The OWASP Top 10 is a regularly updated list of the most critical security risks facing web applications. These vulnerabilities account for the majority of real-world exploits and data breaches. Understanding each one—and how to prevent it—is essential for every developer and security professional.
Broken access control occurs when users can act outside their intended permissions. This is the #1 vulnerability in the 2021 OWASP Top 10, appearing in 94% of tested applications.
// VULNERABLE CODE: any authenticated caller can read any user's record simply by changing :id
app.get('/api/user/:id/details', async (req, res) => {
  const user = await User.findById(req.params.id); // no check that the caller may view this user
  res.json(user);
});
// SECURE CODE: the caller may only read their own record
app.get('/api/user/:id/details', async (req, res) => {
  // req.user is populated by the authentication middleware; compare as strings so a
  // numeric session id and a string route parameter do not mismatch
  if (String(req.user.id) !== req.params.id) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await User.findById(req.params.id);
  res.json(user);
});
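The route above hard-codes the ownership check into one handler. The following is an added example (not code from the article) that factors the decision into a reusable, deny-by-default function and an Express-style middleware, so the same check cannot be forgotten on the next route. It assumes a hypothetical `req.user` shape of `{ id, roles }` set by an authentication middleware; the fake request/response objects at the end are constructed only so the block runs without a web framework.

```javascript
// Added example: object-level authorization as a reusable check (not the article's code).
// Assumes req.user = { id, roles } (hypothetical shape) and that ids may arrive as numbers or strings.

// Deny-by-default decision: returns { allowed: true } or { allowed: false, status }.
function authorizeUserAccess(requestUser, targetUserId) {
  if (!requestUser) {
    return { allowed: false, status: 401 }; // not authenticated at all
  }
  // Compare as strings: a numeric id from the session and a string route parameter
  // would otherwise never match (and the tempting "fix" with == is its own bug class).
  const isOwner = String(requestUser.id) === String(targetUserId);
  const isAdmin = Array.isArray(requestUser.roles) && requestUser.roles.includes('admin');
  if (isOwner || isAdmin) {
    return { allowed: true };
  }
  return { allowed: false, status: 403 }; // authenticated, but not permitted for this record
}

// Express-style middleware factory; paramName is the route parameter holding the record owner's id.
function requireSelfOrAdmin(paramName) {
  return (req, res, next) => {
    const decision = authorizeUserAccess(req.user, req.params[paramName]);
    if (!decision.allowed) {
      const message = decision.status === 401 ? 'Unauthorized' : 'Forbidden';
      return res.status(decision.status).json({ error: message });
    }
    next();
  };
}

// Intended usage with Express (Express itself is not needed to run this block):
// app.get('/api/user/:id/details', requireSelfOrAdmin('id'), async (req, res) => { ... });

// Constructed fake req/res so the middleware can be exercised offline.
function runMiddleware(middleware, req) {
  const res = {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return { nextCalled, statusCode: res.statusCode, body: res.body };
}
```

Keeping the decision in a pure function also makes it trivial to unit-test every branch (anonymous, owner, other user, admin) without standing up the application.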
To avoid cryptographic failures, use HTTPS/TLS for all data in transit. Store passwords only as salted, deliberately slow hashes (bcrypt, Argon2, or scrypt), never in plaintext or reversibly encrypted. Encrypt other sensitive data at rest with AES-256, in an authenticated mode such as AES-256-GCM so tampering is detected, and keep the keys out of the application code.
Always use parameterized queries to prevent SQL injection. Placeholders bind values only; table and column names that come from user input must instead be checked against a fixed allowlist:
// SECURE CODE: the username is bound as a parameter, never concatenated into the SQL string;
// the password is checked against the stored hash in code (bcrypt.compare), not compared inside the query
const query = 'SELECT id, password_hash FROM users WHERE username = ?';
db.query(query, [username], async (err, results) => {
  const valid = !err && results.length === 1 && await bcrypt.compare(password, results[0].password_hash);
  ...
});
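As an added example (not code from the article), here is a query builder that keeps every untrusted value in the parameter array and handles the one thing placeholders cannot protect, an `ORDER BY` column chosen by the user, with an allowlist. It assumes a `?`-placeholder driver such as the `mysql` package's `db.query(sql, params, cb)` and MySQL's default backslash escape character for `LIKE`; the column list and the search endpoint are hypothetical.

```javascript
// Added example (not the article's code): parameterized values plus an identifier allowlist.
// Assumes a '?'-placeholder driver (mysql-style) and MySQL's default LIKE escape character.

// Columns a client is permitted to sort by. Anything else is rejected, not escaped:
// there is no safe way to "escape" an identifier that came from the request.
const SORTABLE_COLUMNS = new Set(['created_at', 'username', 'email']);

// LIKE wildcards are data here, not syntax: escape them so a '%' in the input
// cannot turn a prefix search into "match every row".
function escapeLike(value) {
  return String(value).replace(/[\\%_]/g, (ch) => `\\${ch}`);
}

// Returns { sql, params }. User input appears only in params, never in sql.
// What NOT to do: "... WHERE username LIKE '" + input + "%'" hands the input to the SQL parser.
function buildUserSearchQuery({ usernamePrefix, sortBy = 'created_at', limit = 50 }) {
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    throw new Error(`unsupported sort column: ${sortBy}`);
  }
  // Clamp the limit to a sane range instead of trusting the client's number.
  const safeLimit = Math.min(Math.max(Number.parseInt(limit, 10) || 0, 1), 200);
  return {
    // sortBy is safe to interpolate only because it was just checked against the allowlist
    sql: `SELECT id, username, email FROM users WHERE username LIKE ? ORDER BY ${sortBy} LIMIT ?`,
    params: [`${escapeLike(usernamePrefix)}%`, safeLimit],
  };
}

// Intended usage with a mysql-style driver (driver not required to run this block):
// const { sql, params } = buildUserSearchQuery(req.query);
// db.query(sql, params, (err, rows) => { ... });
```

The test of a builder like this is mechanical: whatever string the client sends, it must never appear in `sql`, and any identifier outside the allowlist must throw before a query is built.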
To avoid security misconfiguration, use infrastructure-as-code and automated security scanning, apply the principle of least privilege, and set security headers on every response:
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
To manage vulnerable and outdated components, use tools such as OWASP Dependency-Check, Snyk, or npm audit to identify dependencies with known vulnerabilities, and automate patching where possible.
To avoid security logging and monitoring failures, log all authentication attempts, authorization failures, and access to sensitive data. Ship logs to a centralized system (ELK stack, Splunk, CloudWatch) and alert on suspicious patterns, such as repeated failed logins from a single source.
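The following is an added example (not code from the article) of the kind of rule that runs on top of those centralized logs: it parses structured authentication and authorization events and raises alerts for a burst of failed logins from one source IP and for any denied access to a sensitive resource. The JSON line shape (`ts`, `event`, `user`, `ip`, `outcome`, optional `resource` and `sensitive`) and the sample lines are constructed for this example; a SIEM would express the same logic as a saved query.

```javascript
// Added example (not the article's code): simple detections over structured auth logs.
// Log shape and sample data are this example's own construction.

// Constructed sample log: one JSON object per line, plus one malformed line.
const SAMPLE_LOG = [
  '{"ts":"2024-05-01T10:00:01Z","event":"login","user":"alice","ip":"203.0.113.5","outcome":"failure"}',
  '{"ts":"2024-05-01T10:00:10Z","event":"login","user":"alice","ip":"203.0.113.5","outcome":"failure"}',
  '{"ts":"2024-05-01T10:00:20Z","event":"login","user":"bob","ip":"203.0.113.5","outcome":"failure"}',
  '{"ts":"2024-05-01T10:00:30Z","event":"login","user":"carol","ip":"203.0.113.5","outcome":"failure"}',
  '{"ts":"2024-05-01T10:00:40Z","event":"login","user":"dave","ip":"203.0.113.5","outcome":"failure"}',
  '{"ts":"2024-05-01T10:00:50Z","event":"login","user":"erin","ip":"203.0.113.5","outcome":"failure"}',
  '{"ts":"2024-05-01T10:01:00Z","event":"login","user":"frank","ip":"198.51.100.7","outcome":"failure"}',
  '{"ts":"2024-05-01T10:01:05Z","event":"login","user":"frank","ip":"198.51.100.7","outcome":"success"}',
  '{"ts":"2024-05-01T10:02:00Z","event":"authz","user":"frank","ip":"198.51.100.7","outcome":"denied","resource":"/admin/export","sensitive":true}',
  'not json at all',
].join('\n');

// Parse newline-delimited JSON. Malformed lines are counted rather than silently dropped:
// a sudden rise in unparseable lines is itself worth an alert (broken or tampered shipper).
function parseLog(text) {
  const events = [];
  let malformed = 0;
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try { events.push(JSON.parse(line)); } catch (e) { malformed += 1; }
  }
  return { events, malformed };
}

// Alert when one source IP produces >= threshold failed logins inside a sliding window.
// Keyed by IP rather than user so password spraying across many accounts is still caught.
function detectBruteForce(events, { threshold = 5, windowMs = 5 * 60 * 1000 } = {}) {
  const failuresByIp = new Map();
  for (const e of events) {
    if (e.event !== 'login' || e.outcome !== 'failure') continue;
    if (!failuresByIp.has(e.ip)) failuresByIp.set(e.ip, []);
    failuresByIp.get(e.ip).push(Date.parse(e.ts));
  }
  const alerts = [];
  for (const [ip, times] of failuresByIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++; // shrink window from the left
      if (end - start + 1 >= threshold) {
        alerts.push({ rule: 'brute_force', ip, count: end - start + 1, firstSeen: new Date(times[start]).toISOString() });
        break; // one alert per IP is enough for a first pass
      }
    }
  }
  return alerts;
}

// Alert on every authorization denial that touched a resource flagged as sensitive.
function detectForbiddenSensitiveAccess(events) {
  return events
    .filter((e) => e.event === 'authz' && e.outcome === 'denied' && e.sensitive === true)
    .map((e) => ({ rule: 'sensitive_denied', user: e.user, ip: e.ip, resource: e.resource }));
}

// Convenience entry point: parse and run both rules.
function runDetections(text) {
  const { events, malformed } = parseLog(text);
  return { malformed, alerts: [...detectBruteForce(events), ...detectForbiddenSensitiveAccess(events)] };
}
```

Thresholds and windows are tuning knobs; the point is that the fields needed to write these rules (outcome, source IP, resource, sensitivity) must be present in the log line in the first place, which is what the logging advice above is really about.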
To prevent server-side request forgery (SSRF), validate user-supplied URLs against an allowlist of permitted hosts rather than a blocklist, restrict the scheme, and block requests to private, loopback, and link-local IP ranges, checking the address the hostname actually resolves to rather than the hostname alone.