Security Best Practices Guide

Overview

Security is not a feature you add later—it is a foundation you build into every layer of your application. This guide covers the essential practices for building secure software.

When to Apply

• Building any application that handles user data
• Processing payments or sensitive information
• Exposing APIs to the internet
• Working in regulated industries (healthcare, finance, etc.)

Authentication & Authorization

Use Proven Authentication Libraries

Never roll your own authentication. Use battle-tested libraries:

Language	Recommended Library
Node.js	Passport.js, Auth.js
Python	Django Auth, Flask-Login
Java	Spring Security, OAuth2
Go	casbin, gorilla/sessions

Multi-Factor Authentication (MFA)

Require MFA for:

• Admin accounts
• Production access
• Financial operations

Authorization Patterns

Role-Based Access Control (RBAC)

User -> Role -> Permission -> Resource

Principle of Least Privilege

Grant only the permissions necessary for each role. Audit permissions quarterly.

Input Validation

Validate at the Boundary

# Python with Pydantic
from pydantic import BaseModel, EmailStr, constr

class CreateUserRequest(BaseModel):
    email: EmailStr
    password: constr(min_length=12)
    role: constr(pattern=r'^(user|admin)$')

Sanitize Output

• Use parameterized queries (never string concatenation)
• Escape HTML before rendering in browsers
• Encode JSON safely

Secrets Management

Never Hardcode Secrets

# ❌ Bad
API_KEY = "sk-live-abc123"

# ✅ Good
API_KEY = os.environ.get("API_KEY")

Use a Secrets Manager

Tool	Use Case
HashiCorp Vault	Enterprise, complex policies
AWS Secrets Manager	AWS-native applications
Azure Key Vault	Azure-native applications
Doppler	Multi-cloud, developer-friendly
1Password Secrets	Small teams, simple setup

Dependency Security

Keep Dependencies Updated

# Scan for vulnerabilities
npm audit
pip-audit
snyk test

Lock Files

Always commit lock files (package-lock.json, poetry.lock, Cargo.lock) to ensure reproducible builds.

OWASP Top 10 Prevention

Vulnerability	Prevention
Injection	Parameterized queries, input validation
Broken Access Control	Deny by default, enforce ownership
Cryptographic Failures	HTTPS everywhere, encrypt at rest
Insecure Design	Threat modeling, security requirements
Security Misconfiguration	Minimal platforms, remove defaults
Vulnerable Components	Dependency scanning, auto-updates
Auth Failures	MFA, strong passwords, session limits
Software Integrity	Verify packages, signed commits
Logging Failures	Log all auth events, monitor anomalies
SSRF	Whitelist URLs, disable unnecessary protocols

Secure Communication

HTTPS Everywhere

• Redirect HTTP to HTTPS
• Use HSTS headers
• Keep TLS certificates up to date

API Security

• Rate limiting (prevent brute force)
• API versioning (graceful deprecation)
• Request signing (verify integrity)

Logging & Monitoring

What to Log

• Authentication attempts (success and failure)
• Authorization failures
• Input validation errors
• Unusual traffic patterns

What NOT to Log

• Passwords
• API keys
• Personal health information
• Credit card numbers

Security Checklist

• Authentication uses MFA where required
• Authorization checks resource ownership
• All inputs validated and sanitized
• Secrets stored in a secrets manager
• Dependencies scanned for vulnerabilities
• HTTPS enforced for all traffic
• Security headers configured (CSP, HSTS)
• Rate limiting enabled on public APIs
• Sensitive data encrypted at rest
• Security events logged and monitored

FAQ

Q: How often should I update dependencies? A: At least monthly. Enable Dependabot or Renovate for automated PRs.

Q: Is JWT secure? A: JWT is secure when implemented correctly: short expiry, strong signing algorithms (RS256/ES256), secure secret storage, and HTTPS-only transmission.

Q: Should I encrypt everything in the database? A: Encrypt sensitive fields (PII, credentials, tokens). At-rest encryption should be enabled at the database level.