This article, written last year, is an evergreen primer on a bunch of different issues in web security . https://martinfowler.com/articles/web-security-basics.html
The big bullets:
- Trust
- Reject Unexpected Form Input
- Encode HTML Output
- Bind Parameters for Database Queries
- Protect Data in Transit
- Hash and Salt Your Users’ Passwords
- Authenticate Users Safely
- Protect User Sessions
- Authorize Actions
Detail is given to ideas such as
- User/client input cannot be trusted and so must be validated.
- HTML coding needs to be specified.
- Database query input also needs to be validated before it is run, similar to the first point.
- It is worth it to protect data going over the wire with technologies like SSL and WPS.
- That it is valuable to add extra layers of sophistication when encoding passwords to be sent anywhere.
- That sessions are and the users that use them are worth protecting
- That getting specific authorizations to perform certain actions is another good way to add an extra layer of security.
It is for sure worth the read by pretty much everyone. Since web applications are so tied to our lives these days we as users (and ESPECIALLY as developers) owe it to ourselves and any software we write to adhere to practices like Martin outlines.
aaronjolson 