Web App Security: Lessons I Learned
Security is a necessity. I learned these lessons the hard way. Use these tips to keep your apps safe.
XSS: Users put JavaScript code in comments. That code ran in other users' browsers. I now use DOMPurify to clean HTML. React escapes rendered values by default; the exception is dangerouslySetInnerHTML, which inserts raw HTML.
CSRF: A malicious website can make your browser send requests to my app as you. Use CSRF tokens. Every form needs a secret token that the server verifies before acting on the request.
Environment Variables: I pushed an API key to GitHub. Someone used it. I now keep secrets in .env.local and list those files in .gitignore so they never enter the repository. Vercel handles keys for deployment.
Authentication: I use OTP via email instead of passwords. Passwords are easy to guess. OTPs expire. I limit OTP requests to 5 per hour per IP.
Rate Limiting: Bots hit my API. I added rate limits to stop DDoS attacks. I allow 100 requests per 15 minutes per user.
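The two quotas above (5 OTP requests per hour per IP, 100 API requests per 15 minutes per user) as one fixed-window rate limiter. This is an added example, not code from the original post; the policy names, the in-memory Map store and the Express-style req/res shape in the middleware are assumptions.

```javascript
// Fixed-window rate limiter keyed per policy (added example, not the post's code).
// Assumes a single process: the Map lives in memory. Several instances behind a
// load balancer would need a shared store (for example Redis) instead.
const POLICIES = {
  otp: { limit: 5,   windowMs: 60 * 60 * 1000 }, // 5 OTP requests / hour / IP
  api: { limit: 100, windowMs: 15 * 60 * 1000 }, // 100 requests / 15 min / user
};

class RateLimiter {
  constructor(policies = POLICIES, now = Date.now) {
    this.policies = policies;
    this.now = now;             // injectable clock, so tests need not sleep
    this.buckets = new Map();   // "policy:key" -> { windowStart, count }
  }

  // Records one request and reports whether it is within the quota.
  // Fixed windows allow up to 2x the limit across a window boundary; a sliding
  // window is tighter, but this matches the "N per period" rules stated above.
  check(policyName, key) {
    const policy = this.policies[policyName];
    if (!policy) throw new Error(`unknown rate-limit policy: ${policyName}`);
    const t = this.now();
    const id = `${policyName}:${key}`;
    let bucket = this.buckets.get(id);
    if (!bucket || t - bucket.windowStart >= policy.windowMs) {
      bucket = { windowStart: t, count: 0 };   // start a fresh window
      this.buckets.set(id, bucket);
    }
    if (bucket.count >= policy.limit) {
      const retryAfterMs = bucket.windowStart + policy.windowMs - t;
      return { allowed: false, remaining: 0, retryAfterMs };
    }
    bucket.count += 1;
    return { allowed: true, remaining: policy.limit - bucket.count, retryAfterMs: 0 };
  }
}

// Middleware adapter; assumes an Express-style (req, res, next) signature, as
// used by Next.js pages/api routes. keyFn picks the IP or user id from req.
function rateLimitMiddleware(limiter, policyName, keyFn) {
  return (req, res, next) => {
    const result = limiter.check(policyName, keyFn(req));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      return res.status(429).end('Too Many Requests');
    }
    return next();
  };
}
```

Because the clock is injected, the limiter can be driven through a full window in a test without waiting an hour.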
Input Validation: Validate every user input. Check the type, length, and format. I use Zod for this in Next.js.
Security is a process. Do regular audits. Use npm audit to find known vulnerabilities in your dependencies. Fix and document every finding.
Source: https://dev.to/ziad_amr_0e76916f10a8563a/web-app-security-lessons-i-learned-117o