Security Is Not a Feature You Add Later
The most persistent misconception in web development is that security can be retrofitted — that you build the thing first and then add security once it’s working. In practice, the vulnerabilities that cause real-world breaches are usually baked into the architecture early and expensive to remove later. The good news is that the most common attacks are well-understood and preventable with relatively basic practices.
SQL Injection: Still Surprisingly Common
SQL injection — the attack where malicious input alters the database query a web application intends to run — has been a top web vulnerability for years. It’s entirely preventable and yet still accounts for a significant proportion of real-world breaches. The fix is parameterised queries: instead of building a query string by concatenating user input, you use placeholders and let the database driver handle the escaping. Any modern database library makes this easy; doing it wrong requires active effort.
The beginner mistake is building queries by concatenating user-supplied strings directly. A malicious input can turn an intended query into one that returns all records, deletes data, or bypasses authentication entirely. Parameterised queries prevent this completely, with no performance cost.
Storing Passwords Incorrectly
Storing passwords in plaintext is the most catastrophic password mistake, but storing them with weak or reversible hashing like MD5 or SHA-1 without salt is nearly as bad. The correct approach is to use a dedicated password hashing function like bcrypt, scrypt, or Argon2, which are specifically designed to be slow and to incorporate per-password salt to prevent rainbow table attacks. Most web frameworks include password hashing utilities that implement this correctly. If you find yourself writing your own hashing logic, stop — use the library.
Cross-Site Scripting (XSS)
XSS attacks occur when user-supplied content is rendered as HTML without being escaped, allowing an attacker to inject JavaScript that runs in other users’ browsers. The consequences range from session hijacking to complete account takeover. The prevention is output escaping: when rendering user-supplied content in HTML, escape characters so they display as text rather than executing as markup. Modern templating systems do this automatically by default. The vulnerability arises when developers bypass the escaping without understanding why it exists.
Sensitive Data in the Wrong Places
API keys, database passwords, and secret tokens don’t belong in source code — they belong in environment variables or a secrets manager. Yet beginners routinely commit credentials to version control, where they can be found almost immediately by automated scanners. The fix is simple: use .env files locally and environment variables in production, and add .env to your .gitignore at the start of every project, not after the credentials have already been committed.
Missing HTTPS and Broken Authentication
Serving a web application over HTTP rather than HTTPS means all traffic — including login credentials — is transmitted in plaintext and can be intercepted on shared networks. HTTPS with a valid certificate is now free via Let’s Encrypt and is standard for any production application. Authentication mistakes compound this: session tokens that don’t expire, no rate limiting on login attempts, and JWT tokens whose signatures aren’t verified are all common beginner errors that translate directly into exploitable vulnerabilities.
The Mindset Shift That Matters
Security requires thinking adversarially: what does this code look like to someone who wants to break it? Every input is potentially malicious. Every piece of data from an external source is potentially hostile. This isn’t paranoia; it’s the realistic model of how attacks happen. Building this perspective in early — rather than treating it as an advanced topic for later — is the difference between systems that hold up and systems that get breached.
Watch: Related Video
Sources
- OWASP Foundation. (2021). OWASP Top Ten. owasp.org/www-project-top-ten.
- Stuttard, D., and Pinto, M. (2011). The Web Application Hacker’s Handbook. Wiley.
- Let’s Encrypt. (2024). About Let’s Encrypt. letsencrypt.org/about.