Web Security Checklist

Security checklist I use for every project:

Authentication & Authorization

  • Use strong password requirements
  • Implement proper session management
  • Issue short-lived JWTs (short expiration)
  • Implement refresh token rotation
  • Add rate limiting to auth endpoints
  • Use HTTPS everywhere
  • Implement proper logout functionality

Input Validation

// Always validate and sanitize input
const validateEmail = (email) => {
  // Shape check plus the 254-character maximum for a full address
  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  return typeof email === 'string' && email.length <= 254 && emailRegex.test(email);
};

// Use parameterized queries: the $1 placeholder is bound by the driver,
// never concatenated into the SQL string.
// Assumes node-postgres; db is a Pool configured from the environment.
const { Pool } = require('pg');
const db = new Pool();

const getUser = async (userId) => {
  // Resolves to the pg result object; rows are in result.rows
  return db.query('SELECT * FROM users WHERE id = $1', [userId]);
};

Security Headers

// Assumes Express with the helmet middleware
const express = require('express');
const helmet = require('helmet');
const app = express();

app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],   // inline styles allowed, inline scripts are not
      scriptSrc: ["'self'"],
      imgSrc: ["'self'", "data:", "https:"]
    }
  },
  hsts: {
    maxAge: 31536000,        // one year, in seconds
    includeSubDomains: true
  }
}));

OWASP Top 10 Prevention

  1. Injection - Use parameterized queries
  2. Broken Authentication - Implement proper auth (see the checklist above)
  3. Sensitive Data Exposure - Encrypt data in transit and at rest
  4. XML External Entities - Disable external entity processing in XML parsers
  5. Broken Access Control - Implement proper authorization checks
  6. Security Misconfiguration - Run regular security audits
  7. XSS - Sanitize output, use CSP
  8. Insecure Deserialization - Validate serialized data before deserializing it
  9. Known Vulnerabilities - Keep dependencies updated
  10. Insufficient Logging - Implement comprehensive logging