Web Application Security Practices Every Developer Must Know

How to secure your web application from cyber attacks

Manusha Chethiyawardhana
Jun 12 · 4 min read
Image for post
Image for post
Photo by sebastiaan stam on Unsplash

Nowadays, web applications are certainly a critical aspect of business and everyday life. As a result of this increased popularity, the security of these web applications is of great concern. However, while developing, developers often ignore or fail to take due account of the security risks of the web app. The “2020 SonicWall Cyber Threat Report” revealed that there was a 52 percent increase in cyber attacks on web applications in 2019. The report stated that by the end of the year, the number of web app attacks had reached more than 40 million.

So, developers should always try to make their app as secure as possible. In this article, I will discuss the major vulnerabilities that could be found in web apps and the best practices to avoid them.


The OWASP Top Ten

Developers are not security experts, which is why compilations such as the Open Web Application Security Project (OWASP) Top Ten list are here to help them. Every few years, OWASP publishes detailed analysis, guidance, and warnings on a wide range of networking, cloud, and security issues. Below is a chart of the most common OWASP Top Ten vulnerabilities that occurred in 2019.

Image for post
Image for post
Screenshot of Web Applications vulnerabilities and threats: statistics for 2019 by Author

From the chart, you can see that the most commonly encountered Web app vulnerabilities in 2019 were due to Security Misconfigurations. Cross-Site Scripting (XSS) and Broken Authentication are also very common vulnerabilities. Let’s see what actions developers should take to avoid and minimize these vulnerabilities.


Use SSL (HTTPS) Encryption

Secure Sockets Layer (SSL) is a technology used to establish an encrypted link between a web server and a web browser. This ensures that the information transmitted between the browser and the webserver remains private. You must always use SSL encryption when transferring sensitive information such as credit card information and personal data, as well as when using user authentication.

Securing Cookies

One out of every five tested applications contained vulnerabilities allowing the hackers to attack a user session, such as sensitive cookies without the HttpOnly and Secure flags.

Most web-apps use cookies to store different types of user-session information. However, developers often forget to set secure and HttpOnly flags on these cookies. These flags are not true by default, so they must be explicitly set to true. The cookie will only be sent via HTTPS when a secure flag is used. Therefore, hackers will not be able to read the cookie data. JavaScript will not be able to read the cookie when using the HttpOnly flag. So it’s going to prevent XSS attacks.

Encode and Escape Untrusted Data

Untrusted data could be anything that the user inputs or controls the value of. Encoding and escaping are defensive techniques designed to stop injection attacks. Encoding, also known as Output Encoding, is done by translating special characters into a different form that would not be dangerous to our application. For example, when writing to an HTML page, translate the < character into the &lt; string. Most of the web frameworks have an HTML escape method for some characters.

Contextual output encoding is a key security programming technique needed to stop XSS. Attackers use XSS to inject client-side scripts into user-viewed web pages. The different types of encoding used to build secure user interfaces in web apps include HTML Element Encoding, HTML Attribute Encoding, JavaScript Encoding, CSS Encoding, and URL Encoding. You can learn how to use them from the OWASP XSS Prevention Cheat Sheet.

Input Validation

Developers must always validate user inputs so that only properly-formed data can pass through the web app workflow. You should always validate inputs on both the client and server sides, as the client-side validation can be easily bypassed by attackers. When validating, check whether the data is in the form expected and also within the acceptable range. Although input validation helps prevent some attacks, it does not always ensure that data is secure, as some inputs, such as an email address, may contain a SQL injection attack or a valid URL that may contain an XSS attack. That’s why we need to use methods such as encoding and escaping.

Use Secure Authentication Methods

Broken Authentication is ranked 2nd in the OWASP Top Ten. So, as developers, we need to take strong steps to prevent this. Many developers would agree that single-factor authentication is long dead. So always use multi-factor authentication when developing your web app. Always limit the number of authentication attempts the user gets. Otherwise, an attacker will be able to brute-force the credential and access the web application.


Finally, I suggest using tools like OWASP Dependency-Check and Retire. JS to identify project dependencies and check for any known, publicly disclosed vulnerabilities in any third-party code libraries. That’s all for this article. I hope that this will help you make your web app more secure.

Thank you for reading and happy coding!


JavaScript In Plain English

New JavaScript + Web Development articles every day.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store