Security is not a feature you add after launch. It's an engineering discipline you apply from the first line of code. The OWASP Top 10 is the best starting point — here's how to actually fix each one.
1. Broken Access Control
The most common vulnerability in 2025. Users access resources they shouldn't. Fix: enforce authorisation server-side on every request. Never rely on client-side checks. Use attribute-based access control (ABAC) rather than role-based where possible. Test with automated tools like OWASP ZAP on every deployment.
2. Cryptographic Failures
Sensitive data transmitted or stored without adequate encryption. Fix: TLS 1.3 everywhere, including internal services. Hash passwords with Argon2id (not MD5, not SHA-1, not bcrypt). Encrypt PII at rest using AES-256-GCM. Never roll your own crypto.
3. Injection
SQL, NoSQL, command, and LDAP injection remain common. Fix: use parameterised queries exclusively. With an ORM like Prisma or Drizzle, raw SQL is rarely needed — but when it is, always use parameterised form. Validate and sanitise all input at the boundary.
4. Insecure Design
Security flaws baked into the architecture, not the implementation. Fix: threat model every new feature before writing code. Use secure design patterns. Build rate limiting, account lockout, and abuse detection into the design, not as an afterthought.
5. Security Misconfiguration
Default credentials, open cloud storage, verbose error messages. Fix: infrastructure as code with security baselines. Disable all default accounts. Return generic error messages to clients. Run automated configuration scanning (Prowler for AWS, kube-bench for Kubernetes).
6. Vulnerable Components
Your application is only as secure as its dependencies. Fix: run npm audit in CI and fail on high severity. Use Dependabot or Renovate for automated dependency updates. Pin dependency versions in production.
7. Authentication Failures
Weak passwords, credential stuffing, session fixation. Fix: enforce strong passwords or passkeys. Implement MFA. Rotate session tokens after login. Use short-lived JWTs with refresh token rotation. Rate limit authentication endpoints with exponential backoff.
8. Integrity Failures
Deserialization of untrusted data, CI/CD pipeline attacks. Fix: verify integrity of all downloaded dependencies with checksums. Sign deployment artifacts. Protect your CI/CD pipeline — it's a privileged execution environment. Use Sigstore for supply chain security.
9. Logging Failures
Insufficient logging means breaches go undetected. Fix: log all authentication events, access control failures, and input validation errors. Ship logs to a centralised SIEM. Alert on anomalies — multiple failed logins, unusual data exports, off-hours access.
10. SSRF
Server-side request forgery allows attackers to make the server fetch arbitrary URLs, including cloud metadata endpoints. Fix: validate and whitelist all URLs before fetching. Block access to private IP ranges. Disable HTTP redirects in internal fetch calls.
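As an added example (not code from the original post), a Node.js outbound-fetch guard that applies the three fixes above in order: a hostname allowlist checked before any network I/O, a private-range check on the address the host resolves to, and a fetch call with redirect following disabled. The allowlisted hostnames and the function names are assumptions.

```javascript
// Added example, not code from the original post. Assumes Node 18+ (global
// URL/fetch, node:dns); the allowlisted hostnames are placeholders.
const ALLOWED_HOSTS = new Set(['api.example.com', 'cdn.example.com']);

// Loopback, RFC 1918, link-local (covers 169.254.169.254 metadata), CGNAT
// and "this network" IPv4 ranges, as [network, prefix length].
const BLOCKED_V4 = [
  ['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['169.254.0.0', 16], ['100.64.0.0', 10], ['0.0.0.0', 8],
];
function ipv4ToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const parts = ip.split('.').map(Number);
  return parts.some(p => p > 255) ? null : parts.reduce((n, p) => n * 256 + p, 0);
}
// True if the address is in a blocked range. Non-IPv4 answers (IPv6) are
// treated as blocked; widen this only with an equivalent IPv6 range check.
function isBlockedAddress(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true;
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}
// Static check before any network I/O: null if acceptable, else a reason.
function rejectReason(raw) {
  let url;
  try { url = new URL(raw); } catch { return 'unparseable'; }
  if (url.protocol !== 'https:') return 'scheme';          // no http:, file:, ...
  if (url.username || url.password) return 'credentials';  // no user:pass@host
  if (!ALLOWED_HOSTS.has(url.hostname)) return 'host-not-allowlisted';
  return null;
}

// Allowlist check, then a range check on what the host resolves to, then a
// fetch that refuses redirects (a permitted host must not be able to send
// the request elsewhere). A DNS-rebinding window remains between lookup and
// connect; closing it means pinning the resolved IP at the socket layer.
async function safeFetch(raw) {
  const reason = rejectReason(raw);
  if (reason) throw new Error(`blocked outbound URL (${reason})`);
  const { promises: dns } = await import('node:dns');
  const addrs = await dns.lookup(new URL(raw).hostname, { all: true });
  if (addrs.some(a => isBlockedAddress(a.address))) {
    throw new Error('blocked outbound URL (resolves to a private range)');
  }
  return fetch(raw, { redirect: 'error' });
}
```

Log every rejection with its reason: repeated `host-not-allowlisted` hits for metadata or internal addresses are exactly the anomaly the logging section above says to alert on.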