
15 Security Tips for Web Developers to Secure their Application


A new dynamic, revenue-generating website appears on the internet every minute. Do you know how many lines of code are written in a day? Over 500 million! Yes, really: millions of lines of web application code are written every day across the globe.

How securely is your team coding, then? That is the most important question. Does your team know the simple best practices that make a web app secure? Here is a checklist that can help your team build robust and secure applications.

1) Sanitize inputs on the client side as well as on the server side. Do not allow special characters, null characters, or unexpected scripts. This step helps prevent XSS and various injection attacks such as SQL injection.

  • You can’t just sanitize on the client side and assume you are secure. Anyone can turn off JavaScript or change the values before submitting them to your server.
  • Use Strict Contextual Escaping (SCE); most JavaScript frameworks these days help you with this escaping. It helps avoid major XSS and SQL injection attacks.

2) Always encode requests and responses. In particular, the response sent from the server to the client should be encoded so that the browser does not execute it if it contains a payload. This prevents XSS and other script-based attacks.

3) Always use HTTPS for all domain entries. The domain entered in the URL bar should be checked and redirected properly, since the user might type it in any of the following ways:

  • http://www.example.com
  • example.com
  • http://example.com

Entering the URL in any of the above ways should redirect to https://www.example.com

4) Do not use obsolete encryption and hashing algorithms like MD4, MD5, SHA1, DES.

5) Configure the web server to disallow directory listing.

6) Do not store sensitive data like usernames and passwords inside cookies. Never use default session cookie names like PHPSESSID or ASP.NET_SessionId; use custom names instead.

7) Check the randomness of the session identifier and make sure the session expires after logout and after idle time. Expired sessions must no longer be usable for future client-to-server transactions.

8) Always set the Secure and HttpOnly flags on cookies.

9) Use TLS, not SSL. Disable SSL on the server and always use TLS 1.2.

10) Always enforce a strong password policy and add measures such as CAPTCHA to mitigate brute-force attacks. Default passwords and other generated user-related values must be truly random.

11) Hidden form fields should not contain sensitive information. Make sure no sensitive information is collected through hidden fields.

12) File uploads should be validated properly, not only on the client side but also on the server side, because client-side validation alone is not sufficient: an attacker can intercept the traffic and change the file type or content. Verify file extensions and file size properly. Do not accept password-protected zips or PDFs. Put a CAPTCHA on every file upload page.

13) Use the following response headers on every response:

  • strict-transport-security: max-age=7776000
  • x-content-type-options: nosniff
  • x-frame-options: SAMEORIGIN
  • x-xss-protection: 1; mode=block

14) Make sure that any third-party libraries or plugins used inside the application are free from known vulnerabilities. For information on existing CVEs, visit https://cve.mitre.org/.

15) Do not display web server information in response headers.
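As an added example (not code from the original article), the following framework-agnostic Python helpers implement tips 3, 6, 8, 13 and 15 from the checklist: the canonical HTTPS redirect, a session cookie with a custom name and the Secure/HttpOnly flags, the fixed security headers, and removal of server-identifying headers. The function names, the canonical host www.example.com and the cookie name app_sid are assumptions.

```python
from http.cookies import SimpleCookie
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed canonical host for tip 3 (taken from the article's example).
CANONICAL_HOST = "www.example.com"
BARE_HOST = "example.com"

# Tip 13: the four headers the article lists, to be sent on every response.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=7776000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

# Tip 15: headers that reveal the web server or framework and should be dropped.
FINGERPRINT_HEADERS = {"server", "x-powered-by"}


def canonical_redirect(url: str) -> Optional[str]:
    """Tip 3: return the https://www.example.com URL to redirect to, or None if
    the request already uses the canonical form (or is for some other host)."""
    if "://" not in url:            # a bare 'example.com' reaches us as plain http
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https" and host == CANONICAL_HOST:
        return None
    if host not in (CANONICAL_HOST, BARE_HOST):
        return None                 # not our domain: nothing to redirect
    return urlunsplit(("https", CANONICAL_HOST, parts.path or "/", parts.query, ""))


def harden_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Tips 13 and 15: strip fingerprinting headers, then add the fixed set."""
    cleaned = {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}
    cleaned.update(SECURITY_HEADERS)
    return cleaned


def session_cookie(session_id: str, name: str = "app_sid") -> str:
    """Tips 6 and 8: custom cookie name (not PHPSESSID/ASP.NET_SessionId), only an
    opaque session id as the value, and Secure + HttpOnly set (name is assumed)."""
    cookie = SimpleCookie()
    cookie[name] = session_id
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()
```

Call harden_headers on every outgoing response and session_cookie when issuing a session; canonical_redirect is applied to the request URL before any other handling.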

