Comments
okkimus19696y: Validate all inputs. Validate stuff on the server. Don't use technology that isn't maintained security-wise.
groot5256y: XSS: HTML-escape everything while storing or presenting. Validate all forms. Read the OWASP guide to prevent such things. Pretty much standard if you are using any good framework, which takes care of this for you.
SQL injection (similar attacks are possible with Meteor/Mongo if you don't check params to methods)
shit password storage algorithms (try not to roll your own authentication in general)
shit admin passwords
not enforcing SSL (more a problem for the users)
script injection
exposing secret API keys
no or wide-open SPF/DKIM/DMARC policies, enabling phishing
server admin stuff
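Added example, not posted by any commenter here, showing three of the items in the list above in Python with only the standard library: a parameterized query beside the string-built one it replaces, output escaping for stored markup, and password storage with PBKDF2 instead of a home-grown scheme. The table, rows and passwords are constructed for the demo.

```python
import hashlib
import html
import os
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a client site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "<b>hi</b>"), ("bob", "plain text")])
    return conn


def find_user_unsafe(conn, name):
    # Defect: user input is spliced into the SQL text, so quotes in
    # `name` change the query itself (the 'before' form of the fix).
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Fix: the driver sends the value separately from the query text,
    # so the input is only ever compared as data.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_bio(bio):
    # Escape at output time so stored markup is shown, not executed.
    return "<p>%s</p>" % html.escape(bio, quote=True)


def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256 from hashlib; the salt is stored with the hash.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _digest_hex = stored.split("$")
    return hash_password(password, bytes.fromhex(salt_hex)) == stored


def demo():
    """Run all three checks; returns a dict so results can be asserted on."""
    conn = make_db()
    stored = hash_password("correct horse")
    probe = "x' OR '1'='1"          # constructed input containing a quote
    return {
        "unsafe": find_user_unsafe(conn, probe),   # every row leaks
        "safe": find_user_safe(conn, probe),       # no such user
        "escaped": render_bio("<b>hi</b>"),
        "login_ok": verify_password("correct horse", stored),
        "login_bad": verify_password("wrong", stored),
    }
```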
Hit at least staging, and if possible dev too, with w3af, ZAP or something similar. Don't go to production while it still finds something. That won't replace a proper pentest, but the absolutely basic and obvious security issues will be identified.
Common site vulnerabilities and how to prevent them during development of a website for a client?
question