January 15, 2026 · 3 min read

Web Security Basics Every Developer Should Know

#cybersecurity #web-security #devops


Security isn't just the responsibility of the "security team." As developers, every line of code we write is either making our application safer or introducing a potential vulnerability.

Here's a practical guide to the security fundamentals I think every web developer should understand.

1. HTTPS Is Not Optional

In 2026, there's no excuse for serving anything over plain HTTP. HTTPS provides:

  • Encryption — data in transit can't be read by eavesdroppers
  • Integrity — data can't be tampered with during transit
  • Authentication — users know they're talking to the real server

Use Let's Encrypt for free certificates. Configure HSTS headers to enforce HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

2. Content Security Policy (CSP)

CSP is one of the most powerful defense mechanisms against XSS attacks. It tells the browser which sources of content are allowed:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'

Start strict, then loosen as needed. Never use 'unsafe-eval' in production.

3. Cross-Site Scripting (XSS) Prevention

XSS remains one of the top web vulnerabilities. The basics:

  • Always escape user input before rendering in HTML
  • Use framework-provided sanitization (Angular's DomSanitizer, React's JSX auto-escaping)
  • Set HttpOnly flag on session cookies — prevents JavaScript access
  • Use CSP as a defense-in-depth layer

// BAD — never do this
element.innerHTML = userInput;

// GOOD — use textContent or framework sanitization
element.textContent = userInput;
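The snippet above covers the browser side. On the server, where there is no textContent to reach for and you are building markup from strings, the equivalent is to escape every user-supplied value before it lands in the template. Here is an added example (my own illustration, not code from the original post): a small HTML escaper and a comment renderer that only ever inserts escaped text. The renderComment helper and the sample comment body are made up for the demo.

```javascript
// Added example, not from the original post: server-side escaping for the
// case where markup is assembled from untrusted strings (Node templating,
// no DOM available). renderComment and the sample input are assumptions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of an element's text or a
// quoted attribute value. One regex pass, so '&' is never double-escaped.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a comment into a fixed template. User data goes in only as
// escaped text, never as raw markup.
function renderComment(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Constructed sample: an untrusted comment body that tries to inject a tag.
const untrustedBody = '<script>alert("xss")</script>';

console.log(renderComment('alice', untrustedBody));
// The output contains &lt;script&gt;, which the browser shows as text.
```

This escaper is correct for element text and double- or single-quoted attribute values. It is not enough for values placed inside a URL, a JavaScript block or a CSS rule; those contexts need their own encoding, which is another reason to let the framework's templating do the work wherever you can.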

4. Secure Authentication

If you're implementing auth:

  • Hash passwords with bcrypt or Argon2 — never MD5 or SHA-256 alone
  • Use Secure (HTTPS-only), SameSite cookies for session tokens
  • Implement rate limiting on login endpoints
  • Consider passwordless options — magic links, WebAuthn, passkeys

5. Dependency Security

Your node_modules folder is a potential attack surface. Keep it in check:

# Check for known vulnerabilities
npm audit

# Use lockfiles to pin versions
# Review changes when updating packages

Automate dependency scanning in CI/CD with tools like Snyk or GitHub Dependabot.
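Running npm audit in CI is only useful if the pipeline actually fails on what matters. Here is an added example (my own, not from the original post) of a small gate script that reads the JSON report from npm audit --json and fails the build when anything at or above a chosen severity is present. The report shape I assume is the one npm 7 and later emit (auditReportVersion 2, a vulnerabilities map keyed by package name); the sample report and package names are constructed for the demo.

```javascript
// Added example, not from the original post: a CI gate over `npm audit --json`.
// Assumes the npm 7+ report shape; the sample report below is constructed.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Return the advisories whose severity meets or exceeds `threshold`,
// worst first.
function findBlocking(report, threshold = 'high') {
  const minRank = SEVERITY_ORDER.indexOf(threshold);
  if (minRank < 0) throw new Error(`unknown severity: ${threshold}`);
  const vulns = report.vulnerabilities || {};
  return Object.values(vulns)
    .filter((v) => SEVERITY_ORDER.indexOf(v.severity) >= minRank)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      fixAvailable: Boolean(v.fixAvailable), // npm may emit true/false or an object
    }))
    .sort((a, b) => SEVERITY_ORDER.indexOf(b.severity) - SEVERITY_ORDER.indexOf(a.severity));
}

// Decide the build outcome. Returns { pass, summary } so the caller
// chooses how to report and what exit code to set.
function gate(report, threshold = 'high') {
  const blocking = findBlocking(report, threshold);
  const summary = blocking.map(
    (v) =>
      `${v.severity.toUpperCase()} ${v.name}` +
      (v.direct ? ' (direct)' : '') +
      (v.fixAvailable ? '' : ' [no fix]'),
  );
  return { pass: blocking.length === 0, summary };
}

// Constructed sample report in the shape of `npm audit --json` (npm 7+).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-left-pad': { name: 'example-left-pad', severity: 'low', isDirect: false, fixAvailable: true },
    'example-parser': { name: 'example-parser', severity: 'high', isDirect: true, fixAvailable: false },
    'example-tar': { name: 'example-tar', severity: 'critical', isDirect: false, fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 1, total: 3 } },
};

// Usage in CI (assumed wiring):  npm audit --json > audit.json; node audit-gate.js audit.json
// With no file argument the script demonstrates on the constructed sample.
const reportPath = process.argv[2];
const report = reportPath
  ? JSON.parse(require('fs').readFileSync(reportPath, 'utf8'))
  : sampleReport;
const result = gate(report, 'high');
console.log(result.pass ? 'audit gate: pass' : `audit gate: FAIL\n  ${result.summary.join('\n  ')}`);
if (reportPath) process.exitCode = result.pass ? 0 : 1;
```

The threshold is deliberately a parameter: gating on high and above keeps the build honest without turning every low-severity advisory in a transitive dev dependency into a blocked merge. Pair it with npm ci so the lockfile, not the registry's latest, decides what gets installed.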

6. Security Headers Checklist

Set these response headers on every production deployment:

Header                            Purpose
Strict-Transport-Security         Force HTTPS
Content-Security-Policy           Restrict content sources
X-Content-Type-Options: nosniff   Prevent MIME sniffing
X-Frame-Options: DENY             Prevent clickjacking
Referrer-Policy: strict-origin    Control referrer info
Permissions-Policy                Restrict browser features
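The headers from sections 1, 2 and this checklist are best defined once and applied everywhere, and checked on the way out so a misconfigured route cannot quietly drop one. Here is an added example (my own, not from the original post) with a single function that produces the baseline header set, a helper that applies it to a Node http.ServerResponse, and an audit function that reports missing or weakened headers. The HSTS, nosniff, X-Frame-Options and Referrer-Policy values mirror the post; the CSP adds frame-ancestors 'none' (the policy-level twin of X-Frame-Options: DENY) and a Permissions-Policy value, which are my additions, and the fake response object and the weak sample headers are constructed for the demo.

```javascript
// Added example, not from the original post: central security headers,
// a helper to apply them, and an audit that flags missing or weak values.
// The fake response and the weak sample are constructed for illustration.

const ONE_YEAR = 31536000;

// Baseline header set. Start strict; loosen per route only when you must.
// Pass cspStyleSrc: ["'self'", "'unsafe-inline'"] to reproduce the post's CSP.
function securityHeaders({ cspScriptSrc = ["'self'"], cspStyleSrc = ["'self'"] } = {}) {
  return {
    'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains; preload`,
    'Content-Security-Policy': [
      "default-src 'self'",
      `script-src ${cspScriptSrc.join(' ')}`,
      `style-src ${cspStyleSrc.join(' ')}`,
      "frame-ancestors 'none'", // addition beyond the post's policy
    ].join('; '),
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'strict-origin',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  };
}

// Apply the set to an http.ServerResponse (anything with setHeader).
function applySecurityHeaders(res, overrides) {
  for (const [name, value] of Object.entries(securityHeaders(overrides))) {
    res.setHeader(name, value);
  }
}

const REQUIRED = Object.keys(securityHeaders());

// Audit a header map as received from a server (names are case-insensitive).
// Returns a list of human-readable findings; empty means the baseline holds.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);

  const findings = [];
  for (const name of REQUIRED) {
    if (!(name.toLowerCase() in lower)) findings.push(`missing ${name}`);
  }
  const hsts = lower['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push('HSTS max-age below one year');
  }
  const csp = lower['content-security-policy'];
  if (csp) {
    if (/'unsafe-eval'/.test(csp)) findings.push("CSP allows 'unsafe-eval'");
    if (/script-src[^;]*'unsafe-inline'/.test(csp)) findings.push("CSP script-src allows 'unsafe-inline'");
    if (!/default-src/.test(csp)) findings.push('CSP has no default-src fallback');
  }
  const xcto = lower['x-content-type-options'];
  if (xcto && xcto.toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  return findings;
}

// Constructed stand-in for http.ServerResponse that records setHeader calls.
function fakeResponse() {
  const headers = {};
  return { setHeader: (name, value) => { headers[name] = value; }, headers };
}

// Constructed weak response: short HSTS, eval allowed, most headers absent.
const weakHeaders = {
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "script-src 'self' 'unsafe-eval'",
};

const res = fakeResponse();
applySecurityHeaders(res);
console.log(auditHeaders(res.headers)); // []
console.log(auditHeaders(weakHeaders)); // seven findings
```

Run auditHeaders against the headers your deployed site actually returns (curl -sI on a few routes, including error pages and redirects) rather than against what the config says; the response that bypasses the middleware is the one that matters.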

Final Thought

Security is a mindset, not a checklist. Every feature you build, ask yourself: "What could go wrong? How could this be abused?"

Build a habit of thinking adversarially, and your applications will be better for it.

"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards." — Gene Spafford

Stay vigilant.