The OWASP Top 10 is the definitive list of the most critical web application security risks. Every developer should understand it — not just security teams.
Users accessing data/functions they shouldn't have permission to.
// ❌ Vulnerable: trusts client-side role
app.get('/admin/users', (req, res) => {
if (req.body.isAdmin) return res.json(allUsers); // Attacker sets isAdmin: true
});
// ✅ Fixed: server-side role verification
app.get('/admin/users', authenticate, requireRole('admin'), async (req, res) => {
return res.json(await User.findAll());
});Sensitive data exposed due to weak/missing encryption.
MD5, SHA1)// ❌ MD5 is broken for passwords
const hash = crypto.createHash('md5').update(password).digest('hex');
// ✅ Use bcrypt or argon2
import bcrypt from 'bcrypt';
const hash = await bcrypt.hash(password, 12);SQL, NoSQL, command, LDAP injection — untrusted data sent as commands.
Already covered in depth this month. Use parameterized queries.
Security not considered in the design phase. No threat modeling. Race conditions by design.
Default credentials. Unnecessary features enabled. Error messages revealing stack traces. Missing security headers.
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000
Using dependencies with known CVEs.
npm audit # Check for vulnerable packages
snyk test # More comprehensive scanning
dependabot # Automated PR updatesWeak passwords allowed. No MFA. Session IDs not rotated after login.
CI/CD pipeline compromised. Unverified updates. Insecure deserialization.
No logs. No alerts. Average breach detection: 200+ days without proper monitoring.
Attacker tricks server into making requests to internal systems.
// ❌ Vulnerable: fetches any URL the user provides
const data = await fetch(req.body.url);
// ✅ Validate and allowlist URLs
const allowedDomains = ['api.trusted.com'];
const url = new URL(req.body.url);
if (!allowedDomains.includes(url.hostname)) throw new Error('Forbidden');Know these. Build with them in mind from day one.