Best Practice for Web Application Security
Remember that the bad guys don't play by the rules. They may be using specialised tools instead of a standard web browser, so they are able to do things that are not possible with a browser.
OWASP publishes a Top Ten list of security risks, which is full of useful advice.
- Cross-site scripting (XSS).
- Broken authentication and session management.
- Insecure direct object reference.
- Cross-site request forgery.
- Security misconfiguration.
- Insecure cryptographic storage.
- Failure to restrict URL access.
- Insufficient Transport Layer Protection.
- Unvalidated Redirects and Forwards.
- Set autocomplete off for password fields.
- Use a frame buster.
- OWASP clickjack filter.
- Mass assignment.
- Set the minimum encryption strength.
- When your server returns JSON to a client, send an object, not an array.
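As an added example, not part of the original note, the Node.js helpers below implement three of the server-side tips in the list: the clickjacking and transport headers, the "send an object, not an array" rule for JSON responses, and an allow-list against mass assignment. The function names, header choices and the sample request body are this example's own assumptions, not anything prescribed by OWASP.

```javascript
// Added example: small pure helpers that implement several of the tips
// above for a Node.js JSON API. Function and field names are this
// example's own choice.

// 1. Anti-clickjacking and transport headers to attach to every response.
//    X-Frame-Options: DENY (and the CSP frame-ancestors directive, its
//    modern equivalent) stop the page being framed by any other site;
//    Strict-Transport-Security tells browsers to use HTTPS only.
function securityHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Content-Type': 'application/json; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// 2. "Send an object, not an array": a bare JSON array is also a valid
//    JavaScript program, which older browsers could be made to execute
//    via a cross-site <script> tag (JSON hijacking). A top-level object
//    literal is a syntax error when run as a script, so wrapping array
//    responses in an object removes that exposure.
function jsonBody(data) {
  const payload = Array.isArray(data) ? { items: data } : data;
  return JSON.stringify(payload);
}

// 3. Mass assignment: copy only an explicit allow-list of client-supplied
//    fields onto the model, so a client cannot set fields such as
//    "isAdmin" simply by including them in the request body.
function pickAllowed(input, allowedFields) {
  const out = {};
  for (const key of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(input, key)) {
      out[key] = input[key];
    }
  }
  return out;
}

// Example use with a constructed (made-up) request body.
const USER_ALLOWED = ['name', 'email'];
const untrustedBody = { name: 'alice', email: 'a@example.com', isAdmin: true };
const safeUpdate = pickAllowed(untrustedBody, USER_ALLOWED);
// safeUpdate is { name: 'alice', email: 'a@example.com' }; isAdmin is dropped.

const headers = securityHeaders();
const body = jsonBody([{ id: 1 }, { id: 2 }]);
// body is '{"items":[{"id":1},{"id":2}]}' rather than a bare array.
console.log(headers, body, safeUpdate);
```

In a real handler you would set each key of `securityHeaders()` on the response (for example with `res.setHeader`), run every incoming body through `pickAllowed` with the allow-list for that model, and pass every response payload through `jsonBody` so that no endpoint can accidentally return a top-level array.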