Developer Resources

Essential security guidelines and best practices for software engineers building secure applications.

Secure Coding Guidelines

A comprehensive list of Do's and Don'ts for software engineers to follow when practicing secure coding.

✅ Do's – What You Should Always Do

  • Validate and Sanitize Input
    Validate all input against an allowlist of expected types, lengths and formats, and encode it for the context where it is used (SQL, HTML, shell). Validation narrows what an attacker can send; it does not replace parameterized queries or output encoding.
  • Use Parameterized Queries
    Prevent SQL injection by binding values with prepared statements or an ORM's query API. Never build SQL text with string formatting, not even through an ORM's raw-query escape hatch.
  • Implement Proper Authentication & Authorization
    Enforce strong authentication and granular authorization.
  • Store Passwords Securely
    Hash passwords with a slow, salted password-hashing function (Argon2id, bcrypt, scrypt) and compare the result in constant time. Never store plaintext, and never use a fast general-purpose hash such as SHA-256 on its own.
  • Use HTTPS Everywhere
    Encrypt all data in transit to protect against eavesdropping and MITM attacks.
  • Log Security-Relevant Events
    Record failed logins, permission errors and privilege changes, but never write passwords, session tokens or other secrets to the log.
  • Handle Errors Gracefully
    Display generic error messages to users; log detailed errors internally.
  • Use Well-Maintained Libraries
    Prefer mature, actively maintained libraries and frameworks.
  • Keep Dependencies Updated
    Regularly update software components and monitor for known vulnerabilities (e.g., CVEs).
  • Apply the Principle of Least Privilege
    Give users, processes, and services the minimum access they need.
  • Use Security Headers
    Apply headers like Content-Security-Policy, X-Content-Type-Options, and Strict-Transport-Security.
  • Think Like an Attacker
    Threat model your features and ask: "How could this be abused?"
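The following example is added here to illustrate three of the Do's above (input validation, parameterized queries and password storage); it is not code from the original page. It uses only the Python standard library against an in-memory SQLite table with constructed sample users, and it uses hashlib.scrypt as the slow password hash because the bcrypt and Argon2 packages named above are not part of the standard library. The vulnerable lookup is kept beside the safe one so the difference is visible on the same injection payload.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample data for this example (not from any real system).
USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]

# Allowlist: short lowercase handles only. Anything else is rejected up front.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")

# scrypt cost parameters (assumed policy values): 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def validate_username(name):
    """Reject input that does not match the allowlist. This narrows the input;
    it is not a substitute for parameterizing the query below."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def hash_password(password, salt=b""):
    """Salted scrypt hash, stored as 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time so the
    comparison does not leak how many leading bytes matched."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def make_db():
    """In-memory SQLite table holding only password hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(n, hash_password(p)) for n, p in USERS])
    return conn


def lookup_vulnerable(conn, name):
    """The bug: the username is spliced into the SQL text, so a quote in the
    input changes the shape of the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized: the driver binds the value; it can never alter the query."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def login(conn, name, password):
    """Validate, then parameterize, then verify with the slow hash."""
    try:
        name = validate_username(name)
    except ValueError:
        return False
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(conn, payload))   # every user leaks
    print(lookup_safe(conn, payload))         # []
    print(login(conn, "alice", "correct horse battery staple"))  # True
    print(login(conn, payload, "anything"))   # False: rejected by the allowlist
```

Run it and compare the two lookups on the same payload: the string-built query returns every row, the bound query returns none. The login path applies all three controls in order, so a malformed name never reaches the database and a wrong password costs the attacker a full scrypt computation per guess.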

❌ Don'ts – What to Avoid

  • Don't Trust User Input
    Never assume data from users (or other systems) is safe.
  • Don't Hardcode Secrets
    Avoid storing credentials, API keys, or tokens in source code.
  • Don't Disable Security Features for Convenience
    Don't turn off CSRF protection, CORS policies, or security checks "just for now."
  • Don't Use Obsolete Crypto
    Avoid MD5 and SHA-1 for signatures, certificates, integrity checks or password storage, and never design your own cipher or protocol. Use vetted primitives (for example SHA-256 and AES-GCM) from a maintained library.
  • Don't Roll Your Own Security
    Use standard libraries for crypto, authentication, and sessions — don't invent your own.
  • Don't Ignore Security Warnings
    Fix security warnings and code smells flagged by tools or linters.
  • Don't Expose Detailed Error Messages to Users
    Stack traces, database errors and debug output reveal framework versions, file paths and query structure that an attacker can use.
  • Don't Assume Internal Systems Are Safe
    Apply the same security controls internally as externally (Zero Trust mindset).
  • Don't Mix Code and Configuration
    Keep environment-specific settings and all credentials outside the codebase and out of version control; inject them at runtime from a secrets manager or environment variables.
  • Don't Forget to Log Out/Invalidate Sessions
    Terminate sessions server-side on logout, revoke all of a user's sessions and tokens when their password, role or privileges change, and issue a fresh session identifier after login so a pre-set identifier cannot be fixed by an attacker.
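The following example is added here to illustrate the session-handling Don't above together with "Don't Roll Your Own Security" and "Don't Hardcode Secrets"; it is not code from the original page. It is a minimal server-side session store written with only the Python standard library: tokens come from the secrets module, the store keeps an HMAC of each token rather than the token itself, and the HMAC key (pepper) is passed in by the caller, which in the stand-alone run below reads it from an environment variable. The SessionStore class, its method names and the one-hour lifetime are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets
import sys
import time

SESSION_TTL = 3600  # seconds; an assumed policy value for this example


class SessionStore:
    """Opaque random session tokens, stored server-side as keyed hashes so a
    leaked session table cannot be replayed as-is."""

    def __init__(self, pepper, now=time.time):
        if len(pepper) < 16:
            raise ValueError("pepper must be at least 16 bytes")
        self._pepper = pepper
        self._now = now                 # injectable clock, used by the tests
        self._sessions = {}             # token_id -> {"user": ..., "expires": ...}

    def _token_id(self, token):
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).hexdigest()

    def create(self, user):
        """Issue a new session; 256 bits of randomness from the OS CSPRNG."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._token_id(token)] = {
            "user": user, "expires": self._now() + SESSION_TTL}
        return token

    def user_for(self, token):
        """Return the session's user, or None if unknown, revoked or expired."""
        key = self._token_id(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if sess["expires"] <= self._now():
            del self._sessions[key]     # lazy cleanup of expired sessions
            return None
        return sess["user"]

    def logout(self, token):
        """Server-side termination: a logged-out token is unusable even if the
        client keeps a copy of it."""
        self._sessions.pop(self._token_id(token), None)

    def revoke_all(self, user):
        """Call on password change, role change or account lockout. Returns the
        number of sessions revoked."""
        doomed = [k for k, s in self._sessions.items() if s["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def rotate(self, token):
        """Replace the identifier after login or a privilege change so a
        pre-set (fixed) identifier never survives authentication."""
        user = self.user_for(token)
        if user is None:
            return None
        self.logout(token)
        return self.create(user)


if __name__ == "__main__":
    pepper = os.environ.get("SESSION_PEPPER")
    if not pepper:
        sys.exit("set SESSION_PEPPER in the environment; it is not read from source")
    store = SessionStore(pepper.encode())
    t = store.create("alice")
    print(store.user_for(t))            # alice
    t = store.rotate(t)                 # new token after login
    store.create("alice")               # a second device
    print(store.revoke_all("alice"))    # 2, e.g. after a password change
    print(store.user_for(t))            # None
```

The store never persists the raw token, so an attacker who reads the session table still cannot authenticate, and because every check goes through user_for, expiry and revocation apply uniformly to every code path. A real deployment would back the dictionary with a shared store such as a database or Redis so that revoke_all takes effect on every application instance.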