Invos

01_security_best_practices

3 min read

Web Security Best Practices

Security is everyone’s responsibility. This document outlines fundamental security best practices that all developers must follow to build secure applications.

Top 10 OWASP Vulnerabilities

We aim to mitigate the risks identified in the OWASP Top 10. Key vulnerabilities to be aware of include:

1. Injection (e.g., SQL Injection, NoSQL Injection)

  • Prevention:
    • Use an ORM or parameterized queries: Never concatenate user input directly into database queries. Our stack (e.g., using Drizzle ORM with D1) helps prevent this.
    • Validate and sanitize all user input.

2. Cross-Site Scripting (XSS)

  • Prevention:
    • Framework-level protection: Modern frontend frameworks like React automatically encode data rendered in JSX, which prevents most XSS attacks.
    • Be careful with dangerouslySetInnerHTML: Never use this React feature with un-sanitized user input.
    • Set a Content Security Policy (CSP): A CSP header tells the browser which sources of content (scripts, styles, images) are trusted. This is a critical defense-in-depth measure.

3. Insecure Design & Broken Access Control

  • Prevention:
    • Enforce access control on the server-side: Do not rely on hiding UI elements on the frontend to restrict access. Every API endpoint must verify that the user has the correct permissions to perform the requested action.
    • Principle of Least Privilege: Users should only have the minimum level of access they need.
    • Use framework-level authentication/authorization: Leverage middleware in our Next.js/OpenNext application to protect routes.

4. Security Misconfiguration

  • Prevention:
    • Minimalist approach: Our Cloudflare and application configurations should be as simple as possible.
    • Disable debug features in production: Ensure that detailed error messages and debug panels are not exposed in the production environment.
    • Keep software updated: Regularly update all libraries, frameworks, and server software.

5. Vulnerable and Outdated Components

  • Prevention:
    • Automated dependency scanning: Use tools like npm audit and GitHub’s Dependabot to identify and fix vulnerabilities in our third-party libraries. (See 03_dependency_scanning.md)

General Secure Coding Practices

  • Validate, Sanitize, and Escape All User Input:

    • Validate: Check that the data is in the expected format (e.g., a valid email address).
    • Sanitize: Remove any potentially malicious characters or code.
    • Escape: Encode data before outputting it to prevent it from being interpreted as code (e.g., React does this by default).

  • Use HTTPS Everywhere:

    • Our Cloudflare configuration ensures that all traffic is served over HTTPS. (See 02_cloudflare_security_configuration.md)

  • Secure Cookies:

    • HttpOnly: Prevents a cookie from being accessed by client-side scripts. This is a key defense against XSS.
    • Secure: Ensures the cookie is only sent over HTTPS.
    • SameSite=Strict or Lax: Mitigates Cross-Site Request Forgery (CSRF) attacks.

  • Secrets Management:

    • Never hardcode secrets: All API keys, passwords, and other secrets must be stored securely. (See 06_secrets_management.md)

  • Regular Code Reviews:

    • Our Code Review Process is a great opportunity for a second pair of eyes to spot potential security issues.

Security is an ongoing process, not a one-time checklist. By following these best practices, we can significantly reduce the attack surface of our applications.

Graph View

Backlinks