Security isn't a feature you add at the end. It's a set of habits you build into every part of development. The OWASP Top 10 is the best starting point for any team that wants to ship secure software.
1. Injection
SQL injection, command injection, LDAP injection — all preventable with parameterised queries and input validation. Never concatenate user input into a query string. Use prepared statements, or an ORM such as Prisma that parameterises queries for you.
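To make the "never concatenate" rule concrete, here is an added example (not from the original post, and using Python's standard sqlite3 module on an in-memory database rather than Prisma) that runs the same lookup both ways against constructed sample rows and adds the allowlist validation the post recommends alongside parameterisation:

```python
import re
import sqlite3

# Constructed sample rows for the demo; the hashes are placeholders, not real data.
USERS = [("alice", "placeholder-hash-1"), ("bob", "placeholder-hash-2")]

# Allowlist for usernames: validation is the second layer the post asks for.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db():
    """Build a throwaway in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, name):
    """The anti-pattern: user input spliced into the SQL text itself.

    The database cannot tell where the query ends and the data begins,
    so a quote in the input changes the meaning of the statement.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Parameterised query: the value travels separately from the SQL.

    Whatever the input contains, it is compared as one literal string.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def is_valid_username(name):
    """Reject anything outside the allowlist before it reaches the database."""
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    conn = make_db()
    # A tautology such as this is the textbook way concatenation goes wrong.
    tautology = "x' OR '1'='1"
    print(find_user_vulnerable(conn, "alice"))     # ['alice']
    print(find_user_vulnerable(conn, tautology))   # every user is returned
    print(find_user_safe(conn, tautology))         # [] - treated as a literal
    print(is_valid_username(tautology))            # False - blocked earlier still
```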
2. Broken Authentication
Use a battle-tested auth library (NextAuth, Clerk, Auth0) rather than rolling your own. Enforce strong passwords, implement rate limiting on login endpoints, and use secure, httpOnly cookies for session tokens.
3. Sensitive Data Exposure
Encrypt data at rest and in transit. Never log passwords, tokens, or PII. Use environment variables for secrets — never commit them to version control. Rotate credentials regularly.
4. Security Misconfiguration
Disable directory listing. Remove default credentials. Set security headers (CSP, HSTS, X-Frame-Options). Review your cloud IAM policies — least privilege everywhere.
5. Cross-Site Scripting (XSS)
Sanitise all user-generated content before rendering it. React's JSX escapes interpolated strings by default — but dangerouslySetInnerHTML bypasses that escaping entirely. Use DOMPurify if you must render HTML from user input.
The Full Checklist
The remaining five (Insecure Direct Object References, Security Logging Failures, SSRF, Vulnerable Components, and Cryptographic Failures) each deserve their own deep dive. The key is to treat security as a first-class concern from the first line of code — not a box to tick before launch.