Tag Archives: web application security

Securing a web application

Below are things to do to secure your web application:

  1. The database account the application connects with should only have INSERT, SELECT, UPDATE and DELETE privileges on the tables it needs. Do not grant DDL or administrative statements such as DROP, CREATE or ALTER; if an injection does slip through, the damage is then limited to data rather than the whole schema.
  2. Show a CAPTCHA (for example reCAPTCHA) once failed login attempts for an account or source IP exceed a threshold of x attempts, to slow down password guessing.
  3. Never expose raw sequential database ids in URLs; use an opaque or hashed id instead (see hashids.org). Note that Hashids is obfuscation, not access control: anyone who knows the salt can reverse it, so item 4 still applies in full.
  4. Always check that a user cannot view, access or update data that does not belong to them, especially in a multi-tenant system. Enforce this on the server for every request; an unguessable id is not a substitute.
  5. Require passwords of at least 8 characters; better still, encourage numbers, capital letters and special symbols.
  6. If you use cookies, never store sensitive data in them, and store only a server-issued token that the server must decrypt and verify before trusting it. For example, a remember-me cookie can hold an encrypted token built from the user IP plus the username; use authenticated encryption or an HMAC so that a tampered or forged cookie is rejected, and set the Secure and HttpOnly flags. (Binding the token to the IP will log out users whose address changes, e.g. on mobile networks.)
  7. Validate all input again on the back end, even if it has already been checked on the front end with JavaScript; anything client-side can be bypassed.
  8. Make 2FA (two-factor authentication) available for users to opt in to.
  9. Use SSL/HTTPS (TLS) for the whole site, not only the login page.
  10. Always use production settings, never development settings. For example, never display detailed errors to users, such as SQL errors that reveal table and field names.
  11. Give developers and admins separate, individual accounts with access limited to what each of them actually needs.
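The remember-me cookie from item 6, as an added example that is not part of the original post. Instead of trusting whatever the browser sends back, the server issues a token it can verify: the cookie value is base64(payload) + "." + base64(HMAC-SHA256(payload)), so any edit to the payload fails the tag check and expired tokens are rejected. The token is signed, not encrypted, so keep secrets out of the payload. SECRET_KEY, the usernames and the timestamps are all constructed for the example; the function names are hypothetical.

```python
"""Tamper-evident "remember me" token (added example for item 6, not the post's code).

The cookie value is base64(payload) + "." + base64(HMAC-SHA256(payload)).
It is signed, not encrypted: keep secrets out of the payload.
SECRET_KEY, usernames and timestamps below are constructed for the example.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for the example; in production load a random 32-byte key
# from secret storage and never commit it to source control.
SECRET_KEY = b"example-key-do-not-use-in-production-0123456789"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, ttl_seconds: int = 30 * 24 * 3600,
                now: Optional[float] = None) -> str:
    """Create a signed remember-me token that expires after ttl_seconds."""
    now = time.time() if now is None else now
    payload = json.dumps({"u": username, "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or not isinstance(data.get("exp"), int):
        return None
    if data["exp"] <= now:
        return None
    user = data.get("u")
    return user if isinstance(user, str) else None


def forge_by_editing_username(token: str, new_username: str) -> str:
    """Simulate an attacker who rewrites the payload but cannot recompute the tag."""
    payload_b64, tag_b64 = token.split(".", 1)
    data = json.loads(_unb64(payload_b64))
    data["u"] = new_username
    return f"{_b64(json.dumps(data, separators=(',', ':')).encode())}.{tag_b64}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_token("alice", now=t0)
    print("genuine:", verify_token(token, now=t0 + 60))
    print("forged :", verify_token(forge_by_editing_username(token, "admin"), now=t0))
    print("expired:", verify_token(token, now=t0 + 31 * 24 * 3600))
```

The same pattern works if the payload also carries the client IP as the post suggests; the HMAC is what makes the cookie safe to trust, and the expiry bounds how long a stolen cookie stays useful.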
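Items 4 and 7 together, as an added example that is not the post's code: a hypothetical invoice-update handler that re-validates the amount the browser already checked and scopes every query to the caller's tenant (taken from the session, never from the request), so a user who guesses another tenant's invoice id gets "not found" rather than their data. The in-memory sqlite3 database, the two tenants (100 and 200), the invoice rows and MAX_AMOUNT_CENTS are all constructed for the example.

```python
"""Server-side ownership check plus input re-validation (added example for
items 4 and 7, not the post's code). Sample tenants, invoices and the
MAX_AMOUNT_CENTS limit are constructed for the example.
"""
import sqlite3
from typing import Optional, Tuple

MAX_AMOUNT_CENTS = 100_000_000  # assumed business limit for the example


class ValidationError(ValueError):
    pass


class NotFound(LookupError):
    pass


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one invoice per tenant."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE invoices (
            id INTEGER PRIMARY KEY,
            tenant_id INTEGER NOT NULL,
            amount_cents INTEGER NOT NULL
        );
        INSERT INTO invoices VALUES (1, 100, 5000);
        INSERT INTO invoices VALUES (2, 200, 9900);
    """)
    return conn


def parse_positive_int(raw, name: str, upper: int) -> int:
    """Server-side check that mirrors, but never trusts, the front-end JS check."""
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValidationError(f"{name} must be an integer")
    try:
        value = int(str(raw).strip())
    except ValueError:
        raise ValidationError(f"{name} must be an integer")
    if not 0 < value <= upper:
        raise ValidationError(f"{name} out of range")
    return value


def get_invoice(conn, caller_tenant_id: int, invoice_id) -> Optional[dict]:
    """Read scoped to the caller's tenant; any other tenant's row reads as None."""
    invoice_id = parse_positive_int(invoice_id, "invoice id", 2**63 - 1)
    row = conn.execute(
        "SELECT id, tenant_id, amount_cents FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, caller_tenant_id),
    ).fetchone()
    if row is None:
        return None
    return {"id": row[0], "tenant_id": row[1], "amount_cents": row[2]}


def update_invoice(conn, caller_tenant_id: int, invoice_id, raw_amount) -> dict:
    """Update scoped to the caller's tenant; tenant_id comes from the session."""
    invoice_id = parse_positive_int(invoice_id, "invoice id", 2**63 - 1)
    amount = parse_positive_int(raw_amount, "amount", MAX_AMOUNT_CENTS)
    # Parameters are bound, not string-interpolated, so this is also injection-safe.
    cur = conn.execute(
        "UPDATE invoices SET amount_cents = ? WHERE id = ? AND tenant_id = ?",
        (amount, invoice_id, caller_tenant_id),
    )
    conn.commit()
    if cur.rowcount == 0:
        # Same answer whether the row is missing or belongs to another tenant,
        # so the response does not confirm that the id exists.
        raise NotFound("invoice not found")
    return get_invoice(conn, caller_tenant_id, invoice_id)


def handle_update(conn, caller_tenant_id: int, invoice_id, raw_amount) -> Tuple[int, dict]:
    """Map outcomes to HTTP-style status codes the way a web handler would."""
    try:
        return 200, update_invoice(conn, caller_tenant_id, invoice_id, raw_amount)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    except NotFound:
        return 404, {"error": "not found"}


if __name__ == "__main__":
    db = make_db()
    print(handle_update(db, 100, "1", "7500"))  # own invoice: 200
    print(handle_update(db, 100, "2", "1"))     # tenant 200's invoice: 404
    print(handle_update(db, 100, "1", "-5"))    # rejected server-side: 400
```

Putting the tenant id into the WHERE clause of every query, rather than checking ownership after the fact, means there is no code path that can read or write a row and forget the check.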