After this lesson, you will be able to: Apply input validation, safe error handling, and supply-chain hygiene to real code.
Most AppSec is patterns, not magic. This lesson is the developer's checklist: the small habits that, applied consistently, eliminate whole classes of bugs.
Validation = 'is this input shaped right?' (allow-list, length limits, type checks). Do this when input enters your system. Sanitization = 'render this safely for its destination' (HTML-escape, parameterize, etc.). Do this where the data is used. Mixing the two roles up causes both bugs and over-engineering.
Verbose error messages leak file paths, SQL queries, stack traces, gold for attackers. Production errors should log full detail server-side and return a generic message + a request ID to the user. Never include the raw stack trace in an HTTP response in production.
Three habits that prevent dozens of bugs.
// 1. Never trust client-side validation// (the server MUST validate too, clients can be tampered with)// 2. Use parameterized queries everywhereconst user = await db.query('SELECT * FROM users WHERE id = $1', [userId]);// 3. Allow-list for redirectsconst safe = new URL(redirect);if (!['app.example.com'].includes(safe.host)) throw new Error('bad redirect');
API keys, DB passwords, JWT secrets, never in code, never in logs. Use environment variables for development; use a secrets manager (AWS Secrets Manager, HashiCorp Vault) for production. Rotate secrets periodically and on suspected compromise. A leaked secret in a public GitHub repo is the most common 'oops' breach origin.
Pick the right answer.
Sign in and purchase access to unlock this lesson.