█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Application Security/Secure Coding Practices
40 minIntermediate

Secure Coding Practices

After this lesson, you will be able to: Apply input validation, safe error handling, and supply-chain hygiene to real code.

Most AppSec is patterns, not magic. This lesson is the developer's checklist: the small habits that, applied consistently, eliminate whole classes of bugs.

Prerequisites:Authentication and Session Security in Applications

Validate at the boundary, sanitize at the sink

Validation = 'is this input shaped right?' (allow-list, length limits, type checks). Do this when input enters your system. Sanitization = 'render this safely for its destination' (HTML-escape, parameterize, etc.). Do this where the data is used. Mixing the two roles up causes both bugs and over-engineering.

Error handling without leaking

Verbose error messages leak file paths, SQL queries, stack traces, gold for attackers. Production errors should log full detail server-side and return a generic message + a request ID to the user. Never include the raw stack trace in an HTTP response in production.

💡 Supply chain, your code isn't yours alone

Your app probably depends on hundreds of npm or pip packages, each with their own dependencies. Run npm audit / pip-audit / Snyk on every CI build. Pin versions. Review what's actually in your lock file. Recent supply chain attacks (event-stream, ua-parser-js) showed that malicious updates can ship to millions in hours.

Common safe-coding patterns

Three habits that prevent dozens of bugs.

tsx
// 1. Never trust client-side validation
// (the server MUST validate too, clients can be tampered with)
// 2. Use parameterized queries everywhere
const user = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
// 3. Allow-list for redirects
const safe = new URL(redirect);
if (!['app.example.com'].includes(safe.host)) throw new Error('bad redirect');

Secrets management

API keys, DB passwords, JWT secrets, never in code, never in logs. Use environment variables for development; use a secrets manager (AWS Secrets Manager, HashiCorp Vault) for production. Rotate secrets periodically and on suspected compromise. A leaked secret in a public GitHub repo is the most common 'oops' breach origin.

Quick Check

Why validate input on both client and server?

Pick the right answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Authentication and Session Security in Applications
Back to Application Security
Web Application Firewalls and Security Testing→