Skip to main content
Secure Coding Practices in Web Development
Security is a paramount aspect of web development. Writing secure code is crucial to protect against vulnerabilities like SQL injection, XSS (Cross-Site Scripting), and CSRF (Cross-Site Request Forgery). This document outlines best practices for writing secure code along with examples.

Preventing SQL Injection 💉

Vulnerable Code Example

Secure Code Example

Protecting Against XSS Attacks 🛡️

Understanding the Risk

Cross-Site Scripting (XSS) attacks occur when malicious scripts are injected into webpages viewed by other users. This can lead to data theft, session hijacking, and other security breaches. To learn more about XSS ↗️

Vulnerable Code Example

Secure Code Example

Mitigating CSRF Attacks 🛡️

Understanding the Risk

CSRF attacks force a logged-on victim to submit a request to a web application on which they are currently authenticated. These attacks can be used to perform actions on behalf of the user without their consent. To learn more about CSRF ↗️

Vulnerable Code Example

Secure Code Example

Mitigating CSRF Attacks
know more These sections provide an understanding of XSS and CSRF risks, along with practical code examples and links for further reading, enhancing the security knowledge of developers.

Handling Vulnerable Dependencies 🐞

Using npm-audit to Identify Vulnerabilities

Run npm audit to identify and fix insecure dependencies. Regularly update your packages to the latest, non-vulnerable versions.

Incorporating Snyk for Continuous Security

Integrate Snyk into your development workflow for continuous monitoring and fixing of vulnerabilities in dependencies.

Managing Environment Variables Securely 🔐

Storing Secrets in .env Files

Store sensitive information like API keys and passwords in .env files and access them via process.env in your code. Bad Practice: Hardcoding secrets in code
Good Practice: Storing secret in .env file

Using Secure Storage for Environment Secrets

For higher security, especially in production, use services like 1Password or Phase. These services securely manage and inject secrets into your application. Example: Integrating 1Password
In this example, the 1Password CLI is used to securely fetch the API key and set it as an environment variable. This method enhances security by avoiding hardcoded secrets in your codebase or .env files. To learn more ↗️

Preventing Brute Force Attacks

Implement rate limiting and account lockout mechanisms on your backend to prevent brute force attacks.

Example: Rate Limiting with Express-rate-limit

Understanding the Risk

When users click a password reset link (e.g., https://example.com/reset-password?token=12345), the page may load external resources, potentially exposing the URL with the token. To learn more ↗️

Mitigating the Risk

Implement a Referrer-Policy on both the backend (for global settings) and the frontend (for specific pages, especially in SPA frameworks like React or Next.js). This policy controls the referrer information sent to other domains, protecting sensitive data in the URL.

Backend Implementation in Express.js

Frontend Implementation in React.js/Next.js

Use react-helmet (React) or set headers in _document.js (Next.js) to include the Referrer-Policy.

Preventing Parameter Tampering 💸

Understanding the Risk

In e-commerce applications or any other payment related application, parameter tampering can occur if user-supplied data like product prices or quantities are trusted blindly. Attackers might manipulate these values to reduce prices or change order details.

Bad Practice: Trusting Client-Supplied Prices

Good Practice: Server-Side Price Validation

In the secure approach, the server retrieves the actual price based on the product ID from a reliable source, like a database, ensuring the integrity of the transaction.

Conclusion

Writing secure code involves being mindful of user input, safeguarding database queries, and preventing unauthorized actions. Adhering to secure coding practices significantly reduces vulnerability risks. For in-depth techniques, refer to resources like the OWASP Top Ten, and regularly update your security knowledge.

References