Securing Your Web App: OWASP Top 10 for Developers

The OWASP Top 10 covers 90% of real-world web vulnerabilities. Every developer should know these by heart — here's a practical breakdown with code examples.

The OWASP Top 10 is the de facto standard for web application security. First published in 2003 and updated regularly, it represents the most critical security risks to web applications based on real-world data from thousands of organisations. Knowing these vulnerabilities — and how to prevent them — is not optional for professional developers.

A01: Broken Access Control

The #1 vulnerability, present in 94% of applications tested by OWASP. This occurs when users can access resources or perform actions they're not supposed to. Common mistakes: relying on client-side checks only, using sequential IDs (user/123 → user/124), not checking ownership on every API call.

middleware/auth.js (JavaScript)
// Assumes an Express router, a Mongoose Order model and an `authenticate`
// middleware that sets req.user (setup not shown in the post).

// WRONG — checking only authentication, not authorisation
router.get('/orders/:id', authenticate, async (req, res) => {
  const order = await Order.findById(req.params.id);
  res.json(order); // any logged-in user can see any order!
});

// CORRECT — always verify ownership
router.get('/orders/:id', authenticate, async (req, res) => {
  const order = await Order.findOne({
    _id: req.params.id,
    userId: req.user.id  // ensure the requesting user owns this
  });
  // 404 for both "missing" and "not yours": don't tell the caller which it was
  if (!order) return res.status(404).json({ error: 'Not found' });
  res.json(order);
});
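The route above checks ownership inline. Because the mistake is forgetting that check on one of many routes, it helps to put the decision in one reusable middleware. The following is an added example, not code from the post: it uses a constructed in-memory order store in place of the Mongoose model, a hypothetical `requireOrderAccess` middleware factory that also allows an admin role, and hand-rolled `req`/`res` stand-ins so it runs without Express installed.

```javascript
// Constructed in-memory order store standing in for the Mongoose Order model.
const orders = new Map([
  ['o-1001', { id: 'o-1001', userId: 'u-1', total: 42 }],
  ['o-1002', { id: 'o-1002', userId: 'u-2', total: 99 }],
]);

// One authorisation rule, kept in one place: the owner or an admin may read an order.
function canReadOrder(user, order) {
  if (!user || !order) return false;
  const roles = Array.isArray(user.roles) ? user.roles : [];
  return order.userId === user.id || roles.includes('admin');
}

// Hypothetical Express-style middleware factory. It loads the order, applies the rule,
// and answers 404 for both "does not exist" and "not yours", so a caller walking
// sequential IDs learns nothing from the status code.
function requireOrderAccess(store) {
  return function (req, res, next) {
    const order = store.get(req.params.id);
    if (!canReadOrder(req.user, order)) {
      return res.status(404).json({ error: 'Not found' });
    }
    req.order = order;
    return next();
  };
}

// Minimal stand-ins for req/res so the middleware runs without Express installed.
function simulateGetOrder(user, id) {
  const req = { user, params: { id } };
  const res = {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let reachedHandler = false;
  requireOrderAccess(orders)(req, res, () => {
    reachedHandler = true;
    res.json(req.order);
  });
  return { status: res.statusCode, body: res.body, reachedHandler };
}
```

In a real app you would mount the factory once per resource type (`router.get('/orders/:id', authenticate, requireOrderAccess(Order), handler)`) so that no handler can read an order it was not authorised for.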

A03: SQL Injection

SQL injection should be extinct in 2025 — yet it still appears in the OWASP Top 3. The fix is always the same: parameterised queries, never string concatenation.

db/users.js (JavaScript)
// VULNERABLE — never do this
const users = await db.query(`SELECT * FROM users WHERE email = '${email}'`);

// SAFE — always use parameterised queries
// ($1 is the node-postgres placeholder; the mysql2 driver uses ? instead)
const users = await db.query('SELECT * FROM users WHERE email = $1', [email]);
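Parameters cover values, but not every part of a query can be bound: column names in `ORDER BY` and `LIMIT` arithmetic are identifiers and keywords, which is where concatenation creeps back in. The added example below (not the post's code; the `users` table columns and the `buildUserSearch` helper are assumptions) shows a query builder in node-postgres style that binds every value, allow-lists sortable columns, and escapes `LIKE` wildcards. It also keeps the concatenated form from the post purely to show that it already breaks on a legitimate email containing an apostrophe.

```javascript
// Contrast only: concatenation produces malformed SQL for a perfectly valid address
// such as o'brien@example.com, the same mechanism an injection relies on.
function buildUnsafe(email) {
  return `SELECT * FROM users WHERE email = '${email}'`;
}

// Columns a client may sort by (assumed schema). Identifiers cannot be bound as
// parameters, so they are checked against an allow-list rather than interpolated.
const SORTABLE_COLUMNS = new Set(['email', 'name', 'created_at']);

// Builds a search query in node-postgres style ($1, $2, ...). Every user-supplied
// value travels in `values`; only allow-listed identifiers and fixed keywords reach `text`.
function buildUserSearch({ email, nameContains, sortBy = 'created_at', sortDir = 'asc', limit = 50 } = {}) {
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    throw new Error(`unsupported sort column: ${String(sortBy)}`);
  }
  const direction = String(sortDir).toLowerCase() === 'desc' ? 'DESC' : 'ASC';
  const rows = Number.isInteger(limit) && limit > 0 && limit <= 500 ? limit : 50;

  const values = [];
  const where = [];
  if (email !== undefined) {
    values.push(email);
    where.push(`email = $${values.length}`);
  }
  if (nameContains !== undefined) {
    // LIKE wildcards are data too: escape them and bind the pattern as a value.
    const escaped = String(nameContains).replace(/[\\%_]/g, '\\$&');
    values.push(`%${escaped}%`);
    where.push(`name LIKE $${values.length} ESCAPE '\\'`);
  }
  values.push(rows); // LIMIT is bound as well, after validation
  const text =
    'SELECT id, email, name FROM users' +
    (where.length ? ` WHERE ${where.join(' AND ')}` : '') +
    ` ORDER BY ${sortBy} ${direction} LIMIT $${values.length}`;
  return { text, values };
}

// Usage with node-postgres would be: const { text, values } = buildUserSearch(opts);
// const result = await pool.query(text, values);
```

The allow-list is the important part: a `sortBy` value that is not one of the known columns is rejected with an error rather than ending up inside the SQL text.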

A07: Authentication Failures

  • Hash passwords with bcrypt, Argon2, or scrypt — never MD5, SHA1, or plain SHA256.
  • Implement rate limiting on login endpoints (max 5 attempts, then lockout or CAPTCHA).
  • Use secure, HttpOnly, SameSite=Strict cookies for session tokens.
  • Enforce MFA for admin accounts and sensitive operations.
  • Invalidate all sessions on password change or logout.

Your Security Baseline Checklist

  1. All dependencies audited with npm audit or Snyk (run in CI).
  2. Security headers set: CSP, X-Frame-Options, X-Content-Type-Options, HSTS.
  3. All user input validated and sanitised server-side.
  4. Parameterised queries everywhere — no exceptions.
  5. Rate limiting on all authentication, registration, and API endpoints.
  6. Secrets in environment variables, never in code.
  7. Regular dependency updates — schedule a monthly review.
  8. Error messages that reveal nothing about your stack or schema.

Security is Not a Feature

Security needs to be built in from day one, not bolted on as an afterthought. The average cost of a data breach in the UK is now £3.4M (IBM 2024). A security review at the architecture stage costs £2,000–£5,000. The ROI on proactive security is enormous.

Got a project in mind?

I work directly with founders and CTOs to build reliable, scalable software. Let's have a conversation about your goals.
