Security Basics Every Product Team Should Ship With

Apr 02, 2024 · 6 min read · Security & Best Practices

Aamer Rasheed, Founder, Digital Sensei Technologies

Security is a product feature. Ship a baseline from day one to protect users and avoid costly emergencies later.

1) Secure authentication & session management

  • Password hashing: never store plain text; use bcrypt or Argon2.
  • Token storage: web → HTTP-only, Secure cookies (avoid localStorage for tokens).
  • Short-lived access + refresh rotation: rotate refresh tokens on use.
  • MFA: at least for admins/sensitive actions.
  • Lockout/rate limit: throttle repeated login failures.

2) Input validation & sanitization

  • Validate on the server (Joi, Zod, class-validator).
  • Sanitize to prevent injection/XSS; avoid string-built queries.
  • Validate outputs for critical integrations.

3) Secure communication (TLS/HTTPS) & headers

  • Force HTTPS; enable HSTS; use modern TLS suites.
  • Apply Helmet (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).

4) Least privilege & RBAC

  • Scope service permissions minimally.
  • Enforce roles/permissions on every API and UI action.
  • Separate internal vs public APIs; restrict access paths.

5) Rate limiting, throttling & abuse protection

  • Per-user/IP limits on public endpoints (login, reset, search).
  • Captcha or progressive delays for signup/login abuse.
  • Prefer upstream enforcement (gateway/proxy) where possible.

6) Configuration & secrets management

  • Do not commit secrets; use env vars or secret managers.
  • Encrypt in transit and at rest; rotate keys regularly.
  • Use least-privilege service accounts.

7) Dependency & supply-chain security

  • Audit (npm audit, Snyk) and patch promptly.
  • Pin versions; remove unused or vulnerable packages.
  • Fail CI on critical vulnerabilities.

8) Logging, monitoring & incident readiness

  • Structured logs (JSON) with context: request/user IDs, IP, route.
  • Alert on anomalies: spikes in 401/403/5xx, traffic bursts.
  • Maintain an incident playbook (breach, data leak, key leak, rotation steps, contacts).

9) Data encryption & classification

  • Encrypt/hash PII and sensitive fields; consider field-level encryption/tokenization.
  • Mask sensitive data in logs.
  • Classify data (public/internal/confidential) and enforce handling rules.

10) Reviews, threat modeling & audits

  • Threat model at design time (actors, entry points, trust boundaries).
  • Security code reviews before release; periodic pen tests.
  • Re-run security tests routinely to catch regressions.

From my projects

Marketplace: RBAC (buyer/seller/admin), HTTP-only cookies, rate-limited login/search, dependency audits. Clinic voice assistant: encrypted logs, restricted access via secure APIs, regular key rotation.

Start here: quick checklist

  • Add server-side validation/sanitization to one endpoint.
  • Force HTTPS + Helmet.
  • Enable rate limits on login.
  • Remove console.log in production builds.
  • Run a dependency audit and patch one critical item.