Best Practice for Web Application Security

Remember that the bad guys don't play by the rules. They may be using specialised tools instead of a standard web browser, so they are able to do things that are not possible with a browser.

The OWASP publish a Top Ten security risks which is full of useful advice.

1. Injection.
2. Cross-site scripting (XSS).
3. Broken authentication and session management.
4. Insecure direct object reference.
5. Cross-site request forgery.
6. Security misconfiguration.
7. Insecure cryptographic storage.
8. Failure to restrict URL access.
9. Insufficient Transport Layer Protection.
10. Unvalidated Redirects and Forwards

Other advice

• Set autocomplete off for password fields.
• Use a frame buster.
• OWASP clickjack filter.
• Mass assignment.
• Set the minimum encryption strength.
• When your server returns JSON to a client, send an oject, not an array.