July 16, 2025. Modified on July 16, 2025 at 07:04 AM
Web Security Best Practices for 2025

Essential web security practices every developer should implement in 2025. This guide covers OWASP Top 10 vulnerabilities, modern authentication patterns, CSP headers, API security, and how to protect against emerging threats in an increasingly complex web ecosystem.
Web Security in 2025: The Essential Guide
Security breaches are more costly than ever. Here's how to protect your applications.
Critical Vulnerabilities
1. Injection Attacks
Prevention:
- Always use parameterized queries
- ORMs that parameterize queries for you (the "sanitization" is the parameter binding, not string escaping)
- Input validation with Zod
```javascript
// Safe with Prisma: inputEmail is bound as a query parameter, never spliced into the SQL text
await prisma.user.findUnique({
  where: { email: inputEmail }
});

// Dangerous: inputEmail is concatenated straight into the SQL string, so it can inject SQL
await prisma.$queryRawUnsafe(`SELECT * FROM users WHERE email = '${inputEmail}'`);
```
2. Broken Authentication
Solutions:
- Use established libraries (Clerk, Auth.js)
- Implement rate limiting
- Require MFA for sensitive actions
Modern Security Headers
Essential CSP configuration:
```http
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'unsafe-inline' https://cdn.example.com;
  style-src 'self' 'unsafe-inline';
  img-src 'self' data: https://*.example.com;
  connect-src 'self' https://api.example.com;
  frame-ancestors 'none';
  form-action 'self';
```
Note that `'unsafe-inline'` in `script-src` lets any injected inline script run, which undoes most of the XSS protection this header exists to provide; a per-request nonce or a script hash is the stricter choice.
API Security
1. Rate Limiting
```javascript
import express from 'express';
import { rateLimit } from 'express-rate-limit';

const app = express();

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per window
  standardHeaders: true, // Return rate-limit info in the RateLimit-* headers
  legacyHeaders: false, // Disable the X-RateLimit-* headers
});

app.use('/api/', limiter);
```
2. Input Validation
Using Zod:
```javascript
import express from 'express';
import { z } from 'zod';

const app = express();
app.use(express.json());

const UserSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8).max(100),
});

app.post('/login', (req, res) => {
  const result = UserSchema.safeParse(req.body);
  if (!result.success) {
    // Return only the field-level messages, not the full error object
    return res.status(400).json(result.error.flatten());
  }
  // Process valid data from result.data, never from req.body directly
});
```
Authentication Patterns
1. Session Cookies
Secure settings:
```javascript
import express from 'express';
import session from 'express-session';

const app = express();

app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    httpOnly: true, // Not readable from JavaScript
    secure: true, // Only sent over HTTPS (set app.set('trust proxy', 1) behind a reverse proxy)
    sameSite: 'lax', // Not sent on cross-site POSTs
    maxAge: 1000 * 60 * 60 * 24 // 1 day
  },
  resave: false,
  saveUninitialized: false
}));
```
2. JWT Best Practices
```javascript
import jwt from 'jsonwebtoken';

function generateToken(user) {
  return jwt.sign(
    { userId: user.id },
    process.env.JWT_SECRET,
    { algorithm: 'HS256', expiresIn: '1h' } // Short expiration
  );
}

// Always verify, and pin the accepted algorithm so the token's own header cannot choose a weaker one
function verifyToken(token) {
  try {
    return jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
  } catch (err) {
    throw new Error('Invalid token');
  }
}
```
Security Tools
- OWASP ZAP: Automated scanner
- Snyk: Dependency vulnerability checker
- TruffleHog: Secrets detection
- Helmet: Secure Express apps
Security Checklist
- [ ] Dependency updates
- [ ] Automated security testing
- [ ] Security headers
- [ ] Input validation
- [ ] Principle of least privilege
- [ ] Logging and monitoring
- [ ] Secure CI/CD pipeline
- [ ] Regular penetration testing
Emerging Threats
- AI-Powered Attacks: Automated vulnerability discovery
- Supply Chain Attacks: Compromised dependencies
- WebAssembly Exploits: New attack surface
- Quantum Computing: Future threat to encryption
"Security is always excessive until it's not enough." - Robbie Sinclair




