Secure coding
Every entry point in an application is a trust boundary: data crossing it is untrusted until the code has validated it. The pages here address the coding-level controls that prevent common vulnerability classes: input validation at the boundary, output encoding at the point where data reaches an interpreter (HTML, shell, SQL), authentication, access control, and the framework-specific defaults that determine whether a stack is safe or dangerous out of the box. Most of what appears in security reviews is not novel. It is familiar patterns in unfamiliar code.
A vulnerability is usually a recognisable pattern. Finding it requires looking deliberately.
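As an added illustration of two of the controls named above, input validation at the boundary and output encoding at the sink, here is the recognisable pattern (an untrusted value reaching a sink unchecked) next to its hardened form. This is example code written for this page, not code from the corpus or any project it describes; the report directory, the allow-listed id format and the sample inputs are assumptions.

```python
"""Vulnerable handler beside its hardened form for two coding-level controls:
input validation (allow-list at the trust boundary) and output encoding
(HTML escaping at the sink). Added example with constructed inputs."""
import html
import os
import re
from pathlib import Path

# Assumed storage location and id format; neither comes from the page.
REPORT_DIR = Path("/srv/app/reports")
REPORT_ID = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def report_path_unsafe(report_id: str) -> Path:
    """The pattern: a request value is joined straight onto a filesystem path.
    '../../etc/passwd' walks out of REPORT_DIR."""
    return REPORT_DIR / report_id


def report_path(report_id: str) -> Path:
    """Hardened: validate against an allow-list before the value reaches the sink.
    Rejecting anything outside [A-Za-z0-9_-] removes '/', '.', and NUL at once."""
    if not REPORT_ID.fullmatch(report_id):
        raise ValueError(f"invalid report id: {report_id!r}")
    return REPORT_DIR / report_id


def greeting_unsafe(name: str) -> str:
    """The pattern: untrusted text interpolated into HTML without encoding."""
    return f"<p>Hello, {name}</p>"


def greeting(name: str) -> str:
    """Hardened: encode for the HTML text context at the output point.
    quote=True also covers attribute contexts by escaping ' and "."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def escapes_dir(candidate: Path) -> bool:
    """True if the lexically normalised path is not inside REPORT_DIR.
    Used here to show what the unsafe join allows; it is a check on the
    result, not a substitute for validating the input."""
    normalised = Path(os.path.normpath(candidate))
    return REPORT_DIR not in normalised.parents


if __name__ == "__main__":
    # Constructed inputs: one benign, one hostile for each sink.
    print(report_path_unsafe("../../etc/passwd"), escapes_dir(report_path_unsafe("../../etc/passwd")))
    print(report_path("q3-2024_report"))
    print(greeting_unsafe("<script>alert(1)</script>"))
    print(greeting("<script>alert(1)</script>"))
```

The two hardened functions share one shape: the untrusted value is constrained (validated or encoded) at the boundary it crosses, and the sink itself is left alone. That shape is what a reviewer looks for when reading unfamiliar code; its absence is the pattern the rest of this section catalogues.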
- Input validation
- Output encoding
- Authentication
- Caching security
- File upload security
- JavaScript security
- Python security patterns
- Broken access control
- Application logic security
- Clickjacking
- CORS and same-origin policy
- Cross-site request forgery
- Information disclosure
- HTTP Host header injection
- Insecure direct object references
- Path traversal
- Race conditions
- Command injection and unsafe deserialization
- Open redirects
- Server-side request forgery (SSRF)
- HTTP request smuggling
- WebSocket security
- Single sign-on security
- Secrets in version control
- Cross-site scripting (XSS)
- XML external entity injection