Why Security Is a Developer Responsibility
Security is not just the job of a dedicated security team — every developer makes dozens of security-relevant decisions every day. From choosing a hashing algorithm to setting HTTP headers, the choices you make in code directly determine how resilient your application is to attack. This checklist covers the essentials.
1. Use Strong, Unique Passwords
Service accounts, database users, and admin panels all need strong passwords. Use a Password Generator to create passwords with at least 16 characters, mixing upper/lowercase letters, digits, and symbols. Never reuse passwords across environments.
2. Hash Passwords Properly
Never store passwords in plain text. Use a slow, salted hashing algorithm like bcrypt, scrypt, or Argon2. Fast algorithms like MD5 or SHA-256 are not suitable for password hashing because they can be brute-forced quickly. You can use our Hash Generator to see how different algorithms produce different outputs for the same input.
3. Validate and Sanitize All Input
Every piece of user input — form fields, URL parameters, headers, file uploads — is a potential attack vector. Validate input on the server side (client-side validation is for UX, not security). Use allowlists over denylists wherever possible.
// Allowlist approach — only permit expected values
const ALLOWED_SORT = ["name", "date", "price"];
function pickSort(input) {
  // Fall back to a safe default rather than passing an unexpected value through
  return ALLOWED_SORT.includes(input) ? input : "date";
}
// Sanitize HTML to prevent XSS (DOMPurify needs a DOM: browser, or jsdom on the server)
import DOMPurify from "dompurify";
function sanitizeHtml(userInput) {
  return DOMPurify.sanitize(userInput);
}
4. Implement Proper Authentication
Use industry-standard protocols like OAuth 2.0 and OpenID Connect. If you issue JWTs, make sure to validate signatures on every request, check expiration times, and use short-lived tokens. Our JWT Decoder lets you quickly inspect a token's claims and verify its structure during development.
5. Set Security Headers
HTTP response headers are a low-effort, high-impact defense layer. At a minimum, set these headers on every response:
- Content-Security-Policy — Mitigates XSS by controlling which resources the browser can load.
- Strict-Transport-Security — Forces HTTPS for all future requests.
- X-Content-Type-Options: nosniff — Prevents MIME-type sniffing.
- X-Frame-Options: DENY — Prevents clickjacking.
- Referrer-Policy: strict-origin-when-cross-origin — Limits referrer information leakage.
6. Enforce HTTPS Everywhere
All communication between client and server must use TLS. This is non-negotiable in 2025. Modern hosting platforms (Vercel, Cloudflare, Netlify) provide free TLS certificates automatically. Set Strict-Transport-Security headers and redirect all HTTP traffic to HTTPS.
7. Keep Dependencies Updated
Outdated dependencies are one of the most common attack vectors. Run npm audit (or the equivalent for your package manager) regularly and automate dependency updates with tools like Dependabot or Renovate.
# Check for known vulnerabilities
npm audit
# Fix automatically where possible
npm audit fix
8. Use Environment Variables for Secrets
API keys, database credentials, and encryption keys should never appear in source code or version control. Store them in environment variables and access them via process.env. Use tools like Base64 Encoder when you need to encode complex values for environment variable storage.
9. Implement Rate Limiting
Protect your API endpoints from brute-force attacks and abuse by implementing rate limiting. Start with conservative limits (e.g., 100 requests per minute per IP) and adjust based on legitimate usage patterns.
10. Log and Monitor
You cannot defend against what you cannot see. Log authentication attempts, authorization failures, and unusual request patterns. Set up alerts for anomalies so you can respond quickly.
Your Security Checklist
- Strong passwords for all accounts
- Passwords hashed with bcrypt/scrypt/Argon2
- Server-side input validation on every endpoint
- JWT tokens validated and short-lived
- Security headers set on all responses
- HTTPS enforced with HSTS
- Dependencies audited regularly
- Secrets stored in environment variables, never in code
- Rate limiting on authentication and API endpoints
- Logging and monitoring in place