Below are things to do to secure your web application
- The database user the application connects with should only have access to INSERT, SELECT, UPDATE and DELETE, not other database operations like DROP, CREATE, etc.
- Use reCAPTCHA once the number of wrong login attempts exceeds x times
- Never display the id in the URL; use a hashed id instead – check out hashids.org
- Always check that a user can't view, access or update any data that does not belong to him/her, especially on a multi-tenant system
- Force a minimum password length of 8 characters. Better to also require numbers, capital letters and special symbols
- If you use cookies, make sure you don't save sensitive data in them, and always store something encrypted that must be decrypted by the server before it can be used. For example, for a "remember me" cookie, use the user's IP plus the username to construct an encrypted "token" to be stored in the cookie.
- Check input again on the back end even if it has already been checked on the front end using JavaScript
- Make 2FA (two-factor authentication) available for users to choose
- Use SSL/HTTPS
- Always use production-standard settings, not development-standard settings. For example, never display detailed errors to users, such as an SQL error that shows table and field names.
- Give developers/admins different usernames and restrict each account's access to only what that person needs to do
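The multi-tenant ownership check from the list above, as an added example (not code from the original post): a lookup that filters by id only is shown beside one that scopes both reads and updates to the caller's tenant inside the query itself. The `invoices` schema, the session dict and the sample rows are constructed assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data: two tenants (100 and 200) with one invoice each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant_id INTEGER, owner_id INTEGER, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?, ?)",
        [(1, 100, 7, 250), (2, 200, 9, 999)],
    )
    conn.commit()
    return conn


def get_invoice_unscoped(conn, invoice_id):
    """Insecure: looks up by id only, so any logged-in user of any tenant
    can read (and, with a matching UPDATE, change) another tenant's row."""
    sql = "SELECT id, tenant_id, owner_id, amount FROM invoices WHERE id = ?"
    return conn.execute(sql, (invoice_id,)).fetchone()


def get_invoice(conn, session, invoice_id):
    """Scoped: the tenant taken from the server-side session is part of the
    WHERE clause, so a foreign id simply matches nothing."""
    sql = ("SELECT id, tenant_id, owner_id, amount FROM invoices "
           "WHERE id = ? AND tenant_id = ?")
    row = conn.execute(sql, (invoice_id, session["tenant_id"])).fetchone()
    if row is None:
        # Same answer for "does not exist" and "belongs to someone else",
        # so the response does not reveal which ids exist in other tenants.
        return None
    return {"id": row[0], "tenant_id": row[1], "owner_id": row[2], "amount": row[3]}


def update_invoice_amount(conn, session, invoice_id, amount):
    """Scoped update: returns the number of rows changed (0 if the invoice
    is not in the caller's tenant), so callers can detect the refused write."""
    sql = "UPDATE invoices SET amount = ? WHERE id = ? AND tenant_id = ?"
    cur = conn.execute(sql, (amount, invoice_id, session["tenant_id"]))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    tenant_a_user = {"user_id": 7, "tenant_id": 100}
    print(get_invoice_unscoped(db, 2))            # leaks tenant 200's invoice
    print(get_invoice(db, tenant_a_user, 2))      # None
    print(update_invoice_amount(db, tenant_a_user, 2, 1))  # 0 rows changed
```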