Web Security Basics: Every Developer Must Know (2026)
Security isn't just for security teams. Every developer who writes code that touches the internet needs these fundamentals.
The Threat Model
Who attacks your app?
1. Script kiddies — automated scanners looking for easy targets
2. Opportunists — exploiting known vulnerabilities in popular frameworks
3. Targeted attackers — after YOUR specific data or users
4. Insiders — employees or contractors with access
What do they want?
- User data (passwords, PII, payment info)
- Compute resources (crypto mining, botnets)
- Access to other systems (lateral movement)
- Reputation damage
- Ransom
The 80/20 rule: 20% of security practices prevent 80% of common attacks.
This guide covers that 20%.
Input Validation: Never Trust the Client
// Rule #1: All user input is hostile until proven otherwise
// Rule #2: Validate on the SERVER (client validation is UX only)
// Rule #3: Use allowlists over blocklists when possible
// ❌ Bad: Blocklist approach (easy to bypass)
function sanitize(input) {
return input.replace(/<script>/gi, ''); // What about <SCRIPT> or <img onerror=...>?
}
// ✅ Good: Structured validation with schema library
const Joi = require('joi');
const schemas = {
// Registration input
register: Joi.object({
email: Joi.string().email().lowercase().max(254).required(),
password: Joi.string()
.min(12)
.max(128)
.pattern(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!@#$%^&*])/)
.message('Password must be 12+ chars with uppercase, lowercase, digit, and special char'),
username: Joi.string().alphanum().min(3).max(30).required(),
inviteCode: Joi.string().alphanum().length(8).optional(),
termsAccepted: Joi.boolean().valid(true).required(),
}),
// Query parameters for list endpoint
listQuery: Joi.object({
page: Joi.number().integer().min(1).default(1),
limit: Joi.number().integer().min(1).max(100).default(20),
sort: Joi.string().valid('createdAt', 'name', 'views').default('createdAt'),
order: Joi.string().valid('asc', 'desc').default('desc'),
search: Joi.string().max(200).allow('', null), // Sanitize before DB use!
category: Joi.string().alphanum().optional(),
}),
// ID parameter
resourceId: Joi.object({
id: Joi.string().uuid().required(), // UUID format prevents injection
}),
};
// Middleware to use these schemas:
function validate(schema) {
return (req, res, next) => {
const { error, value } = schemas[schema].validate(
{ ...req.body, ...req.params, ...req.query },
{ stripUnknown: true, abortEarly: false }
);
if (error) {
const details = error.details.map(d => ({
field: d.path.join('.'),
message: d.message,
}));
return res.status(422).json({ error: 'Validation failed', details });
}
// Replace request data with validated/sanitized version
Object.assign(req, value);
next();
};
}
Authentication & Session Security
// Password handling:
const bcrypt = require('bcrypt');
const SALT_ROUNDS = 12; // Increase as hardware gets faster
async function hashPassword(password) {
return bcrypt.hash(password, SALT_ROUNDS); // Auto-salt included
}
async function verifyPassword(password, hash) {
return bcrypt.compare(password, hash); // Timing-safe comparison
}
// JWT best practices:
const jwt = require('jsonwebtoken');
const tokenConfig = {
accessToken: {
expiresIn: '15m', // Short-lived! Refresh via refresh token
algorithm: 'HS256',
},
refreshToken: {
expiresIn: '7d', // Longer-lived, stored securely
algorithm: 'HS256',
},
};
function generateTokens(user) {
const payload = { sub: user.id, email: user.email, role: user.role };
const accessToken = jwt.sign(payload, process.env.JWT_SECRET, {
expiresIn: tokenConfig.accessToken.expiresIn,
issuer: 'myapp.com',
audience: 'myapp.com/api',
});
const refreshToken = jwt.sign(
{ sub: user.id, type: 'refresh' },
process.env.JWT_REFRESH_SECRET,
{ expiresIn: tokenConfig.refreshToken.expiresIn }
);
return { accessToken, refreshToken };
}
// Token validation middleware:
function authenticate(req, res, next) {
const authHeader = req.headers.authorization;
if (!authHeader?.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Missing authorization header' });
}
const token = authHeader.split(' ')[1];
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET, {
issuer: 'myapp.com',
audience: 'myapp.com/api',
algorithms: ['HS256'], // Explicitly specify allowed algorithms!
});
req.user = decoded;
next();
} catch (err) {
if (err.name === 'TokenExpiredError') {
return res.status(401).json({ error: 'Token expired', code: 'TOKEN_EXPIRED' });
}
return res.status(401).json({ error: 'Invalid token', code: 'INVALID_TOKEN' });
}
}
// Session security (if using cookie-based sessions):
const sessionConfig = {
name: 'sessionId', // Don't use default "connect.sid"
secret: crypto.randomBytes(32).toString('hex'), // Strong random secret
cookie: {
secure: true, // Only send over HTTPS (MUST have this!)
httpOnly: true, // JavaScript can't read it (prevents XSS token theft)
sameSite: 'strict', // Prevents CSRF
maxAge: 3600000, // 1 hour
path: '/', // Only needed at root
},
rolling: true, // Reset expiry on each activity
resave: false,
saveUninitialized: false, // Don't create sessions for unauthenticated users
};
SQL Injection Prevention
// The only safe way: Parameterized queries (always!)
// ❌ NEVER string concatenation:
const query = `SELECT * FROM users WHERE id = ${userId}`;
// userId = "1 OR 1=1" → returns ALL rows!
// ✅ ALWAYS parameterized:
const result = await db.query(
'SELECT * FROM users WHERE id = $1 AND role = $2',
[userId, role]
);
// For dynamic queries (when table/column names are variable):
const allowedSortFields = ['name', 'email', 'created_at'];
const sortField = allowedSortFields.includes(req.query.sort) ? req.query.sort : 'created_at';
const sortOrder = req.query.order === 'asc' ? 'ASC' : 'DESC';
await db.query(`SELECT * FROM users ORDER BY ${sortField} ${sortOrder} LIMIT $1 OFFSET $2`, [limit, offset]);
// ORM safety (most ORMs use parameterized queries by default):
// Sequelize:
User.findAll({ where: { id: userId } }); // Safe!
// But be careful with raw queries:
sequelize.query(`SELECT * FROM users WHERE name = '${name}'`); // UNSAFE!
sequelize.query('SELECT * FROM users WHERE name = ?', { replacements: [name] }); // SAFE
XSS Prevention
// Output encoding is the primary defense:
// In Express/EJS templates:
// Use <%= %> for HTML-escaped output (default and SAFE!)
// Use <%- %> ONLY for pre-sanitized/trusted content (rarely needed)
// React/Vue/Angular: Auto-escaped by default!
// dangerouslySetInnerHTML is DANGEROUS — avoid or sanitize first:
import DOMPurify from 'dompurify';
function renderMarkdown(content) {
const html = marked.parse(content); // Convert markdown to HTML
const clean = DOMPurify.sanitize(html, { // Remove dangerous tags/attributes
ALLOWED_TAGS: ['p', 'strong', 'em', 'ul', 'ol', 'li', 'code', 'pre', 'a', 'h1', 'h2', 'h3'],
ALLOWED_ATTR: ['href', 'class'],
});
return clean;
}
// Content Security Policy (CSP): Defense in depth
// In helmet() configuration:
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'"], // Remove unsafe-inline once you can
styleSrc: ["'self'", "'unsafe-inline'", 'fonts.googleapis.com'],
fontSrc: ["'self'", 'fonts.gstatic.com'],
imgSrc: ["'self'", 'data:', 'https:'], // Allow HTTPS images
connectSrc: ["'self'", 'https://api.example.com'],
frameAncestors: ["'none'"], // Prevent clickjacking
formAction: ["'self'"],
baseUri: ["'self'"],
objectEmbed: ["'none'"],
upgradeInsecureRequests: [], // Force HTTPS everywhere
},
}));
CORS Configuration
// Don't use wildcard (*) in production!
const corsOptions = {
origin: function (origin, callback) {
const allowedOrigins = [
'https://myapp.com',
'https://www.myapp.com',
'https://staging.myapp.com',
];
// Allow requests from no origin (mobile apps, Postman, etc.)
if (!origin) return callback(null, true);
if (allowedOrigins.indexOf(origin) !== -1 || origin.endsWith('.myapp.com')) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
credentials: true, // Allow cookies/auth headers
methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'],
allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'],
maxAge: 86400, // Preflight cache for 24 hours
optionsSuccessStatus: 204 // No content for preflight
};
app.use(cors(corsOptions));
Rate Limiting: Protect Against Abuse
const rateLimit = require('express-rate-limit');
// Different limits for different endpoints:
const limits = {
// General API: 100 req/min per IP
general: rateLimit({
windowMs: 60 * 1000,
max: 100,
standardHeaders: true,
legacyHeaders: false,
message: { error: 'Too many requests, please try again later' },
}),
// Auth endpoints: stricter (5 req/min per IP)
auth: rateLimit({
windowMs: 60 * 1000,
max: 5,
skipSuccessfulRequests: false, // Count successful login attempts too!
keyGenerator: (req) => req.ip,
handler: (req, res) => {
res.status(429).json({
error: 'Too many attempts. Please wait before trying again.',
retryAfter: Math.ceil(req.rateLimit.resetTime / 1000),
});
},
}),
// Uploads: very strict (10 req/hour per IP)
upload: rateLimit({
windowMs: 60 * 60 * 1000,
max: 10,
}),
};
app.use('/api/', limits.general);
app.use('/api/auth/', limits.auth);
app.use('/api/upload/', limits.upload);
What security practice took you too long to learn? What would you add to this checklist?
Follow @armorbreak for more practical developer guides.
Top comments (0)