Security Best Practices
Apply these security principles when developing backend services, microservices, and any code handling sensitive data or external inputs.
Input Validation and Sanitization
- •Apply input validation and sanitization rigorously, especially on inputs from external sources
- •Validate all user inputs at the boundary of your application
- •Use allowlists over denylists when validating input
- •Sanitize data before storing or displaying to prevent injection attacks
- •Implement strict type checking and schema validation
Authentication and Authorization
- •Use secure defaults for JWT, cookies, and configuration settings
- •Implement proper token expiration and refresh mechanisms
- •Store secrets securely using environment variables or secret management services
- •Never hardcode credentials or API keys in source code
- •Use secure password hashing algorithms (bcrypt, Argon2)
Permission Boundaries
- •Isolate sensitive operations with clear permission boundaries
- •Apply the principle of least privilege throughout the system
- •Implement role-based access control (RBAC) where appropriate
- •Audit and log access to sensitive resources
- •Use separate service accounts for different components
Resilience and Protection
- •Implement retries, exponential backoff, and timeouts on all external calls
- •Deploy circuit breakers and rate limiting for service protection
- •Consider distributed rate-limiting to prevent abuse across services (e.g., using Redis)
- •Implement request throttling to prevent denial of service
- •Use connection pooling with appropriate limits
Secure Configuration
- •Use HTTPS/TLS for all network communications
- •Configure secure HTTP headers (HSTS, CSP, X-Frame-Options)
- •Disable verbose error messages in production
- •Keep dependencies updated and scan for vulnerabilities
- •Use secure defaults and fail securely
Error Handling
- •Implement comprehensive error handling throughout the application
- •Never expose stack traces or internal details to end users
- •Log security-relevant events with appropriate detail
- •Propagate context appropriately for debugging while maintaining security
- •Handle authentication and authorization failures gracefully
Secrets Management
- •Use environment variables or dedicated secrets managers
- •Rotate credentials and keys regularly
- •Implement proper key management practices
- •Avoid logging sensitive information
- •Use encryption at rest for sensitive data storage
SQL Injection Prevention
- •Use parameterized queries or prepared statements
- •Never concatenate user input into SQL queries
- •Use ORM features that automatically escape values
- •Validate and sanitize all database inputs
- •Limit database user permissions
Cross-Site Scripting (XSS) Prevention
- •Escape all output rendered in HTML
- •Use Content Security Policy headers
- •Sanitize user-generated content before display
- •Use framework-provided escaping functions
- •Avoid innerHTML and similar dangerous APIs
Cross-Site Request Forgery (CSRF) Prevention
- •Implement CSRF tokens for state-changing operations
- •Verify origin and referer headers
- •Use SameSite cookie attribute
- •Require re-authentication for sensitive actions
- •Implement proper session management
API Security
- •Implement API authentication (JWT, API keys, OAuth)
- •Use rate limiting to prevent abuse
- •Validate request content types
- •Implement request size limits
- •Log API access for auditing
Dependency Security
- •Regularly audit dependencies for vulnerabilities
- •Use lockfiles to ensure consistent versions
- •Remove unused dependencies
- •Monitor security advisories for your stack
- •Implement automated vulnerability scanning in CI/CD