Security · April 5, 2026 · 3 min read · Updated: May 18, 2026

Web App Security Checklist for 2026 - What Every Developer Must Know

Aunimeda

90% of breaches exploit known, preventable vulnerabilities. This is the checklist we run before any client project goes live.


Authentication

  • Passwords hashed with bcrypt (cost factor 12+) or Argon2id - never MD5, SHA-1, or any other fast hash, salted or not
  • Rate limiting on login endpoints (for example, 5 failed attempts, then a temporary lockout or CAPTCHA). Key the limit on account plus source IP and keep lockouts short: a permanent lockout after N failures lets an attacker lock real users out just by guessing their usernames
  • Access tokens (JWT or opaque) short-lived (15-60 minutes); refresh tokens in httpOnly, Secure, SameSite cookies, rotated on use and revocable server-side
  • MFA available: TOTP (any authenticator app) at minimum, passkeys/WebAuthn preferred because they resist phishing
  • Password reset tokens expire in 1 hour, are single-use, and are stored hashed so a database leak does not hand out working reset links
  • All sessions and refresh tokens invalidated on password change, not just the one that made the change

Input Validation and Injection

  • All database queries use parameterized statements or an ORM's query builder - never string concatenation (ORMs still expose raw-query escape hatches; treat those like any other query)
  • File uploads validated by content (the file's own leading bytes), not by the client-supplied Content-Type header or the extension, both of which the attacker chooses; size-limited; stored outside the web root under a server-generated name
  • HTML output escaped to prevent XSS - use your framework's built-in escaping and avoid raw-HTML sinks such as innerHTML and dangerouslySetInnerHTML
  • JSON schema validation on all API inputs, rejecting unknown fields rather than ignoring them
  • Path traversal prevention on file operations: resolve the requested path and verify it still lies under the intended base directory, rather than searching the string for ".."

API Security

  • All endpoints authenticated except explicitly public ones: deny by default, so an unauthenticated route is a deliberate allowlist entry and never an oversight
  • Authorization checks at resource level (a user can only access their own data) on every read and write, not only on the listing endpoint
  • Rate limiting on all public endpoints, keyed by client IP (or API key where one is presented)
  • CORS restricted to an explicit list of origins, matched exactly - never `*` with credentials, and never reflecting whatever Origin header the request sends, which is `*` in disguise
  • API keys and other secrets in environment variables or a secrets manager, never in code and never shipped to the client
  • Sensitive data (tokens, keys, passwords, session cookies) never logged, including in access logs, error reports and crash dumps
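Two of the items above in code, as an added example that is not the article's code: a per-key sliding-window rate limiter (it also fits the login item in the Authentication list, keyed by account plus IP) and a CORS origin check that matches an allowlist exactly. The limits, origins and addresses are hypothetical, and both functions take an explicit clock or origin value so they can be exercised without a server.

```javascript
// Added example, not the article's code: a sliding-window rate limiter and a strict CORS
// origin allowlist. Limits, origins and addresses are hypothetical.
const WINDOW_MS = 60 * 1000;

class RateLimiter {
  constructor({ limit, windowMs = WINDOW_MS }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps of requests inside the window
  }

  // Returns true if the request is allowed, false if the key is over its limit.
  // Key public endpoints by client IP. Key login by account *and* IP, so one attacker
  // spamming a victim's username cannot lock the victim out from everywhere.
  allow(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// CORS: an exact allowlist of origins. The classic mistake is a suffix or substring test
// such as origin.endsWith("example.com"), which https://evil-example.com satisfies, or
// echoing the request's Origin back unconditionally, which is "*" with credentials enabled.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Returns the CORS response headers for a request from `origin`, or an empty object
// (no CORS headers at all) when the origin is not on the list.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The allowed value differs per request, so shared caches must key on Origin.
    "Vary": "Origin",
  };
}
```

The in-memory `Map` is fine for a single process; behind a load balancer the counters need to live in a shared store (Redis is the usual choice), otherwise each instance enforces its own, larger limit.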

Transport and Headers

  • HTTPS everywhere, with an HSTS header (long max-age; add includeSubDomains only once every subdomain serves HTTPS)
  • Content-Security-Policy header configured: a nonce- or hash-based script-src is the goal; roll it out in report-only mode first to find what breaks
  • Clickjacking protection: CSP frame-ancestors (the modern control) plus X-Frame-Options: DENY or SAMEORIGIN for older clients
  • X-Content-Type-Options: nosniff
  • Remove the X-Powered-By header and version strings in Server banners (don't advertise your stack)
  • TLS 1.2 minimum, TLS 1.3 preferred; legacy cipher suites and TLS 1.0/1.1 disabled

Dependencies

  • npm audit or yarn audit run regularly and in CI, against a committed lockfile, so what you audit is what you deploy
  • Dependabot or Renovate configured for automated dependency updates
  • No packages with known critical CVEs in production; for a finding you cannot fix yet, record why it does not apply and a date to revisit, rather than silently ignoring it

Infrastructure

  • SSH key-only access (PasswordAuthentication no, PermitRootLogin no)
  • Firewall: only ports 80, 443, and your SSH port open; everything else, the database port included, bound to localhost or a private network
  • Database not accessible from the public internet
  • Backups automated, encrypted, and tested (can you actually restore, and how long does it take?)
  • Secrets in a secrets manager or injected at deploy time, never in a .env committed to git; add .env to .gitignore, and treat anything that was ever committed as compromised and rotate it

The Vulnerabilities We See Most Often

Broken object-level authorization. The API serves /api/orders/123; a user changes 123 to 124 and sees another customer's order. Add an ownership check to every resource endpoint, and return the same 404 for "not found" and "not yours" so the id space cannot be enumerated.

Mass assignment. A user sends {"role": "admin"} in a profile update. If your ORM blindly applies the request body to the model, they just promoted themselves. Allowlist the fields a client may set and ignore everything else.

Exposed admin panel. /admin reachable by anyone on the internet. Put it behind a VPN or IP allowlist, and keep authentication and MFA on it as well; the allowlist is a second layer, not a replacement.

Verbose error messages in production. Stack traces leak file paths, library versions and query structure to attackers. Return a generic error with a correlation id in production and keep the details in internal logs under that id.


Security is not a feature you add at the end. Retrofit is 5× more expensive than building correctly from the start.

Contact us for a security audit →


Aunimeda builds secure software systems with security-first architecture - authentication, authorization, and security audits.

Contact us to discuss your project. See also: Custom Software Development
