OWASP Top 10
The 10 most critical web application security risks. Every developer should know and actively defend against these vulnerabilities.
Syntax
environments-and-security
// Know, detect, preventExample
environments-and-security
// A01: Broken Access Control
// → Always check ownership: WHERE user_id = req.user.id
// A02: Cryptographic Failures
// → Use bcrypt for passwords, TLS everywhere, rotate secrets
// A03: Injection (SQL, NoSQL, Command)
// → Use parameterized queries, never concatenate user input
// A04: Insecure Design
// → Threat model before coding, not after
// A05: Security Misconfiguration
// → Disable debug in prod, remove default accounts
// A06: Vulnerable Components
// → Run npm audit weekly, keep deps updated
// A07: Auth Failures
// → Rate-limit logins, enforce MFA, expire sessions
// A08: Data Integrity Failures
// → Verify webhook signatures, use SRI for CDN assets
// A09: Logging Failures
// → Log auth events, never log passwords/tokens
// A10: SSRF
// → Validate & allowlist URLs before server-side fetches