Published in


Best practices for new web developers: How to embed more security in your development?

When we talk about Web development, we first think about HTML, CSS, and JavaScript, don’t we?

But for you, new web developers, you need to know that in this universe there is way more to learn. Topics like: accessibility, security, crypto, and best practices for a clean code, are part of the package.

Today, I will talk about how to embed more security in your development. Some little things can take your code to another level. And it can make you stand out from other developers.

Attention with Implementation

1. JavaScript
Don’t use JavaScript to implement important and essential business rules for security. The best option is to validate and replicate the information on the server (backend stage).

Remember Cross-Site Scripting (XSS), validate the application data input so it will not permit JavaScript code in your input fields.

Cross-Site Scripting (XSS): XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end-user. Flaws that allow these attacks to succeed are quite widespread and occur whenever a web application uses input from a user within the output so it generates without validating or encoding it.

2. SQL Injection
What it is: an injection technique that might destroy your database via placement of malicious code in SQL statements and web page input. This is the most common web hacking technique.

Apply security mechanisms to prevent SQL injection attacks.
Use the PreparedStatement class, or frameworks to do a keyword translation so it doesn’t consider part of the SQL command.

How to correct Script Injection and Cross-Site Scripting:
Block any parameter whenever the suspect has the script injected. The implementation of this block may be done with a filter equivalent to the one used to block SQL injection attacks.

Change character words to HTML entities. By the way, the variable content should always be considered text and never a tag or script part.

Use CAPTCHA on forms, mainly for authentications. You can use the app Google authenticator, for example, so the user possesses more security when logging in.

4. Forms
Forcing the user to put a minimum of characters for a password is a good practice because the possibilities needed to crack it increase exponentially with every character used.

Force the user to have numbers, letters, and special characters. This will reduce the possibility of the user having a weak password.

Never expose directly what’s the input user error. Use phrases like “User or password is incorrect”.

5. Classify your application using categories
Classify by Critical, Important and Vulnerable. Having this information will help you to improve development, correction, and the testing process.

6. Tests
Do tests using the low level privileges to anticipate future security errors.

7. Companies
Conduct training for Security Awareness in Web Applications. Everybody needs to know the best practices, for personal and business life.

About Vaultree

Vaultree’s Encryption-in-use enables businesses of all sizes to process (search and compute) fully end-to-end encrypted data without the need to decrypt. Easy to use and integrate, Vaultree delivers peak performance without compromising security, neutralising the weak spots of traditional encryption or other Privacy Enhancing Technology (PET) based solutions. Follow Vaultree on Twitter (@Vaultree), LinkedIn, Reddit (r/Vaultree), or Visit, and sign up for a product demo and our newsletter to stay up to date on product development and company news.



Vaultree’s Encryption-in-use enables businesses of all sizes to process (search and compute) fully end-to-end encrypted data without the need to decrypt.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vaultree Tech Community

Vaultree is a revolutionary encryption startup allowing processing of fully encrypted data at run-time. Let’s create an encrypted tomorrow…together!