Security checklist for developers

Over the years more forms of system attack have been discovered; every day many applications are targeted for stealing credentials, bringing down systems, getting sensitive information…

Gartner said that in 2022 the security market will reach $170.4 billion. Part of that is because we developers do not follow good practices when creating applications, so I decided to create a security checklist which I believe can help protect new applications. If you have anything to add to this list, please comment 👍

Checklist 📋

2️⃣ Do not expose all the data on the endpoint; return just what is needed for your feature.

3️⃣ Avoid XSS; it is the most common vulnerability in systems. XSS lets the attacker run malicious scripts in the victim's browser. To protect your application, enable X-XSS-Protection.

4️⃣ Create levels of access and make sure a user cannot see another user's data. You can use middleware to do that, and a great way is to use OAuth2.

5️⃣ Do not put credentials in the code repository; do not commit .env with real data.

6️⃣ Encrypt JS files on the front-end; I have already seen crackers reverse-engineer them and copy exactly the same feature.

7️⃣ Limit requests to your application; only accept requests from your domain or IP.

8️⃣ Avoid DDoS or brute force: use rate-limiting middleware, e.g. in Node: https://www.npmjs.com/package/express-rate-limit

9️⃣ Validate file extensions when handling uploads; reject executable ones (.JS, .PHP…)

🔟 Hack Yourself — that is a good practice. Try to get access or pass injected params; you will be surprised by the number of loopholes you find.
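Items 2, 8 and 9 put into working code, as an added example that is not part of the original post: plain Node.js with no third-party packages, so it runs offline. The `windowMs`/`max` option names are borrowed from express-rate-limit; the public-field list and the upload extension allowlist are assumed values you would adapt to your own feature.

```javascript
// Added example (not the post's own code). Plain Node.js, no dependencies.

// Item 2: return only the fields the feature needs, never the whole record.
// The field list is an assumption; a real app keeps one per endpoint.
const PUBLIC_USER_FIELDS = ['id', 'displayName'];
function toPublicUser(user) {
  // Builds a fresh object, so passwordHash, email, etc. can never leak through.
  return Object.fromEntries(PUBLIC_USER_FIELDS.map((f) => [f, user[f]]));
}

// Item 8: fixed-window rate limit per client key (IP address, API token...).
// Same idea as express-rate-limit's windowMs/max, in a few lines.
function createRateLimiter({ windowMs, max }) {
  const windows = new Map(); // key -> { start, count }
  return function allow(key, now = Date.now()) {
    const w = windows.get(key);
    if (!w || now - w.start >= windowMs) {
      windows.set(key, { start: now, count: 1 }); // new window for this key
      return true;
    }
    w.count += 1;
    return w.count <= max; // false once the client exceeds max in the window
  };
}

// Item 9: allowlist upload extensions instead of trying to blocklist .js/.php.
// Rules: strip any directory part, reject NUL bytes, require exactly one
// extension (so "a.php.jpg" is refused), compare case-insensitively.
const ALLOWED_UPLOAD_EXT = new Set(['.png', '.jpg', '.jpeg', '.pdf']);
function isAllowedUpload(filename) {
  if (filename.includes('\0')) return false;
  const base = filename.split(/[\\/]/).pop();
  const parts = base.split('.');
  if (parts.length !== 2 || parts[0] === '') return false; // none, double, or dotfile
  return ALLOWED_UPLOAD_EXT.has('.' + parts[1].toLowerCase());
}

module.exports = { toPublicUser, createRateLimiter, isAllowedUpload };
```

Plug `allow(req.ip)` into a middleware and answer 429 when it returns false; call `isAllowedUpload` on the client-supplied name before anything is written to disk.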

End 👋

I’ve always been a curious guy, fascinated by new technologies; that led me to discover programming, and now I’m sharing my experience on Medium.