DEV Community

Elsayed zewayed

Common Security Mistakes Developers Make (and How to Avoid Them)

🚨 Security is not optional.

Many beginner developers fall into the same traps, unintentionally exposing their users, their data, and their applications to dangerous vulnerabilities.

In this post, we’ll explore the most frequent security mistakes, why they’re dangerous, and how to prevent them like a pro.


1. ❌ Storing Passwords in Plain Text

The mistake

Saving passwords in the database as-is, without hashing them (or "encrypting" them with a reversible cipher, which is not much better: whoever obtains the key gets every password back).

The risk

If your database is ever dumped (SQL injection, a leaked backup, a stolen laptop), every user's password is immediately usable, on your site and on every other site where that user reused it.

✅ The fix

Always hash passwords with a slow, salted password-hashing function such as bcrypt, scrypt, or Argon2id. These are deliberately expensive and generate a random salt per password, so identical passwords produce different hashes and an attacker cannot test billions of guesses per second.

Avoid general-purpose hashes such as MD5, SHA-1, and even SHA-256 for this job: they are fast and unsalted, which is exactly what makes a leaked table crackable. One bcrypt caveat worth knowing: it only looks at the first 72 bytes of the input.

```js
const bcrypt = require('bcrypt');
const hashedPassword = await bcrypt.hash(plainTextPassword, 10); // cost factor 10; the salt is generated and stored inside the hash
// On login, verify with bcrypt.compare instead of re-hashing and comparing strings yourself.
const ok = await bcrypt.compare(candidatePassword, hashedPassword);
```

2. ❌ Saving Tokens in localStorage

The mistake

Storing authentication tokens (such as JWTs) in localStorage or sessionStorage.

The risk

Any JavaScript running in your origin can read Web Storage. That includes an XSS payload or a compromised third-party script, and a token copied out this way keeps working from the attacker's machine until it expires.

✅ The fix

Store session tokens in cookies flagged HttpOnly (not readable by script), Secure (sent only over HTTPS), and SameSite=Lax or Strict, with a short lifetime. Two caveats: cookies are attached to requests automatically, so state-changing endpoints need CSRF protection (SameSite plus a CSRF token), and an XSS payload can still call your API from inside the page while the victim has it open. HttpOnly prevents token theft; it does not make XSS harmless.
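Added example (not from the original post) of what "use an HttpOnly cookie" looks like in the actual Set-Cookie header, plus a small check you can run against responses in an integration test. The cookie name, lifetime, and SameSite default are assumptions made here.

```javascript
// Build the Set-Cookie value for a session token. The name, lifetime and SameSite
// default are assumptions for this example.
function sessionCookie(token, { name = '__Host-session', maxAgeSeconds = 15 * 60, sameSite = 'Lax' } = {}) {
  // Cookie values cannot contain whitespace, ';', ',' or '"'; restrict to a safe token alphabet.
  if (!/^[A-Za-z0-9._~+/=-]+$/.test(token)) throw new Error('token contains characters not allowed in a cookie value');
  if (!['Lax', 'Strict'].includes(sameSite)) throw new Error('session cookies should be SameSite=Lax or Strict');
  // The __Host- prefix makes the browser refuse the cookie unless it is Secure,
  // has Path=/ and no Domain attribute, so a subdomain cannot plant a look-alike.
  return `${name}=${token}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Check a Set-Cookie value (for example from a response in an integration test)
// and return the protections it is missing.
function auditSetCookie(header) {
  const [, ...attrParts] = header.split(';');
  const attrs = new Map(attrParts.map((a) => {
    const [k, v = ''] = a.trim().split('=');
    return [k.toLowerCase(), v];
  }));
  const missing = [];
  if (!attrs.has('httponly')) missing.push('HttpOnly: document.cookie can read it, so an XSS payload can steal it');
  if (!attrs.has('secure')) missing.push('Secure: it will be sent over plain HTTP');
  const sameSite = (attrs.get('samesite') || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') missing.push('SameSite=Lax or Strict: cross-site requests will carry it (CSRF)');
  return missing;
}
```

In Express the equivalent is res.cookie(name, token, { httpOnly: true, secure: true, sameSite: 'lax', maxAge }), which emits the same header. The audit function is the kind of assertion worth keeping in your test suite so a refactor cannot quietly drop a flag.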


3. ❌ Not Validating or Sanitizing User Input

The mistake

Trusting any data that comes from the user β€” especially in forms, query strings, or body payloads.

The risk

Vulnerabilities such as SQL injection, XSS, command injection, and mass assignment (a request body setting fields like isAdmin because the whole object was saved) become possible.

✅ The fix

Validate every input on the backend; frontend validation is for user experience only, since an attacker can call your API directly. Schema libraries such as Yup, Joi, or express-validator make this declarative: type, length, format, and allowed values.

Validation alone is not enough. Use parameterized queries (prepared statements) so data can never become part of the SQL, encode output for the context it is rendered in (HTML, attribute, URL, JavaScript) rather than "sanitizing" it on the way into the database, and copy only an allow-list of fields from the request into your models.
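Added example (not code from the original post) showing the three defences side by side: the concatenated query that makes injection possible next to its parameterized form, a server-side validator standing in for a Joi/Yup schema, an allow-list against mass assignment, and HTML output encoding at render time. The { text, values } query shape is what node-postgres accepts; the field names and limits are assumptions.

```javascript
// VULNERABLE (kept only to show the failure): user input concatenated into SQL.
// An email of  ' OR '1'='1  turns the WHERE clause into a tautology.
function findUserUnsafe(email) {
  return `SELECT id, email FROM users WHERE email = '${email}'`;
}

// SAFE: a parameterized query. The SQL text and the values travel separately, so
// input can never change the statement's structure. The { text, values } shape is
// what node-postgres accepts; other drivers use '?' placeholders and an array.
function findUserSafe(email) {
  return { text: 'SELECT id, email FROM users WHERE email = $1', values: [email] };
}

// Server-side validation; this hand-rolled check stands in for a Joi/Yup schema.
// Returns the names of invalid fields (an empty array means the body is valid).
function validateSignup(body) {
  const errors = [];
  const email = body.email;
  if (typeof email !== 'string' || email.length > 254 || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push('email');
  const pw = body.password;
  if (typeof pw !== 'string' || pw.length < 12 || pw.length > 128) errors.push('password');
  return errors;
}

// Mass-assignment defence: copy only the fields a client may set. A body carrying
// { isAdmin: true } has that field dropped instead of landing in the database.
const SIGNUP_FIELDS = ['email', 'password', 'displayName'];
function pickAllowed(body, allowed = SIGNUP_FIELDS) {
  return Object.fromEntries(allowed
    .filter((k) => Object.prototype.hasOwnProperty.call(body, k))
    .map((k) => [k, body[k]]));
}

// Output encoding for an HTML text context, applied at render time. Encoding before
// storage corrupts the data and still misses the other contexts (attributes, URLs, JS).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}
```

Note that the safe query function never inspects the email for quotes: the driver's parameter binding makes escaping unnecessary, which is why "escape before inserting" is the wrong mental model.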


4. ❌ Hardcoding Secrets in the Codebase

The mistake

Placing API keys, database credentials, or secrets directly in the code or uploading .env files to GitHub.

The risk

Anyone with access to your repo (or a leak) can steal sensitive credentials.

✅ The fix

Load secrets from the environment (process.env) rather than from code. Locally a .env file is convenient; in production, inject them through your platform's secret store or environment configuration.

Never commit .env files: add them to .gitignore and commit a .env.example with placeholder values instead. If a secret has already been pushed, rotate it immediately. Removing it from the working tree does not remove it from git history, forks, or clones.
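Added example (not from the original post) of the two checks that back up this advice: a scanner you can run over staged files before a commit, and a config loader that reads process.env and fails at startup when a required secret is missing. The AWS access-key-ID prefix and the PEM header are well-known formats; the generic assignment rule is a heuristic, and the sample files and required variable names are constructed for the example.

```javascript
// Patterns for common secret shapes. The AWS key prefix and the PEM header are
// well-known formats; the generic rule is a heuristic and will have false positives,
// which is acceptable for a pre-commit check a developer can consciously override.
const SECRET_PATTERNS = [
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: 'Hard-coded credential assignment', re: /\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['"][^'"]{8,}['"]/i },
];

// Files where placeholder values are expected (example list).
const ALLOWED_FILES = [/\.env\.example$/, /\.md$/];

// Scan { path: contents } pairs; returns one finding per matching line and rule.
function findSecrets(files) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    if (ALLOWED_FILES.some((re) => re.test(path))) continue;
    contents.split('\n').forEach((line, i) => {
      for (const { name, re } of SECRET_PATTERNS) {
        if (re.test(line)) findings.push({ file: path, line: i + 1, rule: name });
      }
    });
  }
  return findings;
}

// Read configuration from the environment and fail fast on anything missing, so a
// misconfigured deploy dies at startup instead of with a confusing error under load.
function loadConfig(env, required = ['DATABASE_URL', 'SESSION_SECRET']) {
  const missing = required.filter((k) => !env[k]);
  if (missing.length) throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  return Object.fromEntries(required.map((k) => [k, env[k]]));
}

// Constructed sample of "staged files" for the example (the AWS key is the
// documented example key, not a live credential).
const SAMPLE_FILES = {
  'src/db.js': "const url = process.env.DATABASE_URL; // fine\nconst apiKey = 'sk_live_0123456789abcdef'; // not fine\n",
  'config/aws.json': '{ "accessKeyId": "AKIAIOSFODNN7EXAMPLE" }\n',
  '.env.example': 'SESSION_SECRET="change-me-please"\n',
};
```

Run findSecrets over the output of git diff --cached in a pre-commit hook and refuse the commit on any finding. Keep the loader's error message to variable names only; never log the values.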


5. ❌ No Rate Limiting on Login and APIs

The mistake

Leaving critical endpoints (like login forms or APIs) open without any throttling.

The risk

Attackers can brute-force passwords or flood your server with requests.

✅ The fix

Apply rate-limiting middleware such as express-rate-limit in Node.js, with a much stricter limit on login and password-reset endpoints than on the rest of the API.

```js
const rateLimit = require('express-rate-limit');

// Global limiter: 100 requests per client IP per 15 minutes.
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  standardHeaders: true, // send RateLimit-* headers so well-behaved clients can back off
  legacyHeaders: false
});
app.use(limiter);
// Behind a reverse proxy, call app.set('trust proxy', 1) first, or every client shares the proxy's IP.
```
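Added example (not the original post's code, and not express-rate-limit) showing what a login limiter has to do that a single per-IP middleware does not: count attempts per target account as well as per source IP, so credential stuffing spread over many addresses is still caught. It is a plain in-memory fixed-window counter with an injectable clock; the thresholds are assumptions.

```javascript
// Fixed-window counter keyed by any string (client IP, account name, or both).
// `now` is injectable so the behaviour can be tested without waiting 15 minutes.
class FixedWindowLimiter {
  constructor({ windowMs, max, now = () => Date.now() }) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;
    this.buckets = new Map(); // key -> { windowStart, count }
  }

  // Record one attempt for `key`; returns { allowed, remaining, retryAfterMs }.
  hit(key) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket || t - bucket.windowStart >= this.windowMs) {
      bucket = { windowStart: t, count: 0 };
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= this.max;
    return {
      allowed,
      remaining: Math.max(0, this.max - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.windowStart + this.windowMs - t,
    };
  }
}

// Login gets two independent limits: per source IP (one host hammering you) and
// per target account (credential stuffing spread across many IPs, which a purely
// IP-keyed limiter never notices). Thresholds are assumptions for the example.
function makeLoginGuard(now = () => Date.now()) {
  const perIp = new FixedWindowLimiter({ windowMs: 15 * 60 * 1000, max: 20, now });
  const perAccount = new FixedWindowLimiter({ windowMs: 15 * 60 * 1000, max: 5, now });
  return function checkLogin(ip, username) {
    const byIp = perIp.hit(`ip:${ip}`);
    const byAccount = perAccount.hit(`acct:${username.trim().toLowerCase()}`);
    if (byIp.allowed && byAccount.allowed) return { allowed: true, retryAfterMs: 0 };
    return { allowed: false, retryAfterMs: Math.max(byIp.retryAfterMs, byAccount.retryAfterMs) };
  };
}
```

When the guard refuses, answer 429 with a Retry-After header derived from retryAfterMs. An in-memory Map is fine for a single process; with several instances, or across restarts, back the counters with a shared store such as Redis, and evict expired buckets so the map does not grow forever.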

6. ❌ Not Using HTTPS

The mistake

Serving websites or APIs over unencrypted HTTP.

The risk

Any data in transit can be intercepted, modified, or stolen.

✅ The fix

Serve everything over HTTPS in production and redirect plain-HTTP requests to it. Once a client is on HTTPS, send a Strict-Transport-Security (HSTS) header so the browser stops trying HTTP for that host.

Obtain TLS certificates from a trusted CA such as Let's Encrypt and automate renewal; an expired certificate is an outage. Make sure the TLS configuration disables obsolete protocol versions and cipher suites.
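Added example (not the original post's code) of the two server-side pieces that go with the certificate: redirecting plain HTTP to HTTPS, and sending HSTS once the connection is encrypted. It also covers two pitfalls practitioners hit here: trusting X-Forwarded-Proto from any client, and building the redirect target from an unvalidated Host header. The request objects are plain stand-ins for Node's http.IncomingMessage; rejecting non-GET requests over HTTP with 403 and the allowedHosts option are design choices made for this example.

```javascript
// One year, subdomains included. Add 'preload' only once you are ready for the browser preload lists.
const HSTS_VALUE = 'max-age=31536000; includeSubDomains';

// Was this request made over TLS? Behind a reverse proxy the socket is plain HTTP and
// the proxy sets X-Forwarded-Proto, but that header is only trustworthy when a known
// proxy overwrites it; a client talking to Node directly can forge it.
function isSecureRequest(req, { trustProxy = false } = {}) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  return proto === 'https';
}

// Decide what a middleware should do: redirect to https, reject, or serve with HSTS.
// Non-GET/HEAD requests over HTTP are rejected rather than redirected (a choice made
// here): a 301 would silently turn a POST into a GET, and the body has already crossed
// the network in clear text. allowedHosts stops a forged Host header from turning the
// redirect into an open redirect.
function enforceHttps(req, { trustProxy = false, allowedHosts = null } = {}) {
  const host = req.headers.host;
  if (!host) return { action: 'reject', status: 400 };
  if (allowedHosts && !allowedHosts.includes(host)) return { action: 'reject', status: 400 };
  if (!isSecureRequest(req, { trustProxy })) {
    if (req.method !== 'GET' && req.method !== 'HEAD') return { action: 'reject', status: 403 };
    return { action: 'redirect', status: 301, location: `https://${host}${req.url}` };
  }
  return { action: 'serve', headers: { 'Strict-Transport-Security': HSTS_VALUE } };
}
```

Wire this into a middleware that performs the returned action; HSTS must only ever be sent on the HTTPS response, which is why the redirect branch carries no headers.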


7. ❌ Ignoring Dependency Vulnerabilities

The mistake

Using outdated packages with known security issues.

The risk

Attackers can exploit bugs in your dependencies to compromise your application.

✅ The fix

Keep dependencies current and scan them on every build. Commit your lockfile so the tree you audited is the tree you deploy, and run:

```shell
npm audit
```

npm audit fix applies the non-breaking upgrades; fail the CI build when high or critical findings remain, and review the rest on a schedule.

Or tools like:
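Added example (not from the original post) of the CI gate implied above: a script that reads the JSON that npm audit --json produces (report version 2, one entry per affected package with severity, isDirect, and fixAvailable) and returns a non-zero exit status when anything at or above a chosen severity remains. The report below is constructed for the example and its package names are made up.

```javascript
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Walk the `vulnerabilities` map of an `npm audit --json` report (auditReportVersion 2:
// one entry per affected package, with severity, isDirect and fixAvailable) and return
// the packages at or above the threshold, worst first.
function failingVulnerabilities(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const failing = [];
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[v.severity] ?? -1) >= min) {
      failing.push({
        name,
        severity: v.severity,
        isDirect: Boolean(v.isDirect),         // listed in package.json, or pulled in transitively
        fixAvailable: Boolean(v.fixAvailable), // npm reports false, true, or an object describing the fix
      });
    }
  }
  return failing.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
}

// Exit status for a CI step: 0 when clean at the threshold, 1 otherwise.
function auditExitCode(report, threshold = 'high') {
  return failingVulnerabilities(report, threshold).length === 0 ? 0 : 1;
}

// One line per finding for the build log.
function formatFindings(findings) {
  return findings.map((f) =>
    `${f.severity.toUpperCase().padEnd(8)} ${f.name}${f.isDirect ? ' (direct)' : ''}${f.fixAvailable ? '' : '  [no fix available]'}`);
}

// Constructed sample report (package names are made up), trimmed to the fields used above.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-padder': { name: 'example-padder', severity: 'low', isDirect: false, fixAvailable: true },
    'example-parser': { name: 'example-parser', severity: 'high', isDirect: true, fixAvailable: { name: 'example-parser', version: '2.0.0', isSemVerMajor: true } },
    'example-transitive-dep': { name: 'example-transitive-dep', severity: 'critical', isDirect: false, fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};
```

To use it in a pipeline, parse the output of npm audit --json, print formatFindings, and call process.exit(auditExitCode(report)). A finding with no fix available is the case that needs a human decision: pin a patched fork, remove the dependency, or document an accepted risk with an expiry date.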


8. ❌ No Content Security Policy (CSP)

The mistake

Not setting a Content Security Policy (CSP) for your frontend.

The risk

Leaves your app vulnerable to Cross-Site Scripting (XSS) attacks.

✅ The fix

Send a strict Content-Security-Policy header from the server. Start from default-src 'self', allow scripts only from your own origin and named hosts, and avoid 'unsafe-inline' (use nonces or hashes for inline scripts instead). Roll it out with Content-Security-Policy-Report-Only first to find what it would break. CSP is defence in depth: it limits what an injected script can do, it does not replace output encoding.

Here's an example using Helmet middleware in Express.js:

```js
const helmet = require('helmet');

app.use(helmet.contentSecurityPolicy({
  // Helmet merges these with its defaults (which already include object-src 'none'
  // and base-uri 'self') unless useDefaults is set to false.
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "https://trusted.cdn.com"], // no 'unsafe-inline'
    objectSrc: ["'none'"],
    frameAncestors: ["'none'"] // also covers clickjacking
  }
}));
```

👨‍💻 If you found this helpful, leave a ❤️ or share it with a fellow developer!

Security starts from awareness. Stay safe out there.
