e.g., npm audit, OWASP Dependency-Check, Snyk) in your CI pipeline to detect and patch known CVEs in third-party libraries before deployment.
11. Log security-relevant events and monitor for anomalies
Record authentication attempts, authorization failures, input validation errors, and privilege changes with tamper-evident timestamps; feed logs into a SIEM or alerting system to detect attacks in real time.
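Worked example for item 11 (added here, not part of the checklist): a hash-chained security event log in which each record's HMAC also covers the previous record's HMAC, so editing or deleting any earlier record breaks verification, plus a detector that flags a source with repeated authentication failures inside a short window. The signing key, event names, field names, thresholds and the sample events are constructed for the demonstration.

```python
# Added example, not part of the checklist: tamper-evident (HMAC-chained) event
# log plus a simple per-source auth-failure detector. Key, field names and
# thresholds are assumptions; the events are constructed sample data.
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

GENESIS = "0" * 64  # chain anchor for the first record


class SecurityLog:
    def __init__(self, key):
        self.key = key  # in practice held by the log collector, not the web process
        self.records = []
        self.prev_mac = GENESIS

    @staticmethod
    def _body(record):
        """Canonical JSON of every field except the chain fields themselves."""
        return json.dumps({k: v for k, v in record.items() if k not in ("prev", "mac")},
                          sort_keys=True, separators=(",", ":"))

    def append(self, event, ts=None, **fields):
        record = {"ts": time.time() if ts is None else ts, "event": event, **fields}
        mac = hmac.new(self.key, (self.prev_mac + self._body(record)).encode(),
                       hashlib.sha256).hexdigest()
        record["prev"], record["mac"] = self.prev_mac, mac
        self.records.append(record)
        self.prev_mac = mac
        return record

    def verify(self):
        """Walk the chain; False if any record was altered, removed or reordered."""
        prev = GENESIS
        for record in self.records:
            expected = hmac.new(self.key, (prev + self._body(record)).encode(),
                                hashlib.sha256).hexdigest()
            if record.get("prev") != prev or not hmac.compare_digest(record.get("mac", ""), expected):
                return False
            prev = record["mac"]
        return True


def detect_auth_failures(records, threshold=5, window=60):
    """Sources with at least `threshold` auth_failure events within any `window` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for record in records:
        if record.get("event") != "auth_failure":
            continue
        src = record.get("src", "unknown")
        q = recent[src]
        q.append(record["ts"])
        while q and record["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def sample_log():
    """Constructed events: one noisy source against alice, one benign login by bob."""
    log = SecurityLog(b"assumed-log-signing-key")
    for i in range(6):
        log.append("auth_failure", ts=1700000000 + i, src="203.0.113.7", user="alice")
    log.append("auth_failure", ts=1700000003, src="198.51.100.2", user="bob")
    log.append("auth_success", ts=1700000010, src="198.51.100.2", user="bob")
    return log


def tamper_demo():
    """Editing one record or dropping one both break verification."""
    edited = sample_log()
    edited.records[2]["event"] = "auth_success"
    dropped = sample_log()
    del dropped.records[1]
    return edited.verify(), dropped.verify()
```

Shipping the records to a SIEM as they are appended means the collector can run verify() over what it received; an attacker who later cleans the local log cannot produce a chain that matches the collector's copy without the signing key.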
12. Rate-limit and throttle authentication and sensitive API endpoints
Apply IP- and account-level rate limits to login, password-reset, and OTP endpoints to slow brute-force and credential-stuffing attacks; return 429 responses and lock accounts after repeated failures.
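Worked example for item 12 (added here, not part of the checklist): a sliding-window limiter that caps attempts per source IP, counts failures per account, and locks the account for a fixed period once the failure limit is hit, returning 429 for both conditions. The limits and the lock duration are assumed values to tune; an in-process dictionary stands in for the shared store a multi-instance deployment would use.

```python
# Added example, not part of the checklist: per-IP and per-account sliding-window
# rate limiting with a temporary account lock. Limits are assumed values.
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, ip_limit=20, account_limit=5, window=60, lockout=900):
        self.ip_limit = ip_limit            # attempts per IP per window
        self.account_limit = account_limit  # failures per account before locking
        self.window = window                # seconds
        self.lockout = lockout              # seconds the account stays locked
        self.ip_hits = defaultdict(deque)   # in production: a shared store such as Redis
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def _prune(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, ip, account, now=None):
        """Call before processing an attempt. Returns (http_status, reason);
        a 429 should be sent to the client as-is without touching credentials."""
        now = time.time() if now is None else now
        if self.locked_until.get(account, 0) > now:
            return 429, "account_locked"
        hits = self.ip_hits[ip]
        self._prune(hits, now)
        if len(hits) >= self.ip_limit:
            return 429, "ip_rate_limited"
        hits.append(now)
        return 200, "ok"

    def record_failure(self, account, now=None):
        """Call after a wrong password or OTP. Returns True if the account is now locked."""
        now = time.time() if now is None else now
        q = self.failures[account]
        q.append(now)
        self._prune(q, now)
        if len(q) >= self.account_limit:
            self.locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, account):
        """A successful login clears the failure history for that account."""
        self.failures.pop(account, None)
```

Keep the account counter keyed on the normalized account identifier rather than the IP so that credential stuffing spread across many sources still trips the lock, and log lock events through the mechanism in item 11 so a lockout wave is visible to the SOC.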
13. Perform regular security testing including SAST, DAST, and penetration testing
Integrate static analysis (e.g., Semgrep, Checkmarx) and dynamic scanning (e.g., OWASP ZAP, Burp Suite) into CI/CD, and schedule annual third-party penetration tests to surface vulnerabilities before attackers do.
14. Harden HTTP response headers
Add headers such as X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and Referrer-Policy: no-referrer to eliminate common browser-level attack vectors like MIME sniffing and clickjacking.
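Worked example for items 3, 4 and 14 together (added here, not part of the checklist): one function that emits the full set of hardened response headers (a nonce-based CSP, HSTS with a one-year max-age and includeSubDomains, nosniff, frame denial, referrer policy), a helper for the HTTP-to-HTTPS redirect, and an audit function that flags missing or weak values. The exact header values are assumed defaults to adapt to the application.

```python
# Added example, not part of the checklist: hardened response headers (CSP with a
# per-response nonce, HSTS, nosniff, X-Frame-Options, Referrer-Policy), an
# HTTPS redirect helper and an audit check. Values are assumed defaults.
import re
import secrets

ONE_YEAR = 31536000  # seconds; the checklist asks for an HSTS max-age of at least a year


def csp_nonce():
    """Fresh per-response nonce; only <script nonce="..."> tags carrying it may execute."""
    return secrets.token_urlsafe(16)


def security_headers(nonce):
    return {
        "Strict-Transport-Security": "max-age=%d; includeSubDomains" % ONE_YEAR,
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self' 'nonce-%s'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'" % nonce
        ),
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Referrer-Policy": "no-referrer",
    }


def https_redirect(scheme, host, path):
    """For a plaintext request return (status, Location); None when already HTTPS."""
    if scheme.lower() == "https":
        return None
    return 301, "https://%s%s" % (host, path)


def audit_headers(headers):
    """Return a list of findings for a response's headers; an empty list passes."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing HSTS")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing CSP")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP permits inline scripts or styles")
    for name, expected in (("x-content-type-options", "nosniff"),
                           ("x-frame-options", "deny"),
                           ("referrer-policy", "no-referrer")):
        if lower.get(name, "").lower() != expected:
            findings.append("missing or unexpected " + name)
    return findings


if __name__ == "__main__":
    for name, value in security_headers(csp_nonce()).items():
        print("%s: %s" % (name, value))
    print(audit_headers({"Strict-Transport-Security": "max-age=300"}))
```

The CSP here uses a nonce rather than an allow-list of hosts, so each response must render its own nonce into every script tag; templates that emit inline scripts without it will simply stop running, which is the intended failure mode. audit_headers is the kind of check to run in CI against a staging response before release.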