security-hardening

Security Hardening and Secure Coding

OWASP Top 10 (2021) -- Overview and Practical Mitigations

A01: Broken Access Control

  • Deny by default. Enforce server-side authorization on every request.
  • Use RBAC or ABAC. Disable directory listing. Log repeated access-control failures.

A02: Cryptographic Failures

  • Encrypt PII at rest (AES-256-GCM) and in transit (TLS 1.2+).
  • Hash passwords with bcrypt, scrypt, or Argon2id. Rotate encryption keys on schedule.

A03: Injection

  • Use parameterized queries or prepared statements for all database access.
  • Validate and sanitize every input server-side. Use ORMs with parameterized bindings.
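The vulnerable and parameterized forms side by side, as an added example that is not part of the original skill; the in-memory users table and the `find_user_*` / `validate_username` names are constructed for the demonstration:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample database (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (name, is_admin) VALUES (?, ?)",
                     [("alice", 1), ("bob", 0), ("carol", 0)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    # BAD: the input is spliced into the SQL text, so a quote inside `name`
    # changes the statement's structure instead of being treated as data.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    # GOOD: the SQL text is fixed; the value is bound as a parameter and
    # the driver passes it to the engine separately from the query.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def validate_username(name: str) -> str:
    # Second layer (defense in depth): server-side validation rejects anything
    # outside the expected alphabet before it reaches the database at all.
    if not (1 <= len(name) <= 32) or not name.isalnum():
        raise ValueError("invalid username")
    return name


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print(find_user_vulnerable(db, hostile))  # tautology matches every row
    print(find_user_safe(db, hostile))        # [] -- compared as a literal name
```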

A04: Insecure Design

  • Threat model (STRIDE, DREAD) during design. Apply least privilege, defense in depth, fail-safe defaults.
From 1mangesh1/dev-skills-collection

Installs: 9
GitHub Stars: 3
First Seen: Feb 21, 2026