Best Practice for Web Application Security

Remember that the bad guys don't play by the rules. They may be using specialised tools instead of a standard web browser, so they can send requests that a browser would never produce; server-side validation must not assume a well-behaved client.

OWASP publishes a Top Ten list of web application security risks, which is full of useful advice.

  1. Injection.
  2. Cross-site scripting (XSS).
  3. Broken authentication and session management.
  4. Insecure direct object reference.
  5. Cross-site request forgery (CSRF).
  6. Security misconfiguration.
  7. Insecure cryptographic storage.
  8. Failure to restrict URL access.
  9. Insufficient transport layer protection.
  10. Unvalidated redirects and forwards.

Other advice