51 Web Application Security Tips and Tricks

Looking to protect your web apps? Why does it matter so much?

According to the global research giant Gartner, 70% of all cyber attacks happen at the web application layer. Hackers have higher motivation to attack Layer 7 because it’s critical to your business. If applications are compromised, attackers get access to your database, they can bring website down, or disrupt financial transactions.

So, what are the best ways to keep your web applications secure? Is there a checklist that you can follow? Here are 51 tips that will help you.


  1. Let’s start with the obvious. Scan all your web applications. Use an automated scanner that runs tests daily.
  2. Understand that open source code is vulnerable. Just one line of corrupt code can bring the whole website down.
  3. OWASP Top 10 is the best foundation when looking for vulnerabilities. Ensure that your tests follow this methodology.
  4. However, OWASP Top 10 is not the holy grail. You should be testing for other weaknesses such as SANS 25 and zero-day issues.
  5. Here’s is a list of free website scanners that you can use.
  6. Ensure that your plugins are free of vulnerabilities.
  7. According to 2018 Global Security Report, every web application has at least one vulnerability. Ensure that you prioritize critical issues first.
  8. Understand that automated scans have limitations. They are programmed to look for certain security loopholes and cannot function beyond that.
  9. Most free scanners in the market are useless. Look at the reports and talk to your developers to understand if the scan is worth it.
  10. If you are paying for a web application security tool, make sure that the reports are available online and provide you ROI value.
  11. Look for scanners that sync DevSecOps and cybersecurity.

Penetration Testing

  1. Advanced penetration testing is essential for critical apps.
  2. Pen testing finds business logic vulnerabilities that are unknown to an automated scanner.
  3. Manual penetration testing involves an ethical hacker trying to crack your web app just like a hacker. It’s time-consuming but comprehensive and effective.
  4. If your website is dealing with payment systems and huge customer data, schedule periodic pen testing.
  5. Always opt for a combination DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing).
  6. Most penetration testing experts also help you remediate the vulnerability. If there is something you do not understand, ask for help.
  7. Once the issues are fixed in the code, as for a review again.
  8. Always run your software on the latest patch available by the vendor.
  9. Sanitize all input field from the user. If not, it could lead to an SQL Injection attack.
  10. Penetration tests are also costly. Limit the test to critical apps only.
  11. If you have a tester in house to understand the business flow, ask them to work with developers. They can devise methods that minimize issues.
  12. Never let a developer test his own applications. That’s calling for trouble.
  13. Never show more than necessary in a error message. Hackers are smart enough to find system flaws from error messages.
  14. Use a hosting provider. It takes a lot away from your bucket.
  15. Also check your passwords. Tell employees not to go for obvious codes.
  16. Back up all your data frequently.


  1. Over 4000 malwares attacks happen every day. Is your website free of them?
  2. Google and other search engines blacklist a site in up to 48 hours if it’s infected.
  3. Here is a list of free malware scanners.
  4. Always take a backup of the data before deleting malware-infected files.
  5. Limit the types of files a user can upload to the server. If possible, scan all of the upload in real-time.

Web Application Firewall

  1. According to the Web Application Security Statistics Report, it can take over 5 months to fix critical vulnerabilities. You are open to attacks during that time.
  2. A web application firewall can help fix this problem.
  3. For those who don’t know, WAF is patches vulnerabilities without code changes. It acts as a shield to stop attackers.
  4. Unfortunately, most WAFs are dumb. They do not block anything beyond what’s programmed.
  5. Hide all the admin pages from public listings.
  6. Prohibit auto form filling.
  7. Intelligent web application firewalls are costly, but they allow you to set custom rule, country blocking, IP filtering and other benefits.
  8. Cloud WAFs are more economical and effective when compared to on-premise devices.
  9. WAF is also a PCI-DSS requirement. According to PCI DSS 6.6 clause, websites should deploy web application firewalls.
  10. Check out all the WAF logs. See how attackers try to get into your server. Learn from it.
  11. Reverse proxy ensures that your visitors get quick website loading. WAFs without reverse proxy can delay response by several seconds.
  12. Cloud WAFs allow traffic filtering with simple DNS change.
  13. A WAF when synced with Load Balancer and CDN improve website performance.
  14. Intelligent WAFs can tell difference between real visitor and a bot.

Distributed Denial-of-Service

  1. Most DDoS attacks simply try to overwhelm the server, so that your website goes down.
  2. Attacks like HTTP floods, slow attacks (e.g., Slowloris or RUDY) and DNS query flood can be stopped with WAF.
  3. CAPTCHA is the best protection from DDoS attacks.
  4. Always use HTTPS.
  5. Extortion is the primary motive behind such attacks. Never pay the hackers. Simply make a call to DDoS protection companies and reroute traffic to stop bots.
  6. WAF vendors with higher customer count can theoretically protect you better. With centralized attack block signature, you get custom rules for attacks faced by any of their clients.
Do you have anymore such tips? Leave them in the comment below.

By Ishan Mathur

From stopping hackers to getting the fastest CDN, I'm helping big and small companies choose what's best for them by building a community here.

Leave a Reply

Your email address will not be published. Required fields are marked *