
These vulnerabilities come from the OWASP Top 10 — the industry standard checklist for web application security. If you're not checking for these, your app is at risk.

1 — SQL Injection

An attacker sends malicious SQL in an input field. If your code builds queries with string concatenation, the attacker can read, modify, or delete your entire database.

❌ Vulnerable Code
# NEVER do this
query = f"SELECT * FROM users WHERE username = '{username}'"
# Attacker inputs: ' OR '1'='1
# Result: returns ALL users

✅ Safe Code (Parameterized Query)
# Always use parameterized queries
cursor.execute("SELECT * FROM users WHERE username = %s", [username])

# With Django ORM (automatically safe)
User.objects.filter(username=username)

2 — XSS (Cross-Site Scripting)

An attacker injects JavaScript into your page. When another user visits it, the script runs — stealing cookies, redirecting, or defacing the page.

❌ Vulnerable / ✅ Safe
// ❌ NEVER inject raw user content into HTML
element.innerHTML = userInput;

// ✅ SAFE — inserted as text, never parsed as HTML
element.textContent = userInput;

// ✅ SAFE in React (automatic escaping)
return <div>{userInput}</div>;

// Django templates are safe by default
{{ user_input }}  {# Auto-escaped #}
{{ user_input|safe }}  {# Dangerous! Only use for trusted content #}

3 — Broken Authentication

Weak passwords, no rate limiting on login, sessions that never expire, JWT tokens stored in localStorage. These let attackers take over accounts.

Hash passwords with bcrypt or argon2. Set short JWT expiry (15min access tokens with 7day refresh tokens). Rate limit login attempts. Always use HTTPS.

4 — Sensitive Data Exposure

Passwords in plain text in logs. API keys in GitHub repos. Credit cards in unencrypted databases. Secrets hardcoded in source instead of loaded from environment variables.

✅ Secure Environment Handling
# .env file (NEVER commit this)
SECRET_KEY=your-secret-key
DATABASE_URL=postgresql://...
STRIPE_KEY=sk_live_...

# .gitignore — always include
.env
*.env
.env.local

# Load safely in Python
from decouple import config
SECRET_KEY = config('SECRET_KEY')

5 — Security Misconfiguration

DEBUG=True in production. Default admin credentials. Open S3 buckets. These are the most common mistakes made by Tunisian developers deploying their first VPS.

Production checklist: DEBUG=False, strong SECRET_KEY, ALLOWED_HOSTS set, HTTPS enforced, admin URL changed, unnecessary ports closed.

Protect Yourself

Security isn't a feature you add at the end — it's a habit you build from the start. These 5 vulnerabilities cover 80% of real-world attacks. Know them, fix them, and you'll be ahead of most developers.
