Over the years, more forms of attack against systems are discovered, and every day many applications are targeted to steal credentials, bring down systems, or obtain sensitive information.
Gartner said that in 2022 the security market will move $170.4 billion. Part of that is because we, developers, do not follow good practices when creating applications, so I decided to create a security checklist which I believe can help protect new applications. If you have anything to add to this list, please comment 👍
1️⃣ Validate input parameters and do not trust them. Handle SQL injection, parameter injection, and command injection; they are an easy way for the cracker to get sensitive information. E.g., for https://yourdomain.com/users/ID, if the cracker changes the ID or any other parameter, the endpoint can return another user's sensitive data.
2️⃣ Do not expose all the data on the endpoint; return just what is needed for your feature.
3️⃣ Avoid XSS; this is the most common vulnerability in systems. XSS allows the cracker to run malicious scripts in the victim's browser. To protect your application, enable X-XSS-Protection (note that current browsers have dropped support for this header, so output encoding and a Content-Security-Policy are what actually stop XSS today).
4️⃣ Create levels of access and make sure a user cannot see another user's data. You can use middleware to do that; a great way is to use OAuth2.
5️⃣ Do not put credentials in the code repository; do not commit a .env with real data.
6️⃣ Obfuscate your front-end JS files. I have already seen crackers reverse-engineer them and copy exactly the same feature.
7️⃣ Limit requests to your application; only accept requests from your domain or IP.
8️⃣ Avoid DDoS and brute force: use rate-limiting middleware, e.g. in Node: https://www.npmjs.com/package/express-rate-limit
9️⃣ Validate file extensions when accepting uploads; avoid executable types (.JS, .PHP, …) and do not rely on the extension alone, since the client controls it.
🔟 Hack yourself: that is a good practice. Try to get access or pass injected parameters, and you will be surprised by the number of loopholes you will find.
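As an added example (not code from the original post), here is how items 1, 2 and 4 combine in a plain JavaScript handler for GET /users/:id. The in-memory user store, the session object shape and the handler signature are assumptions; a real app would wire this into its framework and database.

```javascript
// Constructed in-memory user store standing in for a database table.
// Note the sensitive fields that must never reach the response.
const USERS = new Map([
  [1, { id: 1, email: "alice@example.com", role: "user", passwordHash: "<hash>", ssn: "<ssn>" }],
  [2, { id: 2, email: "bob@example.com", role: "admin", passwordHash: "<hash>", ssn: "<ssn>" }],
]);

// Item 1: validate the :id parameter instead of trusting it.
// Only a positive decimal integer is accepted; anything else (negative
// numbers, "1 OR 1=1", path fragments) is rejected before touching the store.
function parseUserId(raw) {
  if (typeof raw !== "string" || !/^[1-9]\d{0,9}$/.test(raw)) return null;
  return Number(raw);
}

// Item 2: return only the fields this feature needs (an allow-list),
// so new sensitive columns added later are not exposed by accident.
function toPublicUser(user) {
  return { id: user.id, email: user.email };
}

// Item 4: a user may read only their own record; admins may read any.
// `session` is assumed to be set by an authentication middleware (e.g. OAuth2).
function canReadUser(session, targetId) {
  return session.role === "admin" || session.userId === targetId;
}

// Pure request handler: takes the session and the raw :id string and returns
// { status, body }, so it can be unit-tested without a running server.
function getUserHandler(session, rawId) {
  const id = parseUserId(rawId);
  if (id === null) return { status: 400, body: { error: "invalid id" } };
  if (!session) return { status: 401, body: { error: "unauthenticated" } };
  // 404 rather than 403 for other users' ids, so the response does not
  // confirm which ids exist.
  if (!canReadUser(session, id)) return { status: 404, body: { error: "not found" } };
  const user = USERS.get(id);
  if (!user) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: toPublicUser(user) };
}
```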
Thanks for reading!