Safe Code Handbook: Proven Practices for Modern Developers

Validate Input, Always

Never trust user input. Validate and sanitize all data coming from outside your system—whether it’s a web form, API call, or uploaded file.

- Use strict validation rules
- Whitelist acceptable inputs
- Never assume client-side validation is enough; it runs on a machine the user controls and can be bypassed, so validate again on the server

Escape Output to Prevent XSS

When displaying user data on web pages, make sure to escape or encode it properly for the context it lands in. This blocks malicious scripts from executing in the browser.

- Use templating engines with auto-escaping
- Sanitize HTML only when you must render user-supplied markup, and use an allow-list sanitizer to do it
- Don’t trust input even if it “looks safe”

Use Parameterized Queries (Always)

Avoid SQL injection attacks by using prepared statements or ORM frameworks. Never concatenate user input into SQL queries.

- Use ? placeholders or parameter binding
- Avoid raw SQL unless necessary
- Don’t build SQL strings manually

Protect Secrets and Credentials

Hardcoding secrets in your codebase is a major security risk.

- Use environment variables or secret management tools
- Rotate secrets regularly
- Never commit .env files or API keys to Git

Apply the Principle of Least Privilege

Only give your code the permissions it absolutely needs—nothing more.

- Restrict database roles, API keys, and OS permissions
- Separate environments (dev/test/prod)
- Don’t use admin credentials everywhere

Fail Securely

When something goes wrong, fail in a secure way. Don’t reveal internal errors or stack traces to the end user.

- Show generic error messages
- Log detailed errors securely
- Avoid debug logs in production