Security Best Practices

Apply these security principles when developing backend services, microservices, and any code handling sensitive data or external inputs.

Input Validation and Sanitization

• Apply input validation and sanitization rigorously, especially on inputs from external sources
• Validate all user inputs at the boundary of your application
• Use allowlists over denylists when validating input
• Sanitize data before storing or displaying to prevent injection attacks
• Implement strict type checking and schema validation

Authentication and Authorization

• Use secure defaults for JWT, cookies, and configuration settings
• Implement proper token expiration and refresh mechanisms
• Store secrets securely using environment variables or secret management services
• Never hardcode credentials or API keys in source code
• Use secure password hashing algorithms (bcrypt, Argon2)

Permission Boundaries

• Isolate sensitive operations with clear permission boundaries
• Apply the principle of least privilege throughout the system
• Implement role-based access control (RBAC) where appropriate
• Audit and log access to sensitive resources
• Use separate service accounts for different components

Resilience and Protection

• Implement retries, exponential backoff, and timeouts on all external calls
• Deploy circuit breakers and rate limiting for service protection
• Consider distributed rate-limiting to prevent abuse across services (e.g., using Redis)
• Implement request throttling to prevent denial of service
• Use connection pooling with appropriate limits

Secure Configuration

• Use HTTPS/TLS for all network communications
• Configure secure HTTP headers (HSTS, CSP, X-Frame-Options)
• Disable verbose error messages in production
• Keep dependencies updated and scan for vulnerabilities
• Use secure defaults and fail securely

Error Handling

• Implement comprehensive error handling throughout the application
• Never expose stack traces or internal details to end users
• Log security-relevant events with appropriate detail
• Propagate context appropriately for debugging while maintaining security
• Handle authentication and authorization failures gracefully

Secrets Management

• Use environment variables or dedicated secrets managers
• Rotate credentials and keys regularly
• Implement proper key management practices
• Avoid logging sensitive information
• Use encryption at rest for sensitive data storage

SQL Injection Prevention

• Use parameterized queries or prepared statements
• Never concatenate user input into SQL queries
• Use ORM features that automatically escape values
• Validate and sanitize all database inputs
• Limit database user permissions

Cross-Site Scripting (XSS) Prevention

• Escape all output rendered in HTML
• Use Content Security Policy headers
• Sanitize user-generated content before display
• Use framework-provided escaping functions
• Avoid innerHTML and similar dangerous APIs

Cross-Site Request Forgery (CSRF) Prevention

• Implement CSRF tokens for state-changing operations
• Verify origin and referer headers
• Use SameSite cookie attribute
• Require re-authentication for sensitive actions
• Implement proper session management

API Security

• Implement API authentication (JWT, API keys, OAuth)
• Use rate limiting to prevent abuse
• Validate request content types
• Implement request size limits
• Log API access for auditing

Dependency Security

• Regularly audit dependencies for vulnerabilities
• Use lockfiles to ensure consistent versions
• Remove unused dependencies
• Monitor security advisories for your stack
• Implement automated vulnerability scanning in CI/CD