Web Security Fundamentals 2026: A Developer Complete Guide

Stored XSS

The payload is persisted on the server (e.g., in a comment, user bio) and served to every visitor.

Web Security Fundamentals 2026: A Developer Complete Guide

Example: A comment containing

DOM-Based XSS

The vulnerability lives entirely in client-side JavaScript. The server response is clean, but the browser executes attacker-controlled input via innerHTML, document.write, or eval.

// VULNERABLE — DOM XSS

const name = new URLSearchParams(window.location.search).get('name');

document.getElementById('greeting').innerHTML = Hello, ${name};

// SAFE — use textContent, not innerHTML

document.getElementById('greeting').textContent = Hello, ${name};

XSS Prevention Table

| Context | Safe Approach | Dangerous Approach |

|---------|--------------|-------------------|

| HTML body | textContent, template escaping | innerHTML, outerHTML |

| HTML attribute | setAttribute() with safe values | String concatenation into onclick or href |

| JavaScript string | JSON.stringify + proper encoding | Direct concatenation into eval or setTimeout string |

| CSS | Use CSS custom properties | Dynamic url() or expression() |

| URL | Validate against allowlist | javascript: URLs in `` |

Defense in depth: CSP + output encoding + input validation. No single layer is enough.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\---

7\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. HTTPS/TLS Fundamentals

HTTPS is non-negotiable in 2026. Every site should be HTTPS-only with HSTS.

What Every Developer Needs to Know

| Concept | What It Means | |---------|---------------| | TLS 1.3 | Current standard. Faster handshake, removed insecure ciphers. | | Certificate validation | The client verifies the cert chain against trusted CAs | | SNI | Server Name Indication — lets one server host multiple TLS certs | | HSTS | HTTP Strict Transport Security — tells browsers to always use HTTPS | | OCSP Stapling | Server sends proof of cert validity during handshake |

Setting Up HSTS

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

max-age in seconds (2 years = 63072000)
includeSubDomains — covers all subdomains
preload — submit your domain to browser preload lists

Redirect HTTP to HTTPS

// Express.js

app.use((req, res, next) => {

if (!req.secure && req.headers['x-forwarded-proto'] !== 'https') {

return res.redirect(301, https://${req.headers.host}${req.url});

}

next();

});

TLS Configuration Check (2026 Minimum)

nginx TLS config — modern profile

ssl_protocols TLSv1.2 TLSv1.3;

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

ssl_prefer_server_ciphers off;

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 1d;

ssl_session_tickets off;

ssl_stapling on;

ssl_stapling_verify on;

Test your TLS setup with: openssl s_client -connect example.com:443 -tls1_3

8\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. Dependency Scanning and SBOM

Supply chain attacks are the fastest-growing threat vector. In 2026, the US Executive Order on cybersecurity and global regulations require Software Bills of Materials (SBOM) for production software.

Dependency Scanning Tools

| Tool | Scope | Integration | |------|-------|-------------| | npm audit / yarn audit | Node.js packages | CI/CD pipeline gate | | pip-audit | Python packages | pre-commit hooks | | trivy | Containers, OS packages, IaC | GitHub Actions, GitLab CI | | snyk | Multi-language, container | PR checks | | dependabot | GitHub-hosted repos | Auto-PRs for vulnerable deps | | grype | Containers, filesystem | Fast, free, OSS |

Running a Scan in CI

.github/workflows/security-scan.yml

name: Security Scan

on: [push, pull_request]

jobs:

scan:

runs-on: ubuntu-latest

steps:

uses: aquasecurity/trivy-action@master

with:

scan-type: 'fs'

scan-ref: '.'

format: 'sarif'

output: 'trivy-results.sarif'

uses: anchore/sbom-action@v0

with:

format: 'spdx-json'

output-file: 'sbom.spdx.json'

What Goes Into an SBOM

{

"bomFormat": "CycloneDX",

"specVersion": "1.5",

"metadata": {

"component": {

"name": "my-app",

"version": "1.2.3",

"type": "application"

}

"components": [

{

"name": "express",

"version": "4.18.2",

"type": "library",

"purl": "pkg:npm/express@4.18.2"

}

]

}

Action item: Run pip freeze > requirements.txt or npm list --json > deps.json and pipe it through an SBOM generator in your CI pipeline. Store the SBOM alongside your release artifact.

9\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. Security Headers Checklist

Apply these HTTP response headers to every page and every API response.

| Header | Value | Purpose | |--------|-------|---------| | Strict-Transport-Security | max-age=63072000; includeSubDomains | Enforce HTTPS | | Content-Security-Policy | See Section 3 | Prevent XSS and data injection | | X-Content-Type-Options | nosniff | Prevent MIME type sniffing | | X-Frame-Options | DENY | Prevent clickjacking | | X-XSS-Protection | 0 | Disable legacy XSS filter (does more harm than good) | | Referrer-Policy | strict-origin-when-cross-origin | Control referrer data leakage | | Permissions-Policy | camera=(), microphone=(), geolocation=() | Restrict browser API access | | Cache-Control | no-store, no-cache, must-revalidate | Prevent sensitive data caching |

Apply Them in One Shot

// Express.js helmet — sets most security headers automatically

const helmet = require('helmet');

app.use(helmet());

// Or set manually for fine control

app.use((req, res, next) => {

res.setHeader('X-Content-Type-Options', 'nosniff');

res.setHeader('X-Frame-Options', 'DENY');

res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');

res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');

next();

});

FastAPI with SecureHeaders middleware

from secure import SecureHeaders

secure_headers = SecureHeaders()

@app.middleware("http")

async def add_security_headers(request, call_next):

response = await call_next(request)

secure_headers.framework.fastapi(response)

return response

10\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. API Security Basics

APIs are the backbone of modern web applications and a prime attack target.

Rate Limiting

// Express.js with express-rate-limit

const rateLimit = require('express-rate-limit');

const globalLimiter = rateLimit({

windowMs: 15 * 60 * 1000, // 15 minutes

max: 100, // limit each IP

standardHeaders: true,

legacyHeaders: false,

message: { error: 'Too many requests' }

});

const authLimiter = rateLimit({

windowMs: 60 * 1000, // 1 minute

max: 5, // 5 attempts per minute

message: { error: 'Too many auth attempts' }

});

app.use('/api/', globalLimiter);

app.use('/api/auth/login', authLimiter);

Input Validation

Use a schema validation library. Never trust incoming data.

// Zod validation — reject unexpected fields and bad types

const { z } = require('zod');

const CreateUserSchema = z.object({

email: z.string().email(),

password: z.string().min(12).max(128),

role: z.enum(['user', 'admin']).default('user'),

}).strict(); // strips or rejects extra fields

app.post('/api/users', (req, res) => {

const parsed = CreateUserSchema.parse(req.body);

// parsed is now type-safe and validated

});

Proper Error Handling

Never leak stack traces, database schemas, or internal paths to API consumers.

BAD — leaks internals

@app.exception_handler(Exception)

async def debug_error(request, exc):

return JSONResponse(

status_code=500,

content={"error": str(exc), "traceback": traceback.format_exc()}

)

GOOD — sanitized errors with logging

import logging

logger = logging.getLogger(name)

@app.exception_handler(HTTPException)

async def http_error(request, exc):

return JSONResponse(

status_code=exc.status_code,

content={"error": exc.detail}

)

@app.exception_handler(Exception)

async def generic_error(request, exc):

logger.error("Internal error", exc_info=True)

return JSONResponse(

status_code=500,

content={"error": "An internal error occurred"}

)

API Security Checklist

[ ] Rate limiting on all endpoints (stricter on auth)
[ ] Input validation with schema library (Zod, Pydantic, Marshmallow)
[ ] Structured error responses — no stack traces
[ ] Authentication on every endpoint (no unprotected internal routes)
[ ] Audit logging for sensitive operations
[ ] Request size limits (body-parser limit option, nginx client_max_body_size)
[ ] API keys stored server-side only, rotated regularly
[ ] UUIDs instead of auto-increment IDs in URLs

11\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\. Production Security Checklist

A practical runbook to harden any web application before launch.

Infrastructure

[ ] All traffic is HTTPS (HSTS preloaded)
[ ] TLS 1.2 minimum, TLS 1.3 preferred
[ ] No default credentials on any service (database, Redis, admin panels)
[ ] Database is not publicly accessible (private subnet / VPC)
[ ] Secrets stored in a vault / secrets manager (not in .env files in repos)
[ ] Container images scanned for CVEs before deployment

Application

[ ] All user input is validated and sanitized
[ ] Parameterized queries everywhere — no SQL string concatenation
[ ] Authentication uses short-lived tokens with rotation
[ ] Session tokens stored in HTTP-only, Secure, SameSite cookies
[ ] CSP header is enforced (not just report-only)
[ ] CORS origins are explicitly whitelisted
[ ] File uploads are restricted to allowed types and scanned
[ ] File uploads stored outside the web root with random filenames
[ ] IDs are UUIDs not sequential integers
[ ] Logs contain no PII, tokens, or passwords
[ ] Rate limiting is active on all endpoints

Process

[ ] Dependency scanning runs on every PR
[ ] SBOM is generated with each release
[ ] Secrets scanning (e.g., git secrets, truffleHog) in CI
[ ] Regular penetration tests (at least annually)
[ ] Incident response plan documented
[ ] Dependabot or Renovate configured for auto-updates

Conclusion

Web security in 2026 is about layers. No single header, library, or practice will protect your application. The combination of CSP + parameterized queries + short-lived tokens + dependency scanning + proper CORS configuration + HSTS creates a defense-in-depth posture that raises the bar for attackers.

Start with the production checklist above and work through each item. Automate everything you can — security scanning in CI, dependency updates, SBOM generation. The goal is not perfect security (it does not exist), but rather making your application resilient enough that attackers move on to an easier target.

Remember: security is not a one-time audit. It is a continuous practice embedded into your development workflow. Ship safely.

Last updated: May 2026

Web Security Fundamentals 2026: A Developer Complete Guide

Stored XSS

DOM-Based XSS

XSS Prevention Table

nginx TLS config — modern profile

.github/workflows/security-scan.yml

FastAPI with SecureHeaders middleware

BAD — leaks internals

GOOD — sanitized errors with logging

Related Articles