Web Security: OWASP Top 10 and How to Fix Them (2026)

Security isn't a feature you add later — it's built into every layer. Here's how the top 10 vulnerabilities work and how to prevent them.

#1 Broken Access Control

// ❌ Vulnerable: User can access anyone's data
app.get('/api/users/:id', (req, res) => {
  const user = await db.users.findById(req.params.id);
  res.json(user); // No check if requester owns this data!
});

// ✅ Secure: Always verify ownership
app.get('/api/users/:id', async (req, res) => {
  // Check: Is the logged-in user requesting their OWN data?
  if (req.params.id !== req.user.id && req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Access denied' });
  }

  const user = await db.users.findById(req.params.id);
  res.json(user);
});

// ✅ Better: Use middleware for all protected routes
const requireOwnership = (resourceType) => async (req, res, next) => {
  const resource = await db[resourceType].findById(req.params.id);
  if (!resource) return res.status(404).json({ error: 'Not found' });

  if (resource.userId !== req.user.id && req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Access denied' });
  }

  req.resource = resource; // Attach for route handler
  next();
};

app.get('/api/posts/:id', auth, requireOwnership('posts'), (req, res) => {
  res.json(req.resource);
});

#2 Cryptographic Failures

// ❌ Storing passwords in plain text or weak hashing
const password = "password123";
db.users.insert({ email, password }); // NEVER DO THIS!

// ✅ Proper password hashing with bcrypt
const bcrypt = require('bcrypt');
const SALT_ROUNDS = 12; // Higher = slower = more secure (12 is good balance)

async function hashPassword(password) {
  return bcrypt.hash(password, SALT_ROUNDS);
}

async function comparePassword(password, hash) {
  return bcrypt.compare(password, hash); // Handles salt automatically
}

// Usage:
const hashedPassword = await hashPassword("user_password");
// $2b$12$N9qo8uLOickG2SODUUS... (60 chars, includes salt + hash)

const isValid = await comparePassword(input, hashedPassword);

// ❌ Using MD5/SHA1 for passwords (too fast, vulnerable to rainbow tables)
const md5Hash = crypto.createHash('md5').update(password).digest('hex');
// Cracked in milliseconds with rainbow tables

// ✅ For data encryption (not passwords!):
const crypto = require('crypto');

function encrypt(text, key) {
  const iv = crypto.randomBytes(16); // Unique IV per encryption!
  const cipher = crypto.createCipheriv('aes-256-gcm', Buffer.from(key), iv);
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  const authTag = cipher.getAuthTag();
  return { encrypted, iv: iv.toString('hex'), authTag: authTag.toString('hex') };
}

function decrypt(encryptedData, key) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm',
    Buffer.from(key),
    Buffer.from(encryptedData.iv, 'hex')
  );
  decipher.setAuthTag(Buffer.from(encryptedData.authTag, 'hex'));
  let decrypted = decipher.update(encryptedData.encrypted, 'hex', 'utf8');
  decrypted += decipher.final('utf8');
  return decrypted;
}

// ⚠️ Key management:
// - Never hardcode keys in source code!
// - Use environment variables or secrets manager (AWS KMS, HashiCorp Vault)
// - Rotate keys regularly

#3 Injection (SQL, NoSQL, Command)

// === SQL Injection ===
// ❌ String concatenation in queries
app.get('/search', (req, res) => {
  db.query(`SELECT * FROM products WHERE name LIKE '%${req.query.q}%'`);
  // Attacker sends q = "'; DROP TABLE users; --"
  // Result: SELECT * FROM products WHERE name LIKE ''; DROP TABLE users; --'
});

// ✅ Parameterized queries (always!)
app.get('/search', async (req, res) => {
  const results = await db.query(
    'SELECT * FROM products WHERE name LIKE ?',
    [`%${req.query.q}%`]  // Safely escaped by driver
  );
  res.json(results);
});

// With ORM (even safer):
const results = await Product.findAll({
  where: {
    name: { [Op.like]: `%${req.query.q}%` }
  }
});

// === NoSQL Injection ===
// ❌ Passing user input directly to MongoDB query
app.post('/login', async (req, res) => {
  const user = await db.collection('users').findOne({
    username: req.body.username,
    password: req.body.password
  });
  // Attacker sends: username: {"$gt": ""}, password: {"$gt": ""}
  // Matches ANY document!

  // ✅ Use strict equality checks
  const user = await db.collection('users').findOne({
    username: req.body.username,
    password: req.body.password
  }, {
    // Disable operators that could be exploited
    sanitizeFilter: true  // MongoDB option
  });

  // Or use a library like mongo-sanitize:
  const sanitize = require('mongo-sanitize');
  const cleanInput = sanitize(req.body);
});

// === Command Injection ===
// ❌ Running shell commands with user input
const { exec } = require('child_process');
app.get('/ping', (req, res) => {
  exec(`ping -c 4 ${req.body.ip}`, (err, stdout) => {
    res.send(stdout);
  });
  // Attacker sends ip = "127.0.0.1; rm -rf /"
  // Executes BOTH commands!
});

// ✅ Validate input strictly (allowlist approach)
const VALID_IP_REGEX = /^(\d{1,3}\.){3}\d{1,3}$/;

app.get('/ping', (req, res) => {
  if (!VALID_IP_REGEX.test(req.body.ip)) {
    return res.status(400).json({ error: 'Invalid IP address' });
  }
  exec(`ping -c 4 ${req.body.ip}`, (err, stdout) => {
    res.send(stdout);
  });
});

#4 Insecure Design

// ❌ Design flaw: Password reset token is predictable
function generateResetToken() {
  return Math.random().toString(36).substring(7); // Weak randomness!
}

// ✅ Design fix: Use cryptographically secure random tokens
const crypto = require('crypto');

function generateResetToken() {
  return crypto.randomBytes(32).toString('hex'); // 64 hex chars, unpredictable
}

// Store with expiry:
await db.passwordResets.insert({
  userId,
  token: generateResetToken(),
  expiresAt: Date.now() + 15 * 60 * 1000, // 15 minutes
  used: false
});

// ❌ Design flaw: Rate limiting on client side only
// <button onclick="submitForm()">Submit</button>
// <script>let clicks=0; function submitForm(){if(clicks<5){clicks++; ...}}</script>
// Attacker just ignores JavaScript and sends unlimited requests.

// ✅ Server-side rate limiting:
const rateLimit = require('express-rate-limit');

const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5,                    // Max 5 attempts per IP
  message: { error: 'Too many attempts. Try again in 15 minutes.' },
  standardHeaders: true,
  legacyHeaders: false,
});
app.post('/api/login', loginLimiter, handleLogin);

// ❌ Design flaw: No account lockout after failed attempts
// Brute force can try billions of combinations over time

// ✅ Account lockout mechanism:
async function handleFailedLogin(userId) {
  const attempts = await incrementLoginAttempts(userId);

  if (attempts >= 5) {
    await lockAccount(userId, 30 * 60 * 1000); // Lock for 30 minutes
    sendSecurityEmail(userId, 'Account locked due to suspicious activity');
  }
}

#5 Security Misconfiguration

// ❌ Exposing stack traces in production
app.use((err, req, res, next) => {
  res.status(500).json({ error: err.message, stack: err.stack });
  // Reveals file paths, library versions, internal structure!

  // ✅ Generic error in production, details in logs
  const isDev = process.env.NODE_ENV !== 'production';
  res.status(err.statusCode || 500).json({
    error: isDev ? err.message : 'Internal server error',
    ...(isDev && { stack: err.stack }),
    incidentId: generateIncidentId(), // For support lookup
  });
  logger.error(`[${incidentId}]`, err.stack); // Details go to logs only
});

// ❌ Missing security headers
// Without headers: Clickjacking possible, MIME sniffing, etc.

// ✅ Add security headers with Helmet:
const helmet = require('helmet');
app.use(helmet());
// Adds:
// X-Frame-Options: DENY (prevents clickjacking)
// X-Content-Type-Options: nosniff (prevents MIME sniffing)
// X-XSS-Protection: mode=block
// Referrer-Policy: strict-origin-when-cross-origin
// Content-Security-Policy (configurable)
// Strict-Transport-Security (HTTPS enforcement)

// Custom CSP configuration:
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "cdn.example.com"],
    styleSrc: ["'self'", "'unsafe-inline'"], // Needed for some CSS frameworks
    imgSrc: ["'self'", "data:", "https:"],
    fontSrc: ["'self'"],
    connectSrc: ["'self'", "api.example.com"],
    frameAncestors: ["'none'"], // Prevents clickjacking
    formAction: ["'self'"],
    upgradeInsecureRequests: [], // Force HTTPS
  },
}));

// ❌ Debug endpoints left enabled in production
if (process.env.DEBUG) {
  app.get('/debug/routes', (req, res) => res.json(app._router.stack));
  app.get('/debug/env', (req, res) => res.json(process.env));
}
// Forgets to disable DEBUG in production → leaks everything!

// ✅ Environment-based feature flags:
const debugRoutes = express.Router();
debugRoutes.get('/routes', (req, res) => res.json(app._router.stack));

if (process.env.NODE_ENV === 'development') {
  app.use('/debug', debugRoutes);
}
// Production simply doesn't mount these routes at all.

#6 Vulnerable & Outdated Components

# The problem: Dependencies have known vulnerabilities
# Attackers scan for outdated packages with public CVEs

# Check your dependencies:
npm audit              # Shows known vulnerabilities
npm audit --fix        # Auto-fixes where possible (patch/minor updates)

# Automated scanning in CI:
# .github/workflows/security.yml
name: Security Audit
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - run: npm audit --audit-level=moderate
      # Fails CI if moderate+ severity vulns found

# Lockfile integrity:
npm ci               # Uses package-lock.json exactly (reproducible installs)
# vs npm install     # May update versions (unpredictable!)

# Regular dependency updates:
# Use Dependabot (GitHub native), Renovate, or Snyk
# Set up weekly PRs for dependency updates

#7 Authentication Failures

// ❌ Weak session management
app.post('/login', (req, res) => {
  const token = jwt.sign({ userId: user.id }, SECRET_KEY);
  res.json({ token }); // Never expires!
});

// ✅ Secure JWT implementation
const jwt = require('jsonwebtoken');

function generateTokens(user) {
  const accessToken = jwt.sign(
    { userId: user.id, role: user.role },
    process.env.JWT_SECRET,
    { expiresIn: '15m' } // Short-lived access token
  );

  const refreshToken = crypto.randomBytes(40).toString('hex');
  // Store refresh token in DB with expiry
  await db.refreshTokens.insert({
    token: refreshToken,
    userId: user.id,
    expiresAt: Date.now() + 7 * 24 * 60 * 60 * 1000, // 7 days
  });

  return { accessToken, refreshToken };
}

// Token refresh endpoint:
app.post('/refresh', async (req, res) => {
  const { refreshToken } = req.body;
  const stored = await db.refreshTokens.findOne({ token: refreshToken });

  if (!stored || stored.expiresAt < Date.now() || stored.revoked) {
    return res.status(401).json({ error: 'Invalid or expired refresh token' });
  }

  const user = await db.users.findById(stored.userId);
  const tokens = generateTokens(user);

  // Revoke old refresh token
  await db.refreshTokens.update(stored.id, { revoked: true });

  res.json(tokens);
});

// ❌ Allowing weak passwords
if (password.length >= 6) accept(); // Too short!

// ✅ Password strength requirements:
function validatePasswordStrength(password) {
  const issues = [];
  if (password.length < 12) issues.push('At least 12 characters');
  if (!/[a-z]/.test(password)) issues.push('One lowercase letter');
  if (!/[A-Z]/.test(password)) issues.push('One uppercase letter');
  if (!/\d/.test(password)) issues.push('One number');
  if (!/[!@#$%^&*]/.test(password)) issues.push('One special character');

  // Also check against common/breached passwords
  if (COMMON_PASSWORDS.includes(password.toLowerCase())) {
    issues.push('This password is too common');
  }

  return issues.length === 0 ? null : issues;
}

#8 Data Integrity Failures

// ❌ Trusting client-side data blindly
app.post('/api/orders', (req, res) => {
  const { total, items } = req.body;
  // Client sent total = $0.01 for $1000 worth of items!
  createOrder(total, items);
});

// ✅ Server-side validation and recalculation
app.post('/api/orders', auth, async (req, res) => {
  const { items } = req.body;

  // Validate each item exists and price is current
  const validatedItems = [];
  for (const item of items) {
    const product = await Product.findById(item.productId);
    if (!product || !product.active) {
      return res.status(400).json({ error: `Invalid product: ${item.productId}` });
    }

    // Recalculate price from DB (never trust client's price!)
    validatedItems.push({
      productId: item.productId,
      quantity: Math.min(item.quantity, product.maxOrderQuantity),
      unitPrice: product.price, // From database, not request!
      subtotal: product.price * Math.min(item.quantity, product.maxOrderQuantity)
    });
  }

  const total = validatedItems.reduce((sum, i) => sum + i.subtotal, 0);
  const order = await Order.create({ userId: req.user.id, items: validatedItems, total });

  res.status(201).json(order);
});

// ❌ Missing data integrity checks (race conditions)
// Two simultaneous requests both read balance=100, both deduct 50
// Final balance: 50 instead of 0 (should be -100 which should be rejected!)

// ✅ Database transactions with proper isolation
async function transferFunds(fromId, toId, amount) {
  const result = await db.transaction(async (trx) => {
    // Acquire row-level lock (SELECT FOR UPDATE prevents concurrent reads)
    const fromAccount = await trx('accounts')
      .where('id', fromId)
      .forUpdate()          // Row lock!
      .first();

    if (fromAccount.balance < amount) {
      throw new Error('Insufficient funds');
    }

    await trx('accounts')
      .where('id', fromId)
      .decrement('balance', amount);

    await trx('accounts')
      .where('id', toId)
      .increment('balance', amount);

    return { success: true };
  });

  return result;
}

Quick Security Checklist

Before deploying any application:

Authentication & Authorization
☐ Passwords hashed with bcrypt/scrypt/Argon2 (min 12 rounds)
☐ JWT access tokens expire in ≤15 minutes
☐ Refresh tokens stored securely, revocable
☐ Every API endpoint checks authorization
☐ Rate limiting on all auth endpoints
☐ Account lockout after failed attempts

Input Validation
☐ All inputs validated server-side (not just client-side)
☐ SQL: parameterized queries always
☐ NoSQL: operator sanitization / strict schema
☐ Shell: allowlist validation for command args
☐ File uploads: type + size limits + virus scan

Data Protection
☐ HTTPS everywhere (HSTS enabled)
☐ Sensitive data encrypted at rest
☐ PII fields identified and protected
☐ Logs don't contain sensitive data
☐ Database transactions for financial operations

Infrastructure
☐ Security headers set (Helmet/CSP)
☐ Error messages generic in production
☐ Dependencies scanned (npm audit)
☐ Debug endpoints disabled in production
☐ CORS configured correctly (not '*')

Monitoring
☐ Failed login attempt alerts
☐ Unusual traffic pattern detection
☐ Security event logging (who did what when)
☐ Incident response plan documented

---

What's the most common security issue YOU see in codebases? What tools do you use for security scanning?

Follow @armorbreak for more practical developer guides.