
Durgesh Tiwari
Author
Security best practices are a set of guidelines that help developers build secure websites, applications, and APIs. They reduce the risk of cyberattacks, protect sensitive data, and keep user accounts safe.
Whether you're building a web application, mobile application, or REST API, security should be a part of every project from the beginning.
Some of the most common security best practices include encryption, hashing, Multi-Factor Authentication (MFA), secrets management, and following the OWASP Top 10 security risks.
Encryption is the process of converting readable data into an unreadable format so that only authorized users can access it.
In simple words: Encryption protects data by making it unreadable to anyone who does not have the correct decryption key.
Encryption is commonly used to protect sensitive information such as payment details, personal information, and data transmitted between applications and servers.
When you visit an online banking website using HTTPS, the data exchanged between your browser and the server is encrypted.
Even if someone intercepts the data during transmission, they cannot read it without the correct decryption key.
Encryption is mainly divided into two types: Symmetric Encryption and Asymmetric Encryption. Both protect data, but they use different methods to encrypt and decrypt information.
Symmetric Encryption uses the same secret key for both encryption and decryption.
The sender encrypts the data using the secret key, and the receiver uses that same key to decrypt it. Since only one key is involved, this method is fast and efficient, making it ideal for encrypting large amounts of data.
Common Uses
File encryption
Database encryption
Disk encryption
Backup storage
VPN connections
Advantages
Faster than asymmetric encryption
Efficient for large amounts of data
Uses less computational power
Limitation
The same secret key must be shared securely between both parties. If the key is exposed, anyone can decrypt the data.
Asymmetric Encryption uses two different keys instead of one:
Public Key – Used to encrypt data.
Private Key – Used to decrypt data.
The public key can be shared with anyone, but the private key is kept secret by the owner. Even if someone has the public key, they cannot decrypt the encrypted data without the corresponding private key.
Although this method is more secure, it is slower than symmetric encryption because of the complex mathematical operations involved.
Common Uses
HTTPS (SSL/TLS)
Digital certificates
Secure email communication
Digital signatures
SSH authentication
Advantages
No need to share the private key
More secure for communication over the internet
Supports digital signatures and identity verification
Limitation
Slower than symmetric encryption
Requires more processing power
Feature | Symmetric Encryption | Asymmetric Encryption |
|---|---|---|
Keys Used | One shared key | Public key and Private key |
Speed | Faster | Slower |
Security | Depends on keeping the shared key secret | More secure for communication over the internet |
Best For | Encrypting large amounts of data | Secure communication and authentication |
Common Examples | AES, DES | RSA, ECC |
Hashing is the process of converting data into a fixed-length value called a hash. Unlike encryption, hashing is a one-way process, which means the original data cannot be converted back from the hash.
Hashing is mainly used to store passwords securely. Instead of saving a user's actual password, applications store its hash. This way, even if the database is compromised, the original passwords remain protected.
The hashing process is simple:
A user creates or enters a password.
The application converts the password into a hash using a hashing algorithm.
The generated hash is stored in the database.
During login, the entered password is hashed again.
If the new hash matches the stored hash, the user is authenticated.
Suppose you create an account with the password MyPassword123.
Instead of storing the actual password, the application stores its hashed value, such as:
MyPassword123
↓
9f86d081884c7d659a2fe...When you log in again, the application hashes the password you enter and compares it with the stored hash. If both hashes match, you are successfully logged in.
Some of the most widely used password hashing algorithms are:
bcrypt
Argon2
PBKDF2
These algorithms are specifically designed for password security and make it much harder for attackers to crack stored passwords.
A salt is a random value added to a password before hashing.
Even if two users choose the same password, adding a different salt generates a unique hash for each user. This prevents attackers from using precomputed lookup tables, known as Rainbow Tables, to crack passwords.
Modern hashing algorithms like bcrypt and Argon2 automatically generate and use salts, making password storage much more secure.
Never store passwords as plain text.
Use modern hashing algorithms like Argon2 or bcrypt.
Always use a unique salt for every password.
Avoid outdated algorithms such as MD5 and SHA-1 for password storage.
Protect your database, even if passwords are hashed.
Multi-Factor Authentication (MFA) is a security method that requires users to verify their identity using two or more authentication factors before they can access an account.
Instead of relying only on a password, MFA adds an extra verification step, making it much harder for attackers to gain unauthorized access.
A typical MFA process looks like this:
Enter your username and password.
The system asks for a second verification factor.
Verify your identity using the required method.
If both verifications are successful, you can access your account.
Some of the most common multi-factor authentication methods are:
Password + One-Time Password (OTP)
Password + Fingerprint
Password + Face Recognition
Password + Authentication App (Google Authenticator, Microsoft Authenticator)
Password + Security Key (USB or NFC security key)
Imagine you are logging in to your online banking account.
The login process works like this:
You enter your username and password.
The bank sends an OTP to your registered mobile number.
You enter the OTP.
After both checks are verified, you are logged in successfully.
Even if someone steals your password, they still cannot access your account without the second verification factor.
Using Multi-Factor Authentication provides several security benefits:
Protects accounts even if passwords are compromised.
Reduces the risk of unauthorized access.
Adds an extra layer of security to sensitive applications.
Helps prevent phishing and credential theft attacks.
Improves overall account security.
Secrets Management is the process of securely storing, accessing, and managing sensitive information used by an application.
These sensitive values, called secrets, should never be stored directly in the source code or shared publicly. If attackers gain access to these secrets, they may be able to access databases, APIs, cloud services, or other critical resources.
Applications use many types of secrets, including:
API Keys
Database Passwords
JWT Secret Keys
OAuth Client Secrets
Cloud Access Keys
Encryption Keys
A typical secrets management process looks like this:
Store secrets in a secure location, such as environment variables or a secret management service.
The application retrieves the required secret when it starts or whenever it needs it.
The secret is used to access protected resources, such as databases or APIs.
Secrets are updated or rotated regularly to reduce security risks.
Imagine your application needs to connect to a database.
Instead of writing the database password directly in the source code, you store it as an environment variable or in a secret management service. When the application starts, it securely reads the password and uses it to connect to the database.
This approach keeps sensitive information out of the source code and makes the application more secure.
Follow these best practices to protect application secrets:
Never hardcode secrets in the source code.
Store secrets in environment variables or a secret management service.
Rotate secrets regularly.
Give access only to authorized users and applications.
Monitor secret usage and replace compromised secrets immediately.
Use different secrets for development, testing, and production environments.
The OWASP Top 10 is a list of the most critical security risks for web applications, published by the Open Worldwide Application Security Project (OWASP).
It helps developers understand the most common vulnerabilities that attackers exploit and provides guidance for building more secure applications.
Although the list contains only ten categories, it covers many of the security issues found in modern web applications.
The OWASP Top 10 includes risks such as:
Broken Access Control
Cryptographic Failures
Injection Attacks
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery (SSRF)
You'll learn about these security risks in detail in the upcoming chapters.
Imagine an online shopping application where a normal user can access the admin dashboard simply by changing the URL.
This is an example of Broken Access Control, one of the most common security vulnerabilities listed in the OWASP Top 10.
Proper authentication and authorization checks can prevent this type of attack.
Following the OWASP Top 10 helps developers build more secure applications by:
Identifying common security vulnerabilities.
Reducing the risk of cyber attacks and data breaches.
Encouraging secure coding practices.
Improving the overall security of web applications and APIs.
Helping organizations meet security standards and best practices.
Many companies use the OWASP Top 10 as a security checklist during application development, code reviews, and security testing.
Following these security best practices helps protect websites, applications, APIs, and user data from common security threats.
Always use HTTPS for secure communication.
Encrypt sensitive data before storing or transmitting it.
Store passwords using strong hashing algorithms such as bcrypt or Argon2.
Enable Multi-Factor Authentication (MFA) for important accounts.
Never hardcode API keys, passwords, or secret tokens in the source code.
Store secrets securely using environment variables or secret management tools.
Validate and sanitize all user input.
Keep your software, frameworks, and libraries up to date.
Follow the OWASP Top 10 security recommendations.
Monitor your applications for suspicious activities and security incidents.
Application security is not a single feature—it's a combination of practices that work together to protect users and their data.
In this chapter, you learned:
Encryption protects sensitive data by converting it into an unreadable format.
Hashing stores passwords securely using one-way algorithms.
Multi-Factor Authentication (MFA) adds an extra layer of protection during login.
Secrets Management keeps API keys, passwords, and other sensitive information secure.
OWASP Top 10 highlights the most common web application security risks and helps developers build more secure software.
By following these best practices, you can build applications that are more secure, reliable, and resistant to common cyber attacks.