Top 10 Web Securities

3 min readJan 20, 2021

Hello my dear friends, hope you all are safe and sound in this pandemic situation.

I would like to thank all my readers who have reached this article for the first time and many thanks to those who have reached here once again.

Today we will discuss about Top 10 Web Securities we must have to implement in our website before going live.

Let’s start…

1. Properly sanitize your input data

You need to take care of all of your inputs taken from users. It can be GET or POST you must have to sanitize it before using it. Similar to this pandemic situation, how we sanitize our hands before using it. As viruses can harm our body similarly if we do not properly sanitize our input data it can harm our application. There are different techniques in different technologies for sanitization. You need to check once and apply the same.

2.Never share session-id in the response body

You need to take care of your application’s session id. It should not be passed by the response body. How dangerous it can be, let’s see a use case. If you copy the session id of an admin user and paste it in the corresponding Cookie variable you can access any admin accounts and get all privileges. Not only session id, but you must also take care of any sensitive information that should not be passed through the response body.

3.Disable directory index

You must disable the directory index option before sharing your application to your users. An attacker can easily access your physical directories and their contents. It will be very easy for him to extract all important query logs and other information from your directory index. So it’s a must to disabled the directory index option.

In Apache Virtual Host: <Directory /var/www/public_html> Options -Indexes

Or, in the .htaccess file: Options -Indexes

4.Regenerate Session ID

You need to regenerate your session id and assign it immediately after a user authenticates to the application and make sure the Cookie value should be passed through the URL. By this it can be ensured before user authentication no one can gain access to Cookie.

5.Concurrent Sign-In

Though it completely the application requirement but if possible avoid concurrent sign-in option especially for the privileged logins.

6.Apply Limiters

If your application sends emails to your users, just keep in mind that there must be some limit for the users on how many emails that user can send per day. Obviously, that is a call to discuss with your stakeholders but you as an application developer try to impose a limit on any situation where the application sends emails. Otherwise, it can flood the database if an attacker gains this access.


If your application uses an iframe or not you must have to set an X-FRAMES-OPTIONS response header and the value must be SAMEORIGIN or DENY to prevent framing options.

8.HTTPOnly Flag on session cookies

The session cookie must have an HttpOnly attribute set to prevent access of cookies via scripts. In php.ini, you can set session.cookie_httponly = True

9.Invalid Login Message

In login functionality whatever may be the reason, the login fails your message should always say ‘Invalid Credentials’ or ‘Invalid Username/Password’ or something like that by which it can not be determined which field is actually incorrect whether it is username or password. So that anybody can’t speculate on the fields and trying combinations to hit the login function.

10. Disable ServerSignature

To disable the server signature you need to set the below lines at the apache configuration file ServerSignature Off ServerTokens Prod

This is not the end, we will come back with more such important notes. Just keep reading our other articles.

Till then connect with us on Facebook, Twitter, Linked In, and other social channels.

Thank You Very Much…

Originally published at