Rivas Technologies
Security 9 min read 2026-04-22

Security Checklist for Web Applications in 2026

A forensic-grade security checklist for founders and engineering teams. The 20 controls that prevent 90% of web application breaches — with specific implementation guidance for each.

Why this checklist exists

Most web application breaches exploit known vulnerabilities with known fixes. The OWASP Top 10 has not changed dramatically in a decade because the same mistakes keep being made. This checklist covers the controls that prevent the overwhelming majority of attacks — from someone building their first SaaS to an engineering team scaling to enterprise clients.

Authentication & Session Management

  • Enforce strong password policies: Minimum 12 characters, check against known-breached password lists (Have I Been Pwned API).
  • Implement MFA: TOTP (Google Authenticator) or passkeys for all accounts with privileged access.
  • Use short-lived JWTs: Access tokens expire in 15 minutes. Refresh tokens in httpOnly, Secure, SameSite=Strict cookies.
  • Rate limit authentication endpoints: 5 failed attempts trigger a 15-minute lockout. Log all failures.
  • Invalidate sessions on logout: Obvious but frequently missed in SPAs.
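The lockout rule in the rate-limiting item above, as an added example that is not code from the original post: a per-account failed-login tracker that locks an identifier after 5 failures for 15 minutes and logs every failure. It assumes single-process in-memory state and counts consecutive failures per account identifier (the post does not specify a window); the injectable clock exists only so the policy can be tested without sleeping.

```python
import logging
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # the fifth failure triggers the lockout
LOCKOUT_SECONDS = 15 * 60   # 15-minute lockout

log = logging.getLogger("auth")


@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0   # 0.0 means "not locked"


class LoginRateLimiter:
    """Per-identifier failed-login counter with a fixed lockout.

    Assumption: in-memory state for one process; a multi-instance deployment
    would keep the same state in a shared store. Keying on source IP as well
    is left to the caller.
    """

    def __init__(self, now=time.time):
        self._now = now                     # injected clock (for tests)
        self._state: dict[str, _State] = {}

    def is_locked(self, identifier: str) -> bool:
        s = self._state.get(identifier)
        if s is None:
            return False
        if s.locked_until and self._now() < s.locked_until:
            return True
        if s.locked_until:                  # lockout expired: start fresh
            self._state.pop(identifier, None)
        return False

    def record_failure(self, identifier: str, source_ip: str) -> bool:
        """Record a failed attempt; return True if the account is now locked."""
        if self.is_locked(identifier):
            log.warning("attempt during lockout user=%s ip=%s", identifier, source_ip)
            return True
        s = self._state.setdefault(identifier, _State())
        s.failures += 1                     # every failure is logged, not just the lockout
        log.warning("login failure user=%s ip=%s count=%d", identifier, source_ip, s.failures)
        if s.failures >= MAX_FAILURES:
            s.locked_until = self._now() + LOCKOUT_SECONDS
            log.warning("lockout user=%s ip=%s until=%.0f", identifier, source_ip, s.locked_until)
            return True
        return False

    def record_success(self, identifier: str) -> None:
        """A successful login clears the counter; it never lifts an active lockout."""
        if not self.is_locked(identifier):
            self._state.pop(identifier, None)
```

Callers check `is_locked()` before verifying credentials so a locked account is rejected without touching the password hash.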

Input Validation & Output Encoding

  • Validate all input server-side: Type, length, format, and allowed values. Client-side validation is UX, not security.
  • Use parameterized queries: Never concatenate user input into SQL strings. Use an ORM or prepared statements.
  • Encode output in context: HTML encoding for DOM insertion, JSON encoding for API responses, URL encoding for query parameters.
  • Implement Content Security Policy: A strict CSP header prevents XSS even when input validation fails.

API Security

  • Authenticate every endpoint: No endpoint is public by default. Explicit allow-list for public routes.
  • Implement authorization checks: Verify the authenticated user has permission to access the requested resource (BOLA/IDOR prevention).
  • Rate limit all endpoints: Not just authentication. Compute-intensive endpoints need stricter limits.
  • Validate Content-Type: Reject requests with unexpected content types. Prevents certain injection attacks.
  • Never expose internal errors: Return generic error messages to clients. Log the full error server-side.

Data Protection

  • Encrypt data at rest: Database encryption enabled. Sensitive fields (PII, payment data) encrypted at the application layer.
  • Enforce HTTPS everywhere: HSTS header with a minimum 1-year max-age. No HTTP fallback.
  • Never log sensitive data: Passwords, tokens, credit card numbers, and SSNs must never appear in logs.
  • Implement data minimization: Collect only what you need. Delete what you no longer need.

Infrastructure & Dependency Management

  • Automate dependency updates: Use Dependabot or Renovate. Known vulnerable packages are a common attack vector.
  • Scan container images: Run Trivy or Snyk on every image build. Block deployment of images with critical CVEs.

The 20% that prevents 80% of breaches

If you implement only five things from this list, make them: parameterized queries, MFA for privileged accounts, short-lived tokens in httpOnly cookies, rate limiting on auth endpoints, and dependency automation. These five controls eliminate the most common attack paths in 2026.

Security at Rivas Technologies

Every application we build ships with this checklist implemented by default. Security is not a phase at the end of a project — it's an architecture constraint from day one. We also offer security audits for existing applications, identifying vulnerabilities before attackers do.

Security OWASP Web Development Authentication Compliance
Leandry Rivas

Full Stack Developer Web · Rivas Technologies