7 tips for beginners to secure website or web applications

Writing these basic tips for beginners who are writing their first site & ready to go live. If anything is missing or incorrect, you can help me to correct it by commenting on it. let’s start.

1. Get an SSL certificate:

It’s an HTTPS protocol that by default encrypts your site data when it goes from the client (browser) to the server. You can get it free as well

using Cloudflare.

1. Always use .env or config file at least:

Don’t save your DB connection string or any API keys in the coding file. Save them in .env file.(what is env file? https://nodejs.dev/learn/how-to-read-environment-variables-from-nodejs).

Note, make sure that by mistake you do not include that file in git or bitbucket or any repo.

For advanced level security, use a secret key-vault manager like Azure and AWS are providing. It adds one extra security layer.

For more read, you can refer https://aws.amazon.com/secrets-manager

1. Turn on IP or Domain whitelisting restriction for Database/API:

Database restriction is really helpful and important. Just mention the IP address like the local machine on which you do development, the IP of your server, etc.

If you don’t have static IPs like me, then domain whitelisting comes in handy solution so just mention your site domain and your DB will only serve that service request.

This can apply to your API and Images as well.

Note, Don’t forget this when you’re calling your API from the client side.

1. Check read/write permission to folders:

In some projects, we may decide to upload files to a folder. So be mindful while setting such permissions to your folders.

1. Data encryption:

I know this is common but still worth mentioning that we should encrypt users’ sensitive data and if possible try to avoid such information until you really need them in your app. Like if you are using stripe’s connect for the marketplace and you need an SSN or Tax Id of the business then just store them on stripe. not in DB.

And if you are making any Fin or Helth Tech apps, read data managing and storing requirements first. I know it’s boring but it’s a MUST.

1. Serverside validation:

In the early days of my development, I thought that client-side validation is all we need. But you can just inspect element & your app client-side validation are the boom. Gone. :)

So do add serverside validation and in file upload functions, don’t forget to set file size validation.

1. Disable iframe support:

If your site doesn’t need this functionality just use “add_header X-Frame-Options “SAMEORIGIN”;” and ad in server headers. This will not allow your website to get displayed in Iframe on other websites.

Do share your feedback on comments :)