Lorena C Silva for Vaultree

Best practices for new web developers: How to embed more security in your development?

Hey Vaultrarians!

When we talk about Web development, we first think about HTML, CSS, and JavaScript, don't we?

But as a new web developer, you need to know that there is way more to learn in this universe. Topics like accessibility, security, crypto, and best practices for clean code are part of the package.

Today, I will talk about how to embed more security in your development. A few small things can take your code to another level and make you stand out from other developers.

Pay Attention to Implementation

1. JavaScript
Don't rely on client-side JavaScript to implement business rules that are essential for security. The best option is to replicate the rules and validate the information on the server (the backend).

Remember Cross-Site Scripting (XSS): validate the application's input data so that JavaScript code is not accepted in your input fields.

Cross-Site Scripting (XSS): XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur whenever a web application uses input from a user within the output it generates without validating or encoding it.

2. SQL Injection
What it is: an injection technique that might destroy your database by placing malicious code in SQL statements via web page input. This is the most common web hacking technique.

Apply security mechanisms to prevent SQL injection attacks.
Use the PreparedStatement class, or a framework that translates keywords in the input, so that user-supplied values are never treated as part of the SQL command.

How to correct Script Injection and Cross-Site Scripting:
Block any parameter that is suspected of containing injected script. This block can be implemented with a filter equivalent to the one used to block SQL injection attacks.

Convert special characters to HTML entities. Variable content should always be treated as text, never as part of a tag or script.
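The entity conversion described above, as an added example that is not part of the original post: a vulnerable render function next to a hardened one that encodes every interpolated value. The names `escapeHtml`, `html`, `renderCommentUnsafe` and `renderCommentSafe` are hypothetical, and the sample input is constructed for illustration.

```javascript
// Added example (not from the original post): output encoding so that
// variable content is always rendered as text, never as markup.

// Characters that can open a tag, close a quoted attribute or start an entity.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Convert the special characters of any value to HTML entities.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Tagged template: the literal parts written by the developer pass through
// unchanged, every interpolated (possibly user-controlled) value is encoded.
function html(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

// Vulnerable "before": concatenation lets input become part of the markup.
function renderCommentUnsafe(author, body) {
  return '<p title="' + author + '">' + body + "</p>";
}

// Hardened "after": same markup, but input can only ever be text.
function renderCommentSafe(author, body) {
  return html`<p title="${author}">${body}</p>`;
}

// Constructed sample input: one value aimed at the attribute, one at the body.
const sampleAuthor = 'x" onmouseover="alert(1)';
const sampleBody = "<script>alert(1)</script> Tom & Jerry";

console.log("unsafe:", renderCommentUnsafe(sampleAuthor, sampleBody));
console.log("safe:  ", renderCommentSafe(sampleAuthor, sampleBody));
```

Entity encoding of this kind covers HTML text and quoted attribute values; values placed inside a script block, a URL or CSS need the encoding for that context instead.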

Use CAPTCHA on forms, mainly for authentication. You can use the Google Authenticator app, for example, so the user has more security when logging in.

4. Forms
Requiring a minimum number of characters for a password is a good practice because the number of possibilities needed to crack it increases exponentially with every character used.

Require the password to contain numbers, letters, and special characters. This will reduce the possibility of the user having a weak password.

Never reveal exactly which part of the user's input was wrong. Use phrases like "User or password is incorrect".

5. Classify your application using categories
Classify by Critical, Important, and Vulnerable. Having this information will help you improve the development, correction, and testing processes.

6. Tests
Run tests using low-level privileges to anticipate future security errors.

7. Companies
Conduct Security Awareness training for web applications. Everybody needs to know the best practices, for both personal and business life.

At Vaultree we are building an encrypted future. We love sharing valuable information and trends to help you keep your data safe. Sign up to stay in the loop and discuss the hottest trends in cybersec with a team of experts.
