Validate input, encode output, parameterize data access, and harden auth, errors, and sessions.
| Practice | Goal | Typical failure |
|---|---|---|
| Input validation | Reject malformed or malicious data at trust boundaries | Injection, business logic abuse |
| Output encoding | Context-appropriate escaping (HTML, URL, JS, CSS) | Cross-site scripting (XSS) |
| Parameterized queries | Separate SQL structure from user data | SQL injection |
| Authentication | Strong factors, safe password storage, rate limits | Account takeover |
| Error handling | Generic messages to users; detailed logs server-side | Information disclosure |
| Session management | Secure cookies, rotation, idle timeout, fixation defense | Session hijacking |
| Weakness | Vulnerable pattern | Safer pattern |
|---|---|---|
| SQL injection | `query = "SELECT * FROM users WHERE id = '" + userId + "'"` | `db.query("SELECT * FROM users WHERE id = ?", [userId])` |
| Cross-site scripting (XSS) | `el.innerHTML = userComment;` | `el.textContent = userComment;` |
| Credential check | `if (password == stored) // timing leak` | `verifyArgon2(pw, hash) + MFA + backoff` |

Use vetted algorithms for password verification, enforce MFA where policy requires it, and never log credentials.
Errors: Stable client message; detailed logs server-side only.
Sessions: HttpOnly, Secure, SameSite; rotate ID after login.
Issue a new session identifier after authentication succeeds.