Security

Web security: 5 mistakes to absolutely avoid

The most common security flaws in web projects and how to avoid them. Practical advice to secure your application without being a cybersecurity expert.

Security Web Best Practices
Published on 12 February 2025

Why security from the start?

Security is like accessibility: it's much easier to build in from the start than to fix later. And contrary to what people often think, securing an application doesn't require being a cybersecurity expert. You just need to avoid the most common mistakes. We'll show you which ones, and how to avoid them.

These 5 mistakes account for the majority of security flaws in web projects. Avoiding them already secures 80% of your app. And honestly, that's a lot! We've all made these mistakes at the start, so we're sharing what we've learned.

Mistake #1: SQL injection

The problem: If you build SQL queries by concatenating user data directly, you're vulnerable to SQL injection. An attacker can execute malicious SQL.

Vulnerable code example: 

// ❌ DANGEROUS
const query = `SELECT * FROM users WHERE email = '${email}'`;

The solution: Always use parameterised queries or an ORM. 

// ✅ SECURE
const query = 'SELECT * FROM users WHERE email = ?';
db.query(query, [email]);

Modern frameworks: Most frameworks (Express with Sequelize/Prisma, Django ORM, Laravel Eloquent) handle this automatically. Use them instead of writing raw SQL.

Mistake #2: XSS (Cross-Site Scripting)

The problem: If you render user content directly without escaping it, an attacker can inject malicious JavaScript that runs in other users' browsers.

Vulnerable code example: 

// ❌ DANGEROUS
<div>{userComment}</div>

The solution: Always escape user content before rendering it. 

// ✅ SECURE (React escapes automatically)
<div>{userComment}</div>

// ✅ SECURE (Vanilla JS)
const div = document.createElement('div');
div.textContent = userComment;

Modern frameworks: React, Vue and Angular escape content automatically. But be careful if you use dangerouslySetInnerHTML (React) or v-html (Vue): in that case, you must sanitise content with a library like DOMPurify.

Mistake #3: Weak authentication

The problem: Plaintext passwords in the database, no login attempt limits, insecure JWT tokens, etc.

Solutions:

  • Hash passwords: Use bcrypt, argon2, or scrypt. Never MD5 or SHA1 (too fast to crack).
  • Limit login attempts: Rate limiting (max 5 attempts per IP, then temporary block).
  • Secure JWT tokens: Use short-lived tokens, store them in httpOnly cookies (not localStorage).
  • Enable HTTPS: Always, everywhere. Passwords over HTTP can be intercepted.

Mistake #4: Misconfigured CORS

The problem: If you allow all origins (Access-Control-Allow-Origin: *), any site can make requests to your API.

The solution: Allow only origins you control. 

// ✅ SECURE
Access-Control-Allow-Origin: https://yoursite.com

// Ou en Express
app.use(cors({
  origin: ['https://yoursite.com', 'https://www.yoursite.com']
}));

In development: You can allow localhost, but never in production.

Mistake #5: Exposed secrets

The problem: API keys, passwords, tokens hardcoded in code or committed to Git.

Solutions:

  • Use environment variables: .env for local development, server environment variables for production.
  • Never commit secrets: Add .env to your .gitignore.
  • Use a secrets manager: AWS Secrets Manager, HashiCorp Vault, or your platform's environment variables (Railway, Render, etc.).
  • Rotate secrets regularly: Change API keys every 3–6 months.

Additional best practices

Security updates

Keep your dependencies up to date. Use npm audit or yarn audit to identify known vulnerabilities.

Security headers

Add HTTP security headers:

  • Content-Security-Policy: Limits resources the browser can load
  • X-Frame-Options: Prevents clickjacking
  • X-Content-Type-Options: nosniff: Prevents MIME sniffing
  • Strict-Transport-Security: Forces HTTPS

Data validation

Always validate data on the server, even if you validate on the client. The client can be modified.

In summary

These 5 mistakes represent the majority of security flaws. Avoiding them already secures your application significantly. To go further:

  • Use modern frameworks that handle security by default
  • Stay informed about vulnerabilities (CVE, security newsletters)
  • Have your application audited regularly (at least once a year)
  • Train your team on security best practices

Security is an ongoing process, not a state. Start by avoiding these 5 mistakes, then improve gradually.

Need help securing your application?

We can support you with a security audit and implementing best practices.

Let's discuss your project