Our Knowledge Base

The greatest tool of the wise man is knowledge!

13 Tips for securing your Web Application

by | Dec 13, 2022 | Security

Web applications are an essential part of the modern internet, providing users with rich and interactive experiences. But as web applications become more complex and sophisticated, they also become more vulnerable to security threats.

In this post, we will explore thirteen tips for securing your web application and protecting it against common security risks. From implementing proper authentication and authorization to using secure coding practices, these tips will help you ensure that your web application is safe and secure for your users.

1. Don’t write your own authentication

One of the most important aspects of web application security is authentication, which is the process of verifying a user’s identity before granting them access to sensitive resources. Many developers make the mistake of writing their own authentication code, believing that it will be more secure or tailored to their specific needs.

However, this is almost always a bad idea. Writing your own authentication code is difficult and time-consuming, and it is easy to make mistakes that can leave your web application vulnerable to security attacks.

Instead of writing your own authentication code, you should consider using a tried-and-tested authentication service. Some popular ones include Auth0 and Firebase Authentication. 

If you absolutely need to write your own authentication system, make sure that you use an existing authentication framework designed by security professionals.

By using a well-known and widely-used authentication framework, you can ensure that your web application is secure and that you are using the industry best practices. Some popular authentication frameworks you should look into for web applications are OAuth and OpenID connect.

2. Enforce HTTPS for all communication with your application.

One of the simplest and most effective ways to secure your web application is to enforce HTTPS for all communication with your application. HTTPS is the secure version of the HTTP protocol that is used to transfer data over the internet.

It encrypts data in transit, protecting it from being intercepted or modified by attackers. This is easier than ever to do in 2022, and every modern application should be using encryption in transit.

To enable HTTPS for your web application, you will need to obtain an SSL/TLS certificate from a certificate authority (CA) and install it on your web server. Certbot is a free SSL provider which has driven the industry adoption of HTTPS, and is the easiest way to get a valid SSL certificate. This certificate will be used to encrypt and decrypt data transmitted between the user’s web browser and your web application.

Once you have installed the SSL/TLS certificate on your web server, you can configure your web server to redirect all HTTP traffic to HTTPS, ensuring that all communication with your web application is done using HTTPS. This will provide an additional layer of security for your web application and help protect your users’ data from being intercepted by attackers.

 3. Use an ORM (Object relational Management system) for database queries, this will protect you from 99.99% of SQL injection attacks.

One of the most common security vulnerabilities in web applications is SQL injection, which is a type of attack that involves injecting malicious SQL code into a web application’s database query. This can allow attackers to access, modify, or delete sensitive data in the database, or even take control of the entire database.

To protect your web application from SQL injection attacks, you should use an Object Relational Management (ORM) system for your database queries. An ORM is a software library that provides an abstract layer between your web application and the database, allowing you to write database queries using high-level programming constructs rather than raw SQL.

By using an ORM, you can avoid many of the pitfalls of writing raw SQL, such as improperly handling user-supplied input or using insecure string concatenation to build SQL queries. ORMs provide a number of built-in security features, such as parameterized queries and escaping special characters, that help prevent SQL injection attacks.

Some examples of popular well maintained ORM’s are SQLAlchemy, TypeORM and PropelORM.

 4. Use a unique password for every service, and manage these passwords with a password manager such as Bitwarden

One of the simplest and most effective ways to improve the security of your web application is to use unique, strong passwords for every service that you use. This means using a different password for each web application, online account, and service that you use, rather than using the same password for multiple services.

Using unique passwords helps protect your web application from being hacked through other services that you use. If you use the same password for multiple services, and one of those services is hacked, then the attacker will be able to use the same password to gain access to your other accounts and services. By using unique passwords, you can prevent this type of attack and protect your web application from being compromised.

Managing unique passwords for multiple services can be challenging, which is why it is important to use a password manager to help you generate and store your passwords. A password manager is a tool that securely stores your passwords and allows you to easily retrieve them when you need them. There are many different password managers available, such as bitwarden, LastPass, and 1Password.

 5. Use the principle of least privilege when giving people access to your resources

The principle of least privilege is a security principle that states that users, processes, and systems should be given only the minimum level of access and permissions that are required to perform their intended tasks. This means that users should be granted only the permissions that are necessary to access the resources that they need, and no more.

In the context of web application security, the principle of least privilege means that you should carefully control and restrict access to your web application’s resources. This includes things like database records, files, and other sensitive data. By limiting access to these resources to only those users who truly need them, you can prevent unauthorized access and protect your web application from security threats.

To use the principle of least privilege for your web application, you will need to implement or use an off-the-shelf system for managing user permissions and access controls. This system should allow you to define and enforce different levels of access for different users and groups, and it should be able to dynamically adjust access levels as users’ needs and roles change.

All the major cloud services such as GCP, AWS and Azure have rich tooling for IAM (Identity access management) and provide fine grained access controls to project resources.

 6. Don’t store critical user data if possible. If you need to do identity verification for example, consider using a third party API so that you never need to handle sensitive documents such as passports.

Storing critical user data, such as personal information, passwords, and financial data, is a major security challenge for web applications. Not only do you need to protect this data from unauthorized access, but you also need to ensure that it is stored and managed in a secure and compliant manner. This can be difficult and time-consuming, especially if you need to handle sensitive documents such as passports for identity verification purposes.

One solution to this problem is to avoid storing critical user data if possible. This means using other methods to verify users’ identities, such as using third party APIs or other services that can handle sensitive data on your behalf. By using these services, you can avoid the need to handle sensitive documents yourself, and you can offload the responsibility for managing and protecting this data to a trusted provider.

For example, if you need to verify users’ identities, you could use a third party API that allows you to verify users’ identities without ever needing to handle their passport or other sensitive documents. The API provider would handle the verification process, and would return the result to your web application, allowing you to verify the user’s identity without ever having to store or handle sensitive data. These services are well worth the cost, as they not only reduce the impact of a hack, but also generally pay for themselves as you don’t need to dedicate as much developer time to compliance and maintenance for these security-critical systems.

 7. Assume that nothing you deploy with your frontend code or into your git repository is safe. The only way to keep your secrets safe is to keep it in the backend, and only provide them to your specific services that need it.

In web application development, it is important to keep sensitive data, such as passwords, API keys, and other secrets, safe and secure. This can be challenging, as the frontend code and assets that you deploy with your web application are often accessible to all your users. Furthermore, code repositories are often shared with third parties and it is very difficult to implement access control on a code repository. Generally when someone has access to a repository, they can see all the files which would include any secret keys that you may not want to share with them.

To keep your secrets safe, you should assume that nothing you deploy with your frontend code or into your git repository is safe. This means that you should avoid storing sensitive data in these places, and instead keep your secrets in the backend, where they are more secure and can be accessed only by the specific services that need them.

One way to do this is to use a secret management service, such as GCP Secrets manager or Hashicorp’s Vault. These services allow you to securely store and manage your secrets, and to provide them to your web application and other services in a controlled and secure manner. This can help prevent your secrets from being exposed or stolen, and can improve the overall security of your web application. It also makes it easier to change your passwords and API keys proactively on a schedule, or in response to an event such as a staff member leaving the company or an intrusion detection.

 8. Never trust user input, always validate it on the backend as well as the frontend. The frontend validation only helps the user do the right thing, the backend validation is your actual security

One of the key principles of web application security is to never trust user input. This means that you should never assume that the data that is entered by a user into your web application is valid or safe. Instead, you should always validate user input on the backend as well as the frontend to ensure that it is correct and meets your requirements.

Validating user input on the frontend can help improve the user experience of your web application by providing immediate feedback to the user if they enter invalid or incorrect data. This can help the user understand what they did wrong and how to fix it, and can prevent them from making mistakes or entering invalid data.

However, frontend validation is not a substitute for backend validation. The frontend validation only helps the user do the right thing, but it does not provide any actual security for your web application. The backend validation is where your actual security lies, because it is the last line of defense against malicious or invalid user input.

To implement effective backend validation, you should carefully define the rules and constraints that apply to each piece of user input, and use these rules to validate the data on the backend. This may involve using regular expressions, input sanitization, and other techniques to ensure that the data is correct and meets your requirements.


 9. Minimize your package dependencies where possible, and regularly check for critical updates.

In web application development, it is common to use external libraries and packages to help you implement certain features or functionality in your web application. These packages can provide useful functionality, but they can also introduce security risks if they are not properly managed.

To minimize these risks, it is important to minimize your package dependencies where possible, and to regularly check for critical updates to these packages. This means using only the packages that are absolutely necessary for your web application, and keeping track of the latest versions of these packages and any security updates that are released.

In the javascript/node ecosystem, you can use the npm audit command to check your package dependencies for known vulnerabilities and security issues. This command will scan your project’s dependencies and identify any packages that have known security vulnerabilities or other issues, and will provide guidance on how to fix these issues.

For Python, you can use a package called pip-audit to perform the same type of security checks for your project’s dependencies. You should find an auditing tool for your language and run it regularly to ensure that there are no easily exploitable vulnerabilities in your application.



 10. Set up monitoring on your services to see if there were failed login attempts or irregular activity such as web scraping.

Setting up monitoring on your web application and its services is an important step in securing your web application. Monitoring allows you to keep track of your web application’s performance, usage, and security, and to identify and respond to potential security threats or issues.

One aspect of monitoring that is particularly important for web application security is tracking failed login attempts and irregular activity, such as web scraping. Failed login attempts can indicate that someone is trying to gain unauthorized access to your web application, and web scraping can indicate that someone is trying to collect data from your web application without your permission.

To monitor failed login attempts and irregular activity, you will need to implement or use an existing system that tracks these events and sends notifications or alerts when they occur. GCP provides a monitoring service which is easy to plug into any of your existing applications.

Your monitoring system will be highly dependent on your specific web application, so it’s hard to make specific recommendations here. However, some general approaches that you could consider include:

  • Implementing login and access controls that track failed login attempts and lock out users after a certain number of failed attempts
  • Implementing rate limiting on your web application’s APIs and other resources to prevent excessive or irregular usage
  • Monitoring your web server’s logs and other data sources for signs of web scraping or other irregular activity


 11. Use a static code analyser to catch simple mistakes. SonarCloud and Snyk are both excellent choices that support many different coding languages.

Using a static code analyser is a good way to improve the security of your web application by catching simple mistakes and coding errors that could lead to security vulnerabilities. A static code analyser is a tool that automatically scans your source code and identifies potential issues or problems, such as syntax errors, coding conventions, and security vulnerabilities. For example, a static code analyser might identify a lack of input validation in your code, which could allow an attacker to inject malicious code into your web application. By catching and fixing these mistakes early, you can improve the security of your web application and prevent security vulnerabilities from being introduced.

There are many different static code analysers available, and they support a wide range of coding languages. Some popular static code analysers include SonarCloud and Snyk, which both support many different coding languages and provide a range of features and capabilities for identifying and fixing coding issues.


 12. Make your firewall rules as restrictive as possible, only enable the ports and source/destination IP addresses for what is absolutely necessary

One of the key elements of securing a web application is implementing a firewall that controls incoming and outgoing network traffic. A firewall is a network security system that uses rules to allow or block traffic based on specified criteria, such as the source or destination IP address, the port number, or the type of traffic.

To maximize the security of your web application, you should make your firewall rules as restrictive as possible. This means enabling only the ports and IP addresses that are absolutely necessary for your web application to function, and blocking all other traffic. This can help prevent unauthorized access to your web application and protect it from security threats.

To implement restrictive firewall rules, you will need to carefully assess your web application’s requirements and determine which ports and IP addresses are necessary for it to function. For example, you might need to enable access to your web server’s HTTP and HTTPS ports to allow users to access your web application, but you might not need to enable access to other ports, such as FTP or SSH, unless you are using these protocols for specific purposes.

Once you have determined the necessary ports and IP addresses, you can create firewall rules that allow only this traffic, and block all other traffic. This will help protect your web application from unauthorized access and other security threats, and will improve its overall security.


 13. Use a registered penetration testing service to make sure you’ve done things correctly, especially if you need to handle sensitive user data, or provide a critical service.

Penetration testing is a valuable security practice that involves simulating a cyber attack on your web application to identify vulnerabilities and security weaknesses. By conducting a penetration test, you can discover potential security issues and take steps to fix them before they are exploited by a real attacker.

If you need to handle sensitive user data or provide a critical service, it is especially important to use a registered penetration testing service. Using a registered penetration testing service can help ensure that your penetration test is conducted in a professional and thorough manner, and that you receive expert guidance on how to fix any security issues that are identified. This can help you improve the security of your web application, and can provide peace of mind that your web application is as secure as possible.

In conclusion, web application security is a critical concern for anyone who develops or maintains web applications. By following the tips outlined in this post, you can improve the security of your web application and protect it from security threats and vulnerabilities.



Need some help with digital security on your platform? We’d love to have a chat and give you some advice. Get in touch

More Articles

Overcoming Data Bias in UX Testing and Stats Analysis

Overcoming Data Bias in UX Testing and Stats Analysis

So as a UX designer it's important to let the evidence guide your decisions. However sometimes your own bias or ignorance or determination to solve a small issue can influence your interpretation of the data at hand.  In short this hurts your ability to push the User...

Top 5 Rules for Great UX Conversion Optimisation

Top 5 Rules for Great UX Conversion Optimisation

Firstly, what is conversion optimisation and why is it important? The aim is to encourage users to stay and convert by explaining the value proposition, and building in habitual dependance. Basically, every lead your business generates has a cost, let's say you spend...

Don't just take it from us!

We've had the pleasure to work with the AppNative team for the last few years. They were instrumental in redesigning our entire IT solution from a contemporary and cutting edge user interface to a sound and reliable administration system.

They have always gone beyond the scope of work to ensure successful product launches both here in Australia and globally, as well as support Moving Mindz in meeting our deadlines, and getting apps approved on various platforms. We now have a world class product that we are proud of and we are grateful to Appnative.

Shane Bilborough

CEO, Moving Mindz Pty Ltd

AppNative have been fantastic to work with on our new Ineda platform and over the years.

They've helped us build out the front-end of our customer platform as well as run our teams strategy sessions, sprint standups and retros, as well as run quality assurance testing for our products. 

The AppNative team has been easy to work with and a great way to supplement our internal team with the extra skills we need.

Nick Neda

CEO / Founder, Ineda & BeEnergy

We engaged the AppNative team after doing a search in the Australian market for a local company willing and motivated to bring an innovative idea to life that no one else had achieved. We had many hurdles to get through and the fact we were able to apply for both a patent and a research and development grant is a testimony to what we managed to build together.

The team were as passionate as we were, coming up with ideas that would compliment the solution, but also knew when to pull back if there was scope creep to ensure we remained on track with our MVP. We’re extremely proud of the product we built in partnership with Ben and his team. 

Skye Butler

CEO, Smylee

AppNative is made up of industry veterans with incredibly creative minds and have easily the best UI/UX designers in the world.

Having a deep understanding of modern development and technology coupled with genuinely world-class creative abilities means that AppNative creates visually stunning solutions that are beautiful and intuitive.

AppNative has gone above and beyond assisting us with building not only our product but our team. Their integrity, network, talent, and problem solving have rightfully given him the reputation he has, and our experience with AppNative could not have been better. 

Steven Bolton

CEO, Entrepreneur

Clients we've worked with

client logos