This document outlines the minimum security standards and policies to follow in a web application to ensure compliance with modern web security best practices.
Inspired by OWASP, browser security standards, and real-world production requirements.
- Passwords are hashed using bcrypt or argon2
- No plaintext passwords stored or logged
- Authentication handled server-side
- Sessions or tokens have expiration
- Logout invalidates active sessions
- Refresh tokens are stored securely
- Account enumeration is prevented (generic error messages)
- Cookies set with the HttpOnly flag
- Cookies set with the Secure flag
- Cookies set with SameSite=Lax or SameSite=Strict
- Role-Based Access Control (RBAC)
- Permissions validated on the server
- Users can only access their own resources
- Admin-only routes are protected
- No authorization logic relies solely on frontend checks
Rule: UI checks are not security checks.
- All inputs validated server-side
- Request schemas enforced (Zod, Yup, Joi)
- Query parameters validated
- Headers validated where applicable
- SQL queries are parameterized
- User-generated content escaped before rendering
- File uploads validated (type, size, content)
Rule: Never trust user input.
- Content-Security-Policy (CSP)
- X-Frame-Options (DENY or SAMEORIGIN)
- X-Content-Type-Options: nosniff
- Referrer-Policy configured
- Permissions-Policy configured
Default mindset: If it is not explicitly allowed, it should not run.
- HTTPS enforced everywhere
- TLS 1.2+ only
- HSTS enabled
- CORS explicitly configured
- No wildcard origins when credentials are used
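The cookie attributes, security headers, HSTS and CORS items above can be checked mechanically. The audit below is example code added for this document, not part of the checklist or any project it describes; the function names and the two sample responses are constructed, and the input is a plain object of response headers as a test or middleware would see it.

```javascript
// Added example (not from the original checklist): audit a response's headers against
// the cookie, security-header, HSTS and CORS items above. `headers` is a plain object
// of header name -> value; Set-Cookie may be a string or an array of strings.
const HEADER_CHECKS = {
  "content-security-policy": (v) => v.length > 0,
  "x-frame-options": (v) => ["DENY", "SAMEORIGIN"].includes(v.toUpperCase()),
  "x-content-type-options": (v) => v.toLowerCase() === "nosniff",
  "referrer-policy": (v) => v.length > 0,
  "permissions-policy": (v) => v.length > 0,
  "strict-transport-security": (v) => /max-age=\d+/i.test(v),
};
// One Set-Cookie value: require HttpOnly, Secure and SameSite=Lax or Strict.
function auditCookie(setCookie) {
  const [pair, ...rest] = setCookie.split(";");
  const name = pair.split("=")[0].trim();
  const attrs = rest.map((a) => a.trim().toLowerCase());
  const findings = [];
  if (!attrs.includes("httponly")) findings.push(`cookie ${name}: missing HttpOnly`);
  if (!attrs.includes("secure")) findings.push(`cookie ${name}: missing Secure`);
  const sameSite = attrs.find((a) => a.startsWith("samesite="));
  if (!["samesite=lax", "samesite=strict"].includes(sameSite))
    findings.push(`cookie ${name}: SameSite must be Lax or Strict`);
  return findings;
}
function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  for (const [name, ok] of Object.entries(HEADER_CHECKS)) {
    if (!(name in h)) findings.push(`missing header ${name}`);
    else if (!ok(String(h[name]))) findings.push(`weak value for ${name}: ${h[name]}`);
  }
  // A wildcard origin together with credentials is the CORS combination the list forbids.
  if (h["access-control-allow-origin"] === "*" &&
      String(h["access-control-allow-credentials"]).toLowerCase() === "true")
    findings.push("CORS: wildcard origin while credentials are allowed");
  for (const c of [].concat(h["set-cookie"] ?? [])) findings.push(...auditCookie(c));
  return findings;
}
// Constructed samples: a weak response and one that meets the checklist.
const WEAK_RESPONSE = {
  "X-Frame-Options": "ALLOW-FROM https://partner.example", "Set-Cookie": "session=abc123; Path=/",
  "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true",
};
const HARDENED_RESPONSE = {
  "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=()", "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Access-Control-Allow-Origin": "https://app.example.com", "Access-Control-Allow-Credentials": "true",
  "Set-Cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"],
};
```

Running `auditSecurityHeaders(WEAK_RESPONSE)` lists ten failures (six header items, the CORS combination and three cookie attributes), while the hardened response returns an empty list.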
- Rate limiting on authentication endpoints
- Rate limiting on public APIs
- Brute-force protection implemented
- Secrets stored in environment variables
- .env files never committed
- Database is not publicly accessible
- Least-privilege database users
- Containers run as non-root
- Logs do not contain sensitive data
- Monitoring and alerting enabled
- Data minimization applied
- Only required user data collected
- User data deletion supported
- Clear privacy policy provided
- Compliance with GDPR
- Compliance with NDPR (Nigeria)
- Dependencies audited regularly
- No unmaintained or abandoned packages
- Lockfiles committed
- Automated security scanning enabled
- Known vulnerabilities patched promptly
- No stack traces exposed in production
- Generic error messages returned to clients
- Detailed errors logged server-side
- Authentication and authorization events logged
- Suspicious activity monitored
- Least Privilege
- Defense in Depth
- Secure by Default
- Fail Closed, Not Open
- Zero Trust (client is untrusted)
- Breach containment over breach prevention