Secure Web App Best Practices

Maintaining a secure web environment is extremely important in today’s technological climate. So, let’s look at secure web app best practices.

Performing regular scans and tests of your security posture is a best practice, and one that is rapidly becoming an essential part of maintaining security at your organization. Web applications have become a common target for hackers, hence the need for better practices. Last week, we tapped into our own developers’ minds to help us put together a list of best practices for secure web applications in order to educate and inspire our community of security-minded individuals. Here are our top Secure Web App Best Practices:


If you’re a web app developer, you should always be aware of security risks and of best practices for defending your application against those risks. OWASP is a great resource for learning about web app security. The “OWASP Top 10” is a great list that creates awareness of some of the most critical web app security flaws. SANS is another great resource for information security training. Additionally, many web app frameworks publish security guides that cover their built-in security features (for example, Ruby on Rails, Django, and .NET all publish security guides to help you while you are building apps).


HTTPS provides your users with the confidence that the web app they are connecting to is, in fact, yours. It also provides a secure channel for sending and receiving data. One risk involved in using HTTPS occurs when additional content is loaded insecurely over HTTP. While your page may be loaded securely over HTTPS, even a single JavaScript file loaded insecurely over HTTP is at risk of being intercepted and modified by an attacker. Ensure that all your content and resources are loaded securely.
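A simple way to catch the mixed-content problem described above is to scan a page's HTML for sub-resources that resolve to a plain-HTTP URL. The following is an added example (not code from the original post) using only the Python standard library; the HTML is constructed for the demonstration, and a real check would run it over every page of the site.

```python
"""Mixed-content check: list sub-resources an HTTPS page would fetch over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute naming the sub-resource the browser will actually fetch.
RESOURCE_ATTRS = {
    "script": "src", "link": "href", "img": "src", "iframe": "src",
    "audio": "src", "video": "src", "source": "src",
}
# <link> only triggers a fetch for these rel values; rel="canonical" etc. is metadata.
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload", "prefetch"}


class _ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return
        url = attrs.get(attr_name)
        if not url:
            return
        # Relative and protocol-relative ("//host/x.js") URLs inherit the page's
        # scheme, so resolving against the HTTPS page URL handles them correctly.
        absolute = urljoin(self.page_url, url)
        if urlparse(absolute).scheme == "http":
            self.insecure.append(absolute)


def find_mixed_content(html, page_url):
    """Return the list of plain-HTTP resource URLs the page would load."""
    if urlparse(page_url).scheme != "https":
        raise ValueError("page itself must be served over HTTPS")
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return collector.insecure


# Constructed sample page: two insecure resources, the rest are fine.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://static.example.com/banner.png">
<iframe src="//widgets.example.com/w"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url in find_mixed_content(SAMPLE_HTML, "https://www.example.com/"):
        print("insecure resource:", url)
```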


When storing users’ passwords, it’s extremely important to follow best practices. Never, ever, store passwords in plain text. You should store your users’ passwords as hashes, making use of cryptographic algorithms that are designed specifically for password protection. View the OWASP Password Storage Cheat Sheet.


Your web app most likely makes use of a framework and several libraries or components. Each one of these components is potentially vulnerable to attack. It is best to identify all of the components and versions currently being utilized in your app. Once you have that, monitor public databases (CVE, NVD) for reported risks to the components you use. Also, keep up to date with security mailing lists relevant to the frameworks you use and immediately update any components that release security fixes.


Related to keeping your app dependencies up to date, you should also ensure your app stack is up to date. Ensure your OS, web server, app server, and databases are all up to date with the latest patches and configurations.


A web app firewall (WAF) can be helpful in identifying and blocking threats to your app. A WAF applies rules to the HTTP traffic coming into your app. If patterns commonly associated with attacks are detected, the request is blocked. These rules can be customized based on the specific threats to your app. Running a WAF requires maintenance and tuning, but it can be very effective in blocking many known attacks.


It’s always important to know what is going on within your apps. Collecting logs is vital to having an audit trail of activity. You should collect all authentication and user access events including access to your servers and user access to your apps. Collect data access, user events, and errors. Logs should be centrally collected and stored where they can be reviewed and correlated.


As a developer, you should always assume that all user input is malicious. This includes form data, URL parameters, query strings, cookies, and HTTP headers. Validate all input based on type, length, and a whitelist of allowed values or value ranges. Many attacks, such as SQL injection and cross-site scripting, take advantage of apps that trust user input without proper validation. View the OWASP Data Validation guidance.
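The type, length and whitelist checks above, applied to a form submission, as an added example (not code from the original post). The field names, rules and sample submissions are constructed for the demonstration; the point is that anything outside the allow-list is rejected outright rather than "cleaned up".

```python
"""Allow-list validation of an HTTP form: type, length, then allowed shape or values."""
import re

# Every field states its maximum length plus either an allowed pattern or an allowed set.
FORM_RULES = {
    "username": {"max_len": 20, "pattern": re.compile(r"\A[a-z0-9_]{3,20}\Z")},
    "age":      {"max_len": 3,  "pattern": re.compile(r"\A\d{1,3}\Z"),
                 "cast": int, "range": (13, 120)},
    "country":  {"max_len": 2,  "allowed": {"US", "CA", "GB", "DE"}},
}


def validate_form(form, rules=FORM_RULES):
    """Return (clean, errors); a field with any failed check lands in errors, never in clean."""
    clean, errors = {}, {}
    # The allow-list covers field names too: unexpected parameters are rejected.
    for extra in sorted(set(form) - set(rules)):
        errors[extra] = "unexpected field"
    for name, rule in rules.items():
        raw = form.get(name)
        if not isinstance(raw, str):            # missing, or not a single string value
            errors[name] = "missing or wrong type"
            continue
        if len(raw) > rule["max_len"]:          # length check first, before any regex work
            errors[name] = "too long"
            continue
        if "pattern" in rule and not rule["pattern"].match(raw):
            errors[name] = "invalid characters or format"
            continue
        if "allowed" in rule and raw not in rule["allowed"]:
            errors[name] = "not an allowed value"
            continue
        value = rule["cast"](raw) if "cast" in rule else raw
        if "range" in rule:
            lo, hi = rule["range"]
            if not lo <= value <= hi:
                errors[name] = "out of range"
                continue
        clean[name] = value
    return clean, errors


# Constructed submissions: one well-formed, one that fails every rule.
GOOD_FORM = {"username": "alice_01", "age": "34", "country": "CA"}
BAD_FORM = {"username": "alice; drop", "age": "9", "country": "XX", "debug": "1"}

if __name__ == "__main__":
    print(validate_form(GOOD_FORM))
    print(validate_form(BAD_FORM))
```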


Testing your app for vulnerabilities is an important step in finding and fixing flaws before you suffer an attack. This can include static code analysis and penetration testing. Static code analysis scans your source code for flaws and potential security risks. These tools can be integrated into the development lifecycle, alerting developers to potential hot spots in their code. Web app penetration tests simulate attacks in order to analyze the security of your system. Both are necessary in order to ensure your application is secure.

For more information or help regarding the security of your web apps, email me at


Sarah Morris is the Managing Editor at KirkpatrickPrice, a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices.