Web application security is one of the most important topics today. It is developing constantly, but the level of internet crime is probably growing far faster. So, first, what is web application security in general? It is the process of protecting online data stores against security threats that exploit vulnerabilities in an application's code, including unauthorized access, and it applies to any kind of data store. Beyond that, people have to be aware of the common web application vulnerabilities, how to protect their data, and how to keep malicious traffic out. Here is a list of some examples:
File inclusion and disclosure
• Don't take file names for inclusions from user input, only from trusted lists or constants;
• If user input is to be used, validate it against a whitelist. Checking if the file exists or if the input matches a certain format is not sufficient;
• Ensure the application runs with no more privileges than required;
• If you serve files by user-supplied file names, validate the names thoroughly to avoid directory traversal and similar attacks, and ensure the user is allowed to read the file.
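The two patterns above, an allowlist for includes and a validated-then-resolved path for downloads, as an added Python example (not code from the original page). The template names, the download root and the allowed character set are constructed assumptions for the example; note that the existence check the text warns about is deliberately absent.

```python
from pathlib import Path

# Constructed allowlist: the only page names the include logic will ever map to a file.
ALLOWED_TEMPLATES = {"home", "about", "contact"}

# Constructed example root; user-supplied download names must resolve to a file directly inside it.
DOWNLOAD_ROOT = Path("/srv/app/downloads")


def template_to_include(page: str) -> str:
    """Map a user-supplied page name to a template path via the allowlist.

    The input never becomes part of a path; it is only compared with the fixed
    set, so traversal sequences, NUL bytes or remote URLs cannot reach the include.
    """
    if page not in ALLOWED_TEMPLATES:
        raise ValueError(f"unknown page: {page!r}")
    return f"templates/{page}.html"


def resolve_download(name: str, root: Path = DOWNLOAD_ROOT) -> Path:
    """Validate a user-supplied file name and return the path to deliver.

    Checks, in order:
      1. reject empty names and names containing a separator or NUL;
      2. allow only a conservative character set and no leading dot
         (so '..' and dotfiles such as '.htpasswd' are out);
      3. resolve the candidate and confirm its parent is still the root,
         catching anything the first two checks did not anticipate.
    Whether the file exists is checked later by the delivery code, not here.
    """
    if not name or "/" in name or "\\" in name or "\x00" in name:
        raise ValueError("invalid file name")
    if name.startswith(".") or not all(ch.isalnum() or ch in "._-" for ch in name):
        raise ValueError("invalid file name")
    root = root.resolve()
    candidate = (root / name).resolve()
    if candidate.parent != root:
        raise ValueError("path escapes download root")
    return candidate


def is_known_page(page: str) -> bool:
    """Boolean wrapper around template_to_include, convenient for request handlers."""
    try:
        template_to_include(page)
        return True
    except ValueError:
        return False


def is_safe_download(name: str) -> bool:
    """Boolean wrapper around resolve_download."""
    try:
        resolve_download(name)
        return True
    except ValueError:
        return False
```

A per-user authorization check (is this user allowed to read this file?) belongs right after `resolve_download` and before the file is opened; it is omitted here because it depends on the application's own access model.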
File upload vulnerabilities
• Avoid unnecessary file uploads;
• Ensure that files uploaded by the user cannot be interpreted as script files by the web server, e.g. by checking the file extension (or whatever means your web server uses to identify script files);
• Consider delivering uploaded files with the "Content-disposition attachment" header.
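How the upload rules above can be applied in practice, as an added Python example (not code from the original page): an extension allowlist that also rejects script-like extensions anywhere in the name, a server-chosen storage name, and the `Content-Disposition: attachment` header for delivery. The extension sets are constructed for the example and must match how your own web server decides what to execute.

```python
import os
import secrets

# Constructed allowlist: the only extensions this application stores. The upload
# directory is assumed to be configured so the web server never executes anything in it.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}

# Constructed list of extensions a web server might execute. They are rejected even in the
# middle of a name ("photo.php.png"), which some misconfigured servers still treat as PHP.
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "phar", "asp", "aspx", "jsp", "cgi", "pl", "py", "sh"}


def validate_upload_name(original_name: str) -> str:
    """Return the lower-cased extension if the upload may be stored, otherwise raise."""
    base = os.path.basename(original_name.replace("\\", "/"))  # drop any client-side path
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("file needs a base name and an extension")
    exts = parts[1:]
    if not all(e.isalnum() for e in exts):
        raise ValueError("extension contains unexpected characters")
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        raise ValueError("script-like extension rejected")
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {exts[-1]!r} not allowed")
    return exts[-1]


def stored_name(original_name: str) -> str:
    """Pick the on-disk name ourselves; the client's name contributes only its extension."""
    return f"{secrets.token_hex(16)}.{validate_upload_name(original_name)}"


def download_headers(original_name: str, content_type: str = "application/octet-stream") -> dict:
    """Headers for sending a stored upload back to a browser.

    'attachment' makes the browser save the file instead of rendering it, so an uploaded
    HTML or SVG file never runs as a page on this origin; 'nosniff' stops content sniffing.
    """
    safe = "".join(ch if ch.isalnum() or ch in "._-" else "_" for ch in os.path.basename(original_name))
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }


def is_allowed_upload(original_name: str) -> bool:
    """Boolean wrapper around validate_upload_name."""
    try:
        validate_upload_name(original_name)
        return True
    except ValueError:
        return False
```

Checking the extension is the minimum; if the server uses MIME sniffing or handler mappings that do not depend on the extension, the check has to mirror those rules instead.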
SQL injection
• Use prepared statements to access the database, or
• use stored procedures, accessed using appropriate language/library methods or prepared statements;
• Always ensure the DB login used by the application has only the rights that are needed.
Cross-site scripting (XSS)
• Escape anything that is not a constant before putting it in the response, as close to the output as possible (i.e. right in the line containing the "echo" or "print" call);
• If not possible (e.g. when building a larger HTML block), escape when building and indicate the fact that the variable content is pre-escaped and the expected context in the name;
• Don't forget URLs in redirector scripts.
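Output-time escaping for the three cases above (escape at the `print`, escape while building a larger block and mark the variable as pre-escaped, and validate the URL in a redirector), as an added Python example that is not from the original page. The `_html` naming convention and the allowed redirect hosts are constructed assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist of hosts a redirector may send users to.
ALLOWED_REDIRECT_HOSTS = {"example.com", "www.example.com"}


def render_greeting(name: str) -> str:
    """Escape in the same expression that emits the value (HTML body context)."""
    return "<p>Hello, " + html.escape(name) + "!</p>"


def render_search_form(query: str) -> str:
    """Attribute context: quote=True also converts the quote characters, so the
    value cannot close the attribute it is placed in."""
    return '<input name="q" value="' + html.escape(query, quote=True) + '">'


def build_results_block(items) -> str:
    """When a larger block has to be built first, escape while building and name the
    result with an `_html` suffix so later code knows it is already safe for an HTML
    body context (and must not be escaped again or dropped into an attribute or script)."""
    rows_html = "".join("<li>" + html.escape(item) + "</li>" for item in items)
    return "<ul>" + rows_html + "</ul>"


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """The URL handed to a redirector is untrusted input too.

    Accept a site-relative path (but not a protocol-relative '//host' one) or an
    http(s) URL whose host is on the allowlist; anything else, including
    'javascript:' and 'data:' schemes, falls back to a local page.
    """
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "" and url.startswith("/") and not url.startswith("//"):
        return url
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return url
    return fallback


def render_redirect_link(url: str) -> str:
    """Validate first, then escape for the attribute context it lands in."""
    return '<a href="' + html.escape(safe_redirect_target(url), quote=True) + '">continue</a>'
```

The same value needs a different escaper per context: what is safe inside an HTML element is not safe inside a JavaScript string or a URL query parameter, which is why the pre-escaped variable name should state the context it was escaped for.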
Special files (robots.txt, crossdomain.xml, clientaccesspolicy.xml)
• Know the meaning of these files;
• Ensure robots.txt does not disclose "secret" paths;
• Ensure crossdomain.xml and clientaccesspolicy.xml allow access from trusted domains only;
• Prevent users from uploading/changing special files;
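A small review script for the two file types named above, as an added Python example (not from the original page): it parses `crossdomain.xml` (and the `clientaccesspolicy.xml` equivalent) and flags wildcard, untrusted or insecure entries, and it reads `robots.txt` for `Disallow` lines that advertise paths which should be protected by authentication rather than hidden. The sample files, the trusted domain list and the "sensitive" path markers are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample crossdomain.xml with one wildcard entry and one acceptable entry.
CROSSDOMAIN_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.example.com" secure="true" />
</cross-domain-policy>
"""

# Constructed sample clientaccesspolicy.xml (Silverlight form) granting everything to every origin.
CLIENTACCESSPOLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""

# Constructed sample robots.txt; everything in it is public by definition.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/
Allow: /
"""

TRUSTED_DOMAIN_SUFFIXES = ("example.com",)  # constructed: the site's own domains


def crossdomain_findings(xml_text: str) -> list:
    """Flag policy entries that admit any origin, an untrusted origin, or plain-http origins."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag in ("allow-access-from", "allow-http-request-headers-from"):
            domain, secure = el.get("domain", ""), el.get("secure", "true")
        elif el.tag == "domain" and el.get("uri") is not None:  # clientaccesspolicy.xml form
            domain, secure = el.get("uri"), "true"
        else:
            continue
        if domain == "*":
            findings.append(f"{el.tag}: wildcard '*' allows any site to read responses")
            continue
        bare = domain.split("://", 1)[-1].split("/", 1)[0].lstrip("*.")  # "*.example.com" -> "example.com"
        if not any(bare == s or bare.endswith("." + s) for s in TRUSTED_DOMAIN_SUFFIXES):
            findings.append(f"{el.tag}: untrusted domain {domain!r}")
        if secure.lower() != "true":
            findings.append(f"{el.tag}: secure=\"false\" lets http:// pages read https:// data for {domain!r}")
    return findings


def robots_findings(robots_text: str, sensitive_markers=("admin", "backup", "old", "private", "secret")) -> list:
    """A Disallow line does not hide a path; it publishes it. Flag the ones that look sensitive."""
    findings = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() != "disallow":
            continue
        path = value.split("#", 1)[0].strip()
        if any(m in path.lower() for m in sensitive_markers):
            findings.append(f"Disallow {path}: relies on obscurity; protect it with authentication instead")
    return findings
```

Run it against the files checked into the web root as part of a deploy check; the marker list is a heuristic and will need tuning for each site's own naming.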
Password storage
• Don't store plain-text passwords, store only hashes;
• Use Argon2, scrypt, bcrypt, or some other secure hashing algorithm specifically designed for secure password "storage";
• Use per-user salts;
• Limit login attempts per IP (not per user account)