04-07-2025 10:25 AM
Secure coding practices: how to avoid common vulnerabilities
Don't trust input
Any data that crosses a trust boundary is potentially unsafe. This includes not only forms and HTTP request bodies, but also files, headers, cookies, query strings, command line arguments, and even database content, which may have been written by a user earlier.
• Validate all input: by type, length, value range, and format.
• Use an allow-list (whitelisting) approach: accept only values that are explicitly permitted, and reject unknown fields rather than silently ignoring them.
• When working with JSON, use schema validators such as Ajv, Joi, or zod rather than ad-hoc checks.
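The following is an added example, not code from the original post: an allow-list validator for a JSON request body written in plain Node.js so it runs without dependencies. The field names, limits and the set of accepted roles are assumptions for illustration; in a real service you would express the same rules as an Ajv, Joi or zod schema. Rejecting unknown fields is what makes it an allow-list, and it also catches keys such as "__proto__" that JSON.parse produces as own properties.

```javascript
// Added example: allow-list validation of a JSON body (hypothetical registration endpoint).
const USERNAME_RE = /^[a-z0-9_]{3,32}$/;
// Deliberately simple e-mail shape check: one "@", no whitespace, bounded length.
const EMAIL_RE = /^[^\s@]{1,64}@[^\s@]{1,255}$/;
const ALLOWED_ROLES = new Set(['user', 'editor']); // assumed: self-registration never yields admin

// Schema: every accepted field is listed explicitly with its own check.
const registrationSchema = {
  username: (v) => typeof v === 'string' && USERNAME_RE.test(v),
  email:    (v) => typeof v === 'string' && EMAIL_RE.test(v),
  age:      (v) => Number.isInteger(v) && v >= 13 && v <= 120,
  role:     (v) => typeof v === 'string' && ALLOWED_ROLES.has(v),
};

function validate(schema, body) {
  const errors = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  // Reject unknown keys. JSON.parse creates "__proto__" or "constructor" as ordinary
  // own properties; dropping them here prevents prototype pollution when the object
  // is later merged into another one.
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  // Every declared field must be present and pass its check (type, range, format).
  for (const [key, check] of Object.entries(schema)) {
    if (!Object.prototype.hasOwnProperty.call(body, key)) {
      errors.push(`missing field: ${key}`);
    } else if (!check(body[key])) {
      errors.push(`invalid value for: ${key}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Entry point: raw request text in, decision out. Malformed JSON is just another
// rejected input, not an exception that escapes to the error handler.
function parseRegistration(rawJson) {
  let body;
  try {
    body = JSON.parse(rawJson);
  } catch {
    return { ok: false, errors: ['malformed JSON'] };
  }
  return validate(registrationSchema, body);
}

module.exports = { validate, parseRegistration, registrationSchema };
```

The check for `"age": "30"` (a string) fails on type even though the value "looks" numeric; coercing instead of rejecting is how range checks get bypassed.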
Control the output
Cross-site scripting (XSS) remains one of the most common vulnerabilities in web applications. Any user data written into HTML must be encoded for the context it lands in (element text, attribute value, URL, JavaScript).
• Escape all user data before displaying it, using the encoding for the output context. Escaping alone does not make a URL safe, so allow-list the scheme (http/https) for href and src values.
• Avoid innerHTML, inline event handlers, and inline scripts when inserting data; use textContent and setAttribute, or a templating engine that escapes by default.
• Implement a Content Security Policy (CSP) that blocks inline scripts and scripts from untrusted origins; it limits the damage when an escaping bug slips through.
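The following is an added example, not code from the original post: a comment renderer in its vulnerable and hardened forms, plus a CSP value. The comment template, the field names and the CSP string are illustrative assumptions; the hostile comment is constructed sample input. It shows the two things escaping must cover separately: encoding for text/attribute context, and scheme allow-listing for URLs, which escaping cannot fix.

```javascript
// Added example: context-aware output encoding for a hypothetical comment widget.

// Escape for HTML text and double-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escaping does not neutralise "javascript:alert(1)" in an href: no character in it
// needs escaping. Allow-list the scheme instead and return null for anything else.
function safeHttpUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
  } catch {
    return null; // not parseable as a URL at all
  }
}

// The vulnerable pattern: user-controlled fields concatenated straight into markup.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><a href="${comment.website}">${comment.author}</a>: ${comment.text}</div>`;
}

// The hardened version: every dynamic value is encoded for the context it lands in,
// and a link is emitted only when the URL passed the scheme allow-list.
function renderComment(comment) {
  const author = escapeHtml(comment.author);
  const text = escapeHtml(comment.text);
  const href = safeHttpUrl(comment.website);
  const name = href ? `<a href="${escapeHtml(href)}">${author}</a>` : author;
  return `<div class="comment">${name}: ${text}</div>`;
}

// Assumed CSP for the page: no inline scripts, no scripts from other origins, no
// plugins, no <base> hijacking. An injected <script> or onerror= handler that
// survives an escaping bug will be blocked by the browser rather than executed.
const CONTENT_SECURITY_POLICY =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed sample input: a comment that executes in the unsafe template.
const HOSTILE_COMMENT = {
  author: 'mallory',
  website: 'javascript:alert(document.cookie)',
  text: '<img src=x onerror="alert(1)">',
};

module.exports = { escapeHtml, safeHttpUrl, renderCommentUnsafe, renderComment, CONTENT_SECURITY_POLICY, HOSTILE_COMMENT };
```

The header would be sent as `Content-Security-Policy: <value>`; start with `Content-Security-Policy-Report-Only` on an existing application to find inline scripts that the policy would break before enforcing it.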
Errors and Logs
Verbose error messages and stack traces are useful during development, but in production they leak internals (file paths, library versions, query text, hostnames) to attackers.
• Disable verbose error messages in production: return a generic message plus a correlation ID, and keep the details in server-side logs.
• Exclude sensitive data from logs: passwords, session tokens, API keys, Authorization and Cookie headers.
• Log enough for diagnostics, but nothing that helps an attacker.
Store secrets properly
Secrets are not only passwords, but also API keys, tokens, signing keys, and connection strings.
• Never store secrets in source code or in .env files committed to version control. A secret that has been committed stays in the history, so treat it as leaked and rotate it.
• Use specialized secrets management systems: HashiCorp Vault, AWS Secrets Manager, Doppler, and others.
• Encrypt secrets both at rest and in transit, and inject them into the application at runtime rather than baking them into builds or container images.
Minimize the attack surface
The fewer exposed entry points, the fewer places an attacker can probe.
• Remove unused endpoints, debug routes, and dev tools before release.
• Implement access control by roles and privilege levels.
• Put internal APIs and administrative interfaces behind authentication and network restrictions (VPN, IP allow-lists), not just behind obscure URLs.
Update dependencies
Vulnerabilities often enter through third-party libraries, even when your own code is written securely.
• Set up automated dependency updates and vulnerability monitoring.
• Use tools such as npm audit, pip-audit, Snyk, and Renovate.
• Pay attention to transitive dependencies and to the provenance of packages: who publishes them and where they are downloaded from.
Separate authentication and authorization
Authentication answers the question of who you are; authorization answers what you are allowed to do. Both are critical, and they are separate checks: a valid session says nothing about whether this user may touch this resource.
• Perform every access-rights check on the server side, on every request.
• Do not rely on client-side logic (hidden buttons, disabled menu items, a role field in the request body) to restrict access.
• Use an access control model, RBAC or ABAC, matched to the complexity of the project.
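The following is an added example, not code from the original post, covering both the attack-surface section above (role-based access with server-side checks) and this one (authentication and authorization as separate steps). The role table, the in-memory session and post stores, and the request shape are constructed assumptions standing in for a session store, a database and a web framework.

```javascript
// Added example: authentication first, then authorization, all on the server.

// Assumed role-to-permission table. "post:delete:own" is an ownership-scoped
// permission (ABAC-style attribute check); "post:delete:any" is pure RBAC.
const ROLE_PERMISSIONS = {
  user:   new Set(['post:read', 'post:create', 'post:delete:own']),
  editor: new Set(['post:read', 'post:create', 'post:delete:any']),
  admin:  new Set(['post:read', 'post:create', 'post:delete:any', 'user:manage']),
};

// Constructed sample data standing in for a session store and a database.
const SESSIONS = {
  's-alice': { id: 'u1', role: 'user' },
  's-bob':   { id: 'u2', role: 'editor' },
};
const POSTS = {
  p1: { id: 'p1', ownerId: 'u1' },
  p2: { id: 'p2', ownerId: 'u9' },
};

// Authentication: who is this? The identity and role come from the server-side
// session, never from anything the client put in the request body.
function authenticate(req) {
  const sid = req.cookies && req.cookies.session;
  return sid && SESSIONS[sid] ? SESSIONS[sid] : null;
}

// Authorization: may this user delete this post? Unknown roles get no permissions.
function canDeletePost(user, post) {
  const perms = ROLE_PERMISSIONS[user.role] || new Set();
  if (perms.has('post:delete:any')) return true;
  return perms.has('post:delete:own') && post.ownerId === user.id;
}

// DELETE /posts/:id. 401 when there is no identity, 403 when the identity is known
// but not permitted; the actual database delete would follow the final check.
function handleDeletePost(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: 'authentication required' };

  const post = POSTS[req.params.id];
  if (!post) return { status: 404, body: 'not found' };

  if (!canDeletePost(user, post)) return { status: 403, body: 'forbidden' };

  // req.body.role, req.body.isAdmin etc. were never consulted above: a client
  // claiming "role": "admin" changes nothing.
  return { status: 204, body: '' };
}

module.exports = { ROLE_PERMISSIONS, authenticate, canDeletePost, handleDeletePost };
```

Returning 404 rather than 403 for resources the caller may not even know exist is a reasonable variant; the important part is that the decision is made here, from server-held state, for every request.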
Avoid homemade cryptography
Cryptography is an area where "writing it yourself" almost always means creating a vulnerability.
• Use proven libraries and protocols: the platform's crypto module or a well-reviewed library, never a custom cipher, hash, or comparison routine.
• Do not generate keys or tokens with non-cryptographic generators (Math.random(), rand(), etc.); use the platform's CSPRNG, such as crypto.randomBytes in Node.js or the secrets module in Python.
• Use standardized solutions for authentication and authorization: OAuth 2.0, OpenID Connect, JWT (with proven implementations, and with the accepted signing algorithm pinned on the verifying side).
Security is not a brake on development, but rather the protection of your time, budget, and reputation. Typical vulnerabilities rarely arise due to malicious actions — much more often they appear due to haste, habit, or lack of basic code hygiene. Invest in security at the development stage — and this will save you many problems in the future.