DEV Community

Cover image for How to secure your web app
Doktouri
Doktouri

Posted on • Originally published at agency.doktouri.com

How to secure your web app

Security is easy to treat as someone else's problem until an incident makes it very much yours. The good news is that the vast majority of real-world breaches don't come from exotic zero-days — they come from a handful of well-understood mistakes. You don't need to be a security researcher to close them. You need a baseline, applied consistently. Here's the one every web app should have.

Get authentication and sessions right

Auth is where most serious failures start, so don't invent it. Use a battle-tested library or provider rather than hand-rolling password hashing and session logic.

  • Hash passwords with a modern algorithm like bcrypt or argon2 — never store them reversibly.
  • Manage sessions safely: short-lived tokens, secure and HttpOnly\ cookies, and proper logout that actually invalidates the session.
  • Enforce authorization on the server, every time. Hiding a button in the UI is not access control. Check permissions on the backend for every request, and default to deny.

Broken access control — a user reaching data or actions they shouldn't — is consistently among the most common and damaging web vulnerabilities.

Treat all input as hostile

Every piece of data from a client is a potential attack. Two classics still dominate:

  1. Injection. Always use parameterized queries or an ORM — never build SQL by concatenating strings. This shuts down SQL injection at the source.
  2. Cross-site scripting (XSS). Escape and sanitize any user-supplied content before rendering it. Modern frameworks help, but dangerouslySetInnerHTML\ and its equivalents will bite you.

Validate input on the server against a strict schema. Client-side validation is for user experience; it is not a security control, because anyone can bypass it.

Protect secrets and configuration

Credentials in your codebase are a breach waiting to be indexed. Keep secrets out of source control entirely — use environment variables or a secrets manager, and rotate them if they ever leak. Scan your repository history, not just the current files, since a key committed once lives in the history forever.

Ship secure headers and HTTPS

A few cheap defaults raise the floor considerably:

  • HTTPS everywhere, with HSTS so browsers refuse to downgrade.
  • Security headers — a Content-Security-Policy to blunt XSS, plus X-Content-Type-Options\ and frame protections.
  • CSRF protection for cookie-based sessions, using anti-CSRF tokens.
  • Rate limiting on auth and other sensitive endpoints to slow brute-force attempts.

Keep dependencies honest

Modern apps are mostly other people's code, and vulnerabilities in that code are yours to inherit. Run automated dependency scanning in CI, keep packages reasonably current, and be deliberate about what you add — every dependency is attack surface. A vulnerable library you forgot about is a common way in.

Make it a habit, not an event

Security isn't a checklist you complete once before launch; it's a posture you maintain. Bake these into your workflow: parameterized queries by default, secrets never committed, dependency scans in the pipeline, and authorization checks on every endpoint. Do the basics consistently and you'll be ahead of the majority of applications — and out of reach of the opportunistic attacks that cause most of the damage.

If you want a security review before you ship something that matters, talk to us.


Originally published on the Doktouri Agency blog. We build web, mobile, SaaS, and AI products — let's talk.

Top comments (0)