Web security is a critical part of modern application development. Failing to secure your app can leave it vulnerable to attacks that compromise user data, functionality, and trust. In this article, we’ll cover some of the most common web vulnerabilities and how to mitigate them.
1. Cross-site Scripting (XSS)
What is XSS?
XSS allows attackers to inject malicious JavaScript into a web page viewed by other users. This can lead to data theft, session hijacking, or redirection to malicious sites.
Example
<!-- Vulnerable code: the user-controlled ?name= parameter is echoed into the page without escaping -->
<div>Welcome, <?php echo $_GET['name']; ?></div>
If a user accesses /?name=<script>alert('Hacked!')</script>, the script runs in the browser.
Prevention
- Escape output when injecting user input into the DOM
- Use templating libraries that auto-escape (e.g., React, Handlebars)
- Set proper Content Security Policy (CSP)
- Validate and sanitize inputs on the server-side
2. Cross-site Request Forgery (CSRF)
What is CSRF?
CSRF tricks a logged-in user into performing unwanted actions on a web app where they’re authenticated—like changing a password or transferring funds.
Example
A malicious site sends this request behind the scenes:
<img src="https://yourbank.com/transfer?amount=1000&to=hacker" />
If the user is logged in to yourbank.com, the request might succeed.
Prevention
- Use CSRF tokens in all state-changing requests
- Set the SameSite attribute on session cookies to Strict or Lax so browsers don’t attach them to cross-site requests
- Require authentication for sensitive actions
3. SQL Injection
What is SQL injection?
An attacker injects SQL code into an input field to manipulate your database queries.
Example
// Insecure
db.query(`SELECT * FROM users WHERE username = '${username}'`);
Input like ' OR 1=1 -- can return all users.
Prevention
- Use parameterized queries or ORMs
- Never concatenate untrusted input into SQL queries
- Sanitize and validate inputs
4. Clickjacking
What is clickjacking?
Clickjacking tricks users into clicking hidden elements of your site, like buttons or links, inside an invisible frame.
Prevention
- Use the X-Frame-Options: DENY or SAMEORIGIN HTTP header
- Implement Content Security Policy with frame-ancestors 'none'
5. Insecure Direct Object References (IDOR)
What is IDOR?
IDOR occurs when attackers manipulate IDs or parameters in URLs to access data they shouldn’t be able to reach.
Example
A user changes this URL: https://app.com/invoice/12345 to https://app.com/invoice/12346 and sees someone else's invoice.
Prevention
- Never rely only on client-side IDs for access control
- Always verify authorization on the server side
- Use UUIDs instead of incremental IDs (this makes IDs hard to guess, but it does not replace the server-side authorization check)
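As an added example (not code from the original article), here are the insecure query from section 3 and the IDOR-style lookup from this section side by side with their fixes, in Python using the standard-library sqlite3 module and a constructed in-memory database; the table names, users and invoice numbers are assumptions for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the article): two users, each owning one invoice.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    con.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total REAL)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    con.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                    [(12345, 1, 99.0), (12346, 2, 250.0)])
    return con


def find_users_vulnerable(con, username):
    # Mirrors the insecure pattern from section 3: untrusted input concatenated into SQL.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in con.execute(sql)]


def find_users_safe(con, username):
    # Parameterized query: the driver binds the value, so quotes and "--" are just data.
    rows = con.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def get_invoice_vulnerable(con, invoice_id):
    # IDOR: looks up the row by the client-supplied id only, with no ownership check.
    return con.execute("SELECT id, total FROM invoices WHERE id = ?", (invoice_id,)).fetchone()


def get_invoice_safe(con, invoice_id, current_user_id):
    # Authorization enforced on the server, inside the query: the row must belong to the caller.
    return con.execute(
        "SELECT id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    con = make_db()
    payload = "' OR 1=1 --"
    print(find_users_vulnerable(con, payload))  # ['alice', 'bob']: every user leaks
    print(find_users_safe(con, payload))        # []: no username equals the payload
    print(get_invoice_vulnerable(con, 12346))   # (12346, 250.0): bob's invoice, readable by anyone
    print(get_invoice_safe(con, 12346, 1))      # None: alice is not the owner of invoice 12346
```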
Best practices for prevention
- Keep dependencies updated
- Use security headers (CSP, X-Content-Type-Options, X-Frame-Options, etc.)
- Validate input and escape output
- Implement proper authentication and authorization
- Monitor and log suspicious activity
- Follow OWASP Top 10 recommendations
Conclusion
Security is not just a backend concern—it’s a shared responsibility across the entire stack. By understanding these common attacks and applying preventive measures early, you protect both your users and your application from potential damage. Make security a habit, not an afterthought.