Common Security Mistakes Developers Make (and How to Avoid Them)
Security is not optional.
Many beginner developers fall into the same traps, unintentionally exposing their users, data, and applications to dangerous vulnerabilities.
In this post, we'll explore the most frequent security mistakes, why they're dangerous, and how to prevent them like a pro.
1. Storing Passwords in Plain Text
The mistake
Saving passwords directly in the database without any encryption or hashing.
The risk
If your system gets compromised, all user credentials are exposed instantly.
The fix
Always hash passwords using strong, slow algorithms designed for the job, like bcrypt or argon2. Avoid old or broken ones like MD5 or SHA-1; they are fast general-purpose hashes, not password hashes.
```javascript
const bcrypt = require('bcrypt');
async function hashPassword(plainTextPassword) { // await needs an async function in CommonJS code
  return await bcrypt.hash(plainTextPassword, 10); // cost factor 10; bcrypt adds a random salt itself
}
```
2. Saving Tokens in localStorage
The mistake
Storing authentication tokens (like JWTs) in localStorage.
The risk
They're vulnerable to XSS (Cross-Site Scripting) attacks: any malicious script running on the page can read them.
The fix
Use HTTP-only cookies to store sensitive tokens. They can't be accessed by JavaScript, which reduces XSS risk.
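What an HTTP-only session cookie looks like on the wire, as an added example that is not part of the original post: one helper serialises the `Set-Cookie` value with the attributes that keep the token away from page scripts, and another parses the incoming `Cookie` header on the server. The cookie name `__Host-session` and the lifetime are assumed values; the `__Host-` prefix is a real browser convention that forces `Secure` and `Path=/`.

```javascript
// Added example, not from the original post: building and parsing a session
// cookie that page JavaScript cannot read. Name and max-age are assumed values.
function buildSessionCookie(name, token, { maxAgeSeconds = 3600 } = {}) {
  // A token containing separators could smuggle extra attributes into the header.
  if (!/^[A-Za-z0-9._~-]+$/.test(token)) throw new Error('token contains unsafe characters');
  return [
    `${name}=${token}`,
    'HttpOnly',          // not readable via document.cookie
    'Secure',            // only sent over HTTPS
    'SameSite=Strict',   // not attached to cross-site requests (CSRF defence)
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// Cookie to send on logout: same name and attributes, expired immediately.
function clearSessionCookie(name) {
  return `${name}=; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=0`;
}

// Minimal parser for an incoming "Cookie: a=1; b=2" header.
function parseCookieHeader(header) {
  const cookies = Object.create(null); // no prototype, so "__proto__" is an ordinary key
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key && !(key in cookies)) cookies[key] = value; // first occurrence wins
  }
  return cookies;
}

module.exports = { buildSessionCookie, clearSessionCookie, parseCookieHeader };
```

In Express the result goes into `res.setHeader('Set-Cookie', buildSessionCookie('__Host-session', token))`; the browser then sends the cookie back on its own, and `localStorage` is never involved.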
3. Not Validating or Sanitizing User Input
The mistake
Trusting any data that comes from the user, especially in forms, query strings, or body payloads.
The risk
Vulnerabilities like SQL injection, XSS, and mass assignment become possible.
The fix
Always validate inputs on both the frontend and the backend using libraries like Yup, Joi, or express-validator.
Escape or sanitize data before inserting it into the database.
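What a validation library does for you, as an added example that is not part of the original post and not Yup, Joi or express-validator code: every field is checked against explicit rules, and only fields named in the schema are copied into the cleaned object, so an extra key such as `isAdmin` never reaches the database (the mass-assignment case the post mentions). The registration schema and its field names are assumed values.

```javascript
// Added example, not from the original post: a small allowlist validator.
// REGISTRATION_SCHEMA is an assumed schema for illustration.
const REGISTRATION_SCHEMA = {
  email:       { type: 'string', required: true,  maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  password:    { type: 'string', required: true,  minLength: 12, maxLength: 128 },
  displayName: { type: 'string', required: false, maxLength: 50 },
};

// Own-property check that is not fooled by inherited keys like "__proto__".
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function validate(schema, input) {
  const errors = [];
  const value = {};
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'], value };
  }
  for (const [field, rule] of Object.entries(schema)) {
    if (!hasOwn(input, field)) {
      if (rule.required) errors.push(`${field} is required`);
      continue;
    }
    const v = input[field];
    if (typeof v !== rule.type) { errors.push(`${field} must be a ${rule.type}`); continue; }
    if (rule.minLength !== undefined && v.length < rule.minLength) errors.push(`${field} must be at least ${rule.minLength} characters`);
    if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${field} must be at most ${rule.maxLength} characters`);
    if (rule.pattern && !rule.pattern.test(v)) errors.push(`${field} has an invalid format`);
    value[field] = v; // only schema fields are ever copied across
  }
  // Anything not in the schema is reported and dropped, never copied.
  const unknown = Object.keys(input).filter((k) => !hasOwn(schema, k));
  if (unknown.length > 0) errors.push(`unexpected fields: ${unknown.join(', ')}`);
  return { ok: errors.length === 0, errors, value };
}

// Escape for HTML output; encoding on the way out is what stops stored XSS.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

module.exports = { REGISTRATION_SCHEMA, validate, escapeHtml };
```

Use `validate(...).value`, never the raw `req.body`, when building the database record; for the SQL injection case the companion rule is parameterized queries, which keep user data out of the query text entirely.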
4. Hardcoding Secrets in the Codebase
The mistake
Placing API keys, database credentials, or other secrets directly in the code, or uploading .env files to GitHub.
The risk
Anyone with access to your repo (or a leaked copy of it) can steal sensitive credentials.
The fix
Use .env files to store secrets locally and reference them with process.env.
Never push .env files to version control; always add them to .gitignore.
5. No Rate Limiting on Login and APIs
The mistake
Leaving critical endpoints (like login forms or APIs) open without any throttling.
The risk
Attackers can brute-force passwords or flood your server with requests.
The fix
Apply rate-limiting middleware such as express-rate-limit in Node.js.
```javascript
const express = require('express');
const rateLimit = require('express-rate-limit');
const app = express();
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15-minute window
  max: 100                  // at most 100 requests per client IP per window
});
app.use(limiter); // or app.use('/login', limiter) to protect just the login route
```
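What such middleware does underneath, as an added example that is not part of the original post and not express-rate-limit's code: a fixed-window counter per client key that answers 429 with a `Retry-After` header once the budget is spent. The clock is injectable so the window behaviour can be exercised without waiting; the memory-pruning threshold is an assumed value. Counters live in process memory, so behind a load balancer each instance keeps its own count and a shared store would be needed.

```javascript
// Added example, not from the original post: a fixed-window rate limiter in
// plain Node with an injectable clock. The 10000-entry prune threshold is an
// assumed value.
function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const buckets = new Map(); // key -> { windowStart, count }

  // Drop expired windows so many distinct clients cannot grow memory forever.
  function prune(t) {
    for (const [key, b] of buckets) {
      if (t - b.windowStart >= windowMs) buckets.delete(key);
    }
  }

  return function check(key) {
    const t = now();
    if (buckets.size > 10000) prune(t);
    let bucket = buckets.get(key);
    if (!bucket || t - bucket.windowStart >= windowMs) {
      bucket = { windowStart: t, count: 0 }; // start a new window
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.windowStart + windowMs - t,
    };
  };
}

// Express-style middleware: keys on client IP and rejects with 429 when the
// budget is exhausted. req.ip is only trustworthy behind a configured proxy.
function rateLimitMiddleware(options) {
  const check = createRateLimiter(options);
  return (req, res, next) => {
    const result = check(req.ip);
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.statusCode = 429;
      res.end('Too many requests');
      return;
    }
    next();
  };
}

module.exports = { createRateLimiter, rateLimitMiddleware };
```

For a login form a much lower `max` (single digits per window) keyed on both IP and username is the usual choice; the example keeps the generic per-IP key from the post.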
6. Not Using HTTPS
The mistake
Serving websites or APIs over unencrypted HTTP.
The risk
Any data in transit can be intercepted, modified, or stolen.
The fix
Always use HTTPS in production environments.
Obtain and install SSL certificates from trusted authorities like Let's Encrypt.
7. Ignoring Dependency Vulnerabilities
The mistake
Using outdated packages with known security issues.
The risk
Attackers can exploit bugs in your dependencies to compromise your application.
The fix
Regularly scan and update your dependencies with npm audit or similar tools.
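Turning the scan into a gate, as an added example that is not part of the original post: a function that reads the JSON produced by `npm audit --json` and fails when any finding is at or above a chosen severity, so a CI step can block the merge instead of relying on someone reading the report. The report shape assumed here (top-level `vulnerabilities` keyed by package, each with `severity`, `isDirect` and `fixAvailable`) is the npm 7+ format as I understand it; `SAMPLE_REPORT` is constructed data, not a real audit.

```javascript
// Added example, not from the original post: a CI gate over `npm audit --json`.
// Report field names are assumed from the npm 7+ format; SAMPLE_REPORT is constructed.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function summarizeAudit(report, failOn = 'high') {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  const findings = Object.values(report.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= threshold)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),            // direct dependency vs. transitive
      fixAvailable: v.fixAvailable !== false, // npm reports false when no fix exists yet
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { pass: findings.length === 0, findings };
}

// Renders one line per finding and returns the process exit code a CI step
// should use (0 = pass, 1 = block).
function auditGate(jsonText, failOn = 'high') {
  const { pass, findings } = summarizeAudit(JSON.parse(jsonText), failOn);
  const lines = findings.map((f) =>
    `${f.severity.padEnd(8)} ${f.name}${f.direct ? ' (direct)' : ''}${f.fixAvailable ? '' : ' [no fix available]'}`);
  return { exitCode: pass ? 0 : 1, lines };
}

// Constructed sample report (not real packages or advisories).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'pad-helper':  { name: 'pad-helper',  severity: 'low',      isDirect: true,  fixAvailable: true },
    'old-parser':  { name: 'old-parser',  severity: 'critical', isDirect: false, fixAvailable: false },
    'json-tool':   { name: 'json-tool',   severity: 'high',     isDirect: true,  fixAvailable: true },
  },
};

module.exports = { SEVERITY_RANK, summarizeAudit, auditGate, SAMPLE_REPORT };
```

In a pipeline this would be fed with the real report (`npm audit --json > audit.json`, then `auditGate(fs.readFileSync('audit.json', 'utf8'))`) and the step exits with the returned code; `npm audit` itself also exposes `--audit-level` for the same purpose.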
8. No Content Security Policy (CSP)
The mistake
Not setting a Content Security Policy (CSP) for your frontend.
The risk
Leaves your app vulnerable to Cross-Site Scripting (XSS) attacks, because the browser will run any script that lands in the page.
The fix
Use a strong CSP header in your server configuration.
Here's an example using Helmet middleware in Express.js:
```javascript
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],                          // fallback for every resource type
    scriptSrc: ["'self'", "https://trusted.cdn.com"] // scripts only from the app itself and one CDN
  }
}));
```
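The two server-side headers from sections 6 and 8 built by hand, as an added example that is not part of the original post and not Helmet's code: `buildCsp` turns the same directives object shown above into the `Content-Security-Policy` header value Helmet would emit, and `httpsRedirect` decides whether a request must be redirected to HTTPS before the app sees it, with HSTS set on the secure response. `CANONICAL_HOST` is an assumed value; it is used instead of the request's `Host` header so a forged `Host` cannot steer the redirect to another site.

```javascript
// Added example, not from the original post and not Helmet's code: CSP header
// construction plus an HTTPS redirect with HSTS. CANONICAL_HOST is assumed.
const CANONICAL_HOST = 'example.com';

// { defaultSrc: ["'self'"] } -> "default-src 'self'"
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => {
      const directive = name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
      return [directive, ...sources].join(' ');
    })
    .join('; ');
}

// Returns null when the request already arrived over TLS (directly, or via a
// proxy we trust to set X-Forwarded-Proto); otherwise status and Location.
function httpsRedirect(req, { trustProxy = false } = {}) {
  let proto = req.socket && req.socket.encrypted ? 'https' : 'http';
  if (trustProxy && req.headers['x-forwarded-proto']) {
    proto = String(req.headers['x-forwarded-proto']).split(',')[0].trim().toLowerCase();
  }
  if (proto === 'https') return null;
  return {
    status: req.method === 'GET' || req.method === 'HEAD' ? 301 : 308, // 308 preserves method and body
    location: `https://${CANONICAL_HOST}${req.url}`,
  };
}

function securityHeaders(directives) {
  return {
    'Content-Security-Policy': buildCsp(directives),
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', // browsers remember to use HTTPS
    'X-Content-Type-Options': 'nosniff',
  };
}

// Express-style middleware tying the two together.
function secureTransport(directives, options) {
  return (req, res, next) => {
    const redirect = httpsRedirect(req, options);
    if (redirect) {
      res.writeHead(redirect.status, { Location: redirect.location });
      res.end();
      return;
    }
    for (const [header, value] of Object.entries(securityHeaders(directives))) res.setHeader(header, value);
    next();
  };
}

module.exports = { buildCsp, httpsRedirect, securityHeaders, secureTransport };
```

Only enable `trustProxy` when a load balancer you control terminates TLS in front of the app; otherwise any client can claim `X-Forwarded-Proto: https` and skip the redirect.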
If you found this helpful, leave a ❤️ or share it with a fellow developer!
Security starts from awareness. Stay safe out there.