
Security Best Practices

Essential security practices every web application should follow.

Core Security Principles

1. Always Use HTTPS

HTTPS encrypts data between your server and users, preventing man-in-the-middle attacks. It's no longer optional—it's a baseline requirement.

  • Use Let's Encrypt for free SSL certificates
  • Redirect all HTTP traffic to HTTPS
  • Enable HSTS to force HTTPS
  • Use strong TLS versions (1.2+)

AI Prompt:

Please fix the "Always Use HTTPS" security issue.
The issue is: Your website is served over HTTP instead of HTTPS. This means the connection between your users and your server is not encrypted.

Make a plan and implement based on my project.

2. Implement Security Headers

Security headers protect against common attacks like XSS, clickjacking, and data injection.

  • Content-Security-Policy: Prevent XSS attacks
  • X-Frame-Options: Stop clickjacking
  • X-Content-Type-Options: Prevent MIME sniffing
  • Referrer-Policy: Control referrer information

Content Security Policy (CSP) Example

A practical CSP that balances security with modern web app needs:

default-src 'self';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
connect-src 'self' https://your-supabase-url.supabase.co;
img-src 'self' data: https:;
font-src 'self' data:;
frame-src https://js.stripe.com https://hooks.stripe.com;

Key directives: default-src restricts everything to same-origin, script-src allows inline scripts for frameworks like Next.js, connect-src permits API calls to external services.
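The following is an added example, not code from this page or from the SecureNow project. It parses a CSP header value, reports the source expressions that weaken it (the 'unsafe-inline' and 'unsafe-eval' the policy above needs for frameworks that inject inline scripts), and shows how the same policy tightens once the inline scripts carry a per-response nonce instead. The severity levels, the frame-ancestors check and the securityHeaders() defaults (HSTS for one year, X-Frame-Options DENY, strict-origin-when-cross-origin) are this example's own choices, and PAGE_CSP is the page's policy copied in as sample input.

```javascript
// Added example, not code from the page or the SecureNow project.

// "directive src src; directive src" -> Map(directive -> [sources])
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([name, src]) => `${name} ${src.join(' ')}`).join('; ') + ';';
}

// Source expressions that widen a directive to (nearly) anything.
const WEAK_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", '*', 'data:', 'https:', 'http:']);
// Directives that govern executable content: a weak source here defeats the XSS protection.
const SCRIPT_LIKE = new Set(['script-src', 'default-src', 'object-src']);

// Returns [{ directive, source, severity }] for every weak source, plus one
// finding when the policy does not say who may frame the page (clickjacking).
function auditCsp(policy) {
  const directives = parseCsp(policy);
  const findings = [];
  for (const [name, sources] of directives) {
    for (const source of sources) {
      if (WEAK_SOURCES.has(source)) {
        findings.push({ directive: name, source, severity: SCRIPT_LIKE.has(name) ? 'high' : 'low' });
      }
    }
  }
  if (!directives.has('frame-ancestors')) {
    findings.push({ directive: 'frame-ancestors', source: '(missing)', severity: 'medium' });
  }
  return findings;
}

// Replace 'unsafe-inline'/'unsafe-eval' in script-src with a nonce. The caller must
// generate a fresh nonce per response (e.g. crypto.randomBytes(16).toString('base64'))
// and put the same value on every <script nonce="..."> tag it renders.
function hardenScriptSrc(policy, nonce) {
  const directives = parseCsp(policy);
  const current = directives.get('script-src') || directives.get('default-src') || ["'self'"];
  const kept = current.filter((s) => s !== "'unsafe-inline'" && s !== "'unsafe-eval'");
  directives.set('script-src', [...kept, `'nonce-${nonce}'`]);
  if (!directives.has('frame-ancestors')) directives.set('frame-ancestors', ["'none'"]);
  return serializeCsp(directives);
}

// The baseline header set from sections 1 and 2 for a given policy (defaults are this example's).
function securityHeaders(csp, hstsMaxAgeSeconds = 31536000) {
  return {
    'Content-Security-Policy': csp,
    'Strict-Transport-Security': `max-age=${hstsMaxAgeSeconds}; includeSubDomains`,
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
}

// The page's example policy, reproduced as sample input.
const PAGE_CSP = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "style-src 'self' 'unsafe-inline'",
  "connect-src 'self' https://your-supabase-url.supabase.co",
  "img-src 'self' data: https:",
  "font-src 'self' data:",
  "frame-src https://js.stripe.com https://hooks.stripe.com",
].join('; ') + ';';

// Running the audit on the page's policy reports two high findings (both in script-src).
const pageFindings = auditCsp(PAGE_CSP);
const hardenedCsp = hardenScriptSrc(PAGE_CSP, 'REPLACE-WITH-PER-RESPONSE-NONCE');
```

Note that style-src keeps its 'unsafe-inline' after hardening: CSS injection is lower risk than script injection, and most frameworks still need it, so the audit reports it as low rather than high.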

AI Prompt:

Please fix the "Missing Content Security Policy" security issue.
The issue is: Your website doesn't have a Content Security Policy (CSP) header. This header tells the browser which resources are safe to load.

Make a plan and implement based on my project.

3. Never Expose Sensitive Files

Configuration files and source code should never be accessible publicly.

  • Keep .env files out of version control
  • Block access to .git directories
  • Don't expose .DS_Store or config files
  • Use .gitignore properly

AI Prompt:

Please fix the "Never Expose Sensitive Files" security issue.
The issue is: Configuration files and source code should never be accessible publicly.

Make a plan and implement based on my project.

4. Disable Debug Mode in Production

Debug information reveals internal code structure and can be exploited by attackers.

  • Set DEBUG=false in production
  • Use generic error pages for users
  • Log detailed errors server-side only
  • Remove debug endpoints before deployment
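The following is an added example, not code from this page or from the SecureNow project. It shows the split the list above describes: the full error (message, stack, which may contain hostnames and file paths) goes to a server-side log record, while the client receives a generic message and a correlation id. The debugEnabled() rule, the generic message table and the counter-based id are this example's own assumptions; a real service would use a random id such as crypto.randomUUID().

```javascript
// Added example, not code from the page or the SecureNow project.

// DEBUG is honoured only outside production, so a DEBUG=true left behind in a
// production environment file cannot turn stack traces back on.
function debugEnabled(env) {
  if (env.NODE_ENV === 'production') return false;
  return env.DEBUG === 'true' || env.DEBUG === '1';
}

// What users see for common statuses; everything else collapses to one of two strings.
const GENERIC_MESSAGES = { 400: 'Bad request', 401: 'Authentication required', 403: 'Forbidden', 404: 'Not found' };

let sequence = 0;
// Correlation id: a constructed counter here, a random id in a real service.
function nextErrorId() {
  sequence += 1;
  return `err-${sequence.toString(36).padStart(6, '0')}`;
}

// Returns { status, body, logEntry }: body is the JSON for the client,
// logEntry is the record for the server-side log only.
function handleError(err, env, now = new Date()) {
  const status = Number.isInteger(err.status) && err.status >= 400 && err.status < 600 ? err.status : 500;
  const id = nextErrorId();
  const logEntry = { id, time: now.toISOString(), status, name: err.name, message: err.message, stack: err.stack };
  let body;
  if (debugEnabled(env)) {
    body = { id, error: err.message, stack: err.stack };
  } else {
    body = { id, error: GENERIC_MESSAGES[status] || (status >= 500 ? 'Internal server error' : 'Request failed') };
  }
  return { status, body, logEntry };
}
```

The id is the only thing the two records share, which is what lets support staff find the full log entry from a screenshot without the response itself carrying any internal detail.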

AI Prompt:

Please fix the "Disable Debug Mode in Production" security issue.
The issue is: Debug information reveals internal code structure and can be exploited by attackers.

Make a plan and implement based on my project.

5. Secure Authentication

Authentication is a prime target for attacks. Implement multiple layers of protection.

  • Always use HTTPS for login pages
  • Implement rate limiting
  • Use strong password policies
  • Enable multi-factor authentication
  • Secure cookie flags (HttpOnly, Secure, SameSite)
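The following is an added example, not code from this page or from the SecureNow project. It implements three of the layers listed above in working form: a sliding-window limiter for failed logins keyed on client address plus account, a minimum password policy, and a session cookie carrying every flag the list names. The thresholds (5 failures per 15 minutes, 12-character minimum), the tiny breached-password list and the __Host- cookie name are this example's own constructed choices.

```javascript
// Added example, not code from the page or the SecureNow project.

// Sliding-window limiter over failed login attempts. Keying on (ip, account)
// keeps one noisy address from locking every user out; add a per-account cap
// as well if you also need to stop guesses spread across many addresses.
function createLoginLimiter({ maxFailures = 5, windowMs = 15 * 60 * 1000 } = {}) {
  const failures = new Map(); // key -> timestamps of recent failed attempts
  const keyFor = (ip, username) => `${ip}|${username.trim().toLowerCase()}`;

  function check(ip, username, now = Date.now()) {
    const key = keyFor(ip, username);
    const recent = (failures.get(key) || []).filter((t) => now - t < windowMs);
    failures.set(key, recent); // drop expired entries so the map does not grow forever
    if (recent.length >= maxFailures) {
      return { allowed: false, retryAfterMs: windowMs - (now - recent[0]) };
    }
    return { allowed: true, remaining: maxFailures - recent.length };
  }
  function recordFailure(ip, username, now = Date.now()) {
    const key = keyFor(ip, username);
    failures.set(key, [...(failures.get(key) || []), now]);
  }
  function recordSuccess(ip, username) {
    failures.delete(keyFor(ip, username));
  }
  return { check, recordFailure, recordSuccess };
}

// Constructed stand-in for a breach corpus; a real check would query a full list.
const BREACHED_SAMPLE = new Set(['password', 'password123', 'qwerty123456', 'letmein123']);

// Length and breach-list checks; composition rules are deliberately not enforced.
function checkPassword(password) {
  if (password.length < 12) return { ok: false, reason: 'shorter than 12 characters' };
  if (password.length > 128) return { ok: false, reason: 'longer than 128 characters' };
  if (BREACHED_SAMPLE.has(password.toLowerCase())) return { ok: false, reason: 'appears in breach corpus' };
  return { ok: true };
}

// Set-Cookie value for a session id. The __Host- prefix makes browsers refuse the
// cookie unless it is Secure, has Path=/ and carries no Domain attribute.
function sessionCookie(sessionId, { maxAgeSeconds = 3600, sameSite = 'Lax' } = {}) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(sessionId)) throw new Error('session id must be a random URL-safe token');
  if (!['Strict', 'Lax'].includes(sameSite)) throw new Error('use Strict or Lax for a session cookie');
  return `__Host-session=${sessionId}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=${sameSite}`;
}
```

In a login handler the order is check() before verifying the password, recordFailure() on a bad password, and recordSuccess() plus sessionCookie() on a good one; the retryAfterMs value maps directly onto a Retry-After header.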

AI Prompt:

Please fix the "Secure Authentication" security issue.
The issue is: Authentication is a prime target for attacks. Implement multiple layers of protection.

Make a plan and implement based on my project.

6. Configure CORS Properly

Wildcard CORS (Access-Control-Allow-Origin: *) allows any website to access your API.

  • Specify exact allowed origins
  • Don't use * in production
  • Enable credentials only for trusted origins
  • Validate Origin headers
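The following is an added example, not code from this page or from the SecureNow project. It computes the CORS response headers for one request from an exact-origin allowlist, refusing a wildcard entry, rejecting look-alike origins that merely start with an allowed one, treating the literal "null" origin as unknown, and sending Access-Control-Allow-Credentials only for origins on the list. The allowed origins, the preflight defaults and the request origins in the test are constructed.

```javascript
// Added example, not code from the page or the SecureNow project.

// Canonicalise "https://App.Example.com:443" -> "https://app.example.com".
// Returns null for anything unparsable, including the literal "null" origin
// that sandboxed iframes and file: pages send.
function canonicalOrigin(origin) {
  try {
    const u = new URL(origin);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch {
    return null;
  }
}

function createCorsPolicy(allowedOrigins, {
  allowCredentials = false,
  methods = ['GET', 'POST'],
  headers = ['Content-Type', 'Authorization'],
  maxAgeSeconds = 600,
} = {}) {
  if (allowedOrigins.includes('*')) throw new Error('wildcard origin not permitted; list exact origins');
  const allowed = new Set();
  for (const o of allowedOrigins) {
    const canon = canonicalOrigin(o);
    if (canon === null) throw new Error(`not a valid origin: ${o}`);
    allowed.add(canon);
  }

  // Headers to add for a request carrying `origin` (undefined for same-origin and
  // non-browser clients); set preflight for an OPTIONS request.
  function headersFor({ origin, preflight = false }) {
    const out = { Vary: 'Origin' }; // caches must key on Origin since the answer depends on it
    if (origin === undefined) return out;
    const canon = canonicalOrigin(origin);
    if (canon === null || !allowed.has(canon)) return out; // unknown origin: no CORS headers at all
    out['Access-Control-Allow-Origin'] = canon;
    if (allowCredentials) out['Access-Control-Allow-Credentials'] = 'true';
    if (preflight) {
      out['Access-Control-Allow-Methods'] = methods.join(', ');
      out['Access-Control-Allow-Headers'] = headers.join(', ');
      out['Access-Control-Max-Age'] = String(maxAgeSeconds);
    }
    return out;
  }
  return { headersFor };
}
```

Exact set membership after canonicalisation is the whole check: no regular expressions, no startsWith, and no echoing the Origin header back unconditionally, which is the common way a "validated" CORS setup ends up equivalent to a wildcard with credentials.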

AI Prompt:

Please fix the "Configure CORS Properly" security issue.
The issue is: Wildcard CORS (Access-Control-Allow-Origin: *) allows any website to access your API.

Make a plan and implement based on my project.

7. Hide Server Information

Server headers reveal technology stacks that attackers can use to find known vulnerabilities.

  • Remove X-Powered-By headers
  • Hide server version information
  • Use security-focused reverse proxies
  • Keep software updated

AI Prompt:

Please fix the "Hide Server Information" security issue.
The issue is: Server headers reveal technology stacks that attackers can use to find known vulnerabilities.

Make a plan and implement based on my project.

8. Restrict API Documentation Access

API documentation (Swagger, GraphiQL) should not be publicly accessible in production.

  • Disable /docs endpoints in production
  • Require authentication for API documentation
  • Use separate documentation domains
  • Remove OpenAPI/Swagger files from public paths
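The following is an added example, not code from this page or from the SecureNow project, covering sections 3 and 8 with one request gate: it answers 404 for the files section 3 says must never be served (.git, .env and its variants, .DS_Store) and requires a login for the documentation routes of section 8 when running in production. Paths are percent-decoded once and "." / ".." segments collapsed before the check, so an encoded or traversal-style spelling of a hidden file is judged by the file it really names. The hidden-name list, the documentation route list and the sample requests are constructed.

```javascript
// Added example, not code from the page or the SecureNow project.

// Segment names that must never be served (compared case-insensitively).
const HIDDEN_EXACT = new Set(['.git', '.svn', '.ds_store', '.htaccess']);
// .env plus variants such as .env.local or .env.production, but not ".envelope".
const ENV_FILE = /^\.env(\.[\w-]+)?$/;
// Documentation routes: public in development, session required in production.
const DOCS_ROUTES = ['/docs', '/redoc', '/swagger', '/openapi.json', '/graphiql'];

// Decode once (as a web server does) and collapse "." and ".." segments.
// Returns null when the percent-encoding is malformed; the caller answers 400.
function normalizePath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath.split('?')[0].split('#')[0]);
  } catch {
    return null;
  }
  const out = [];
  for (const seg of decoded.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

function isHiddenSegment(seg) {
  const lower = seg.toLowerCase();
  return HIDDEN_EXACT.has(lower) || ENV_FILE.test(lower);
}

// Decision for one request: { status, reason, path? }. 200 means "pass through to the app".
function gateRequest({ path, authenticated = false, production = true }) {
  const norm = normalizePath(path);
  if (norm === null) return { status: 400, reason: 'malformed percent-encoding' };
  // 404 rather than 403, so the answer does not confirm that the file exists.
  if (norm.split('/').some((seg) => seg !== '' && isHiddenSegment(seg))) {
    return { status: 404, reason: 'hidden path' };
  }
  const isDocs = DOCS_ROUTES.some((r) => norm === r || norm.startsWith(r + '/'));
  if (isDocs && production && !authenticated) {
    return { status: 401, reason: 'documentation requires login' };
  }
  return { status: 200, reason: 'ok', path: norm };
}
```

The gate only stops requests that reach the application; keeping .env out of the repository and blocking the directories at the web server or CDN as well means a misrouted request never has anything to find.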

AI Prompt:

Please fix the "Restrict API Documentation Access" security issue.
The issue is: API documentation (Swagger, GraphiQL) should not be publicly accessible in production.

Make a plan and implement based on my project.

Quick Security Checklist

Before Deployment:

  • Enable HTTPS
  • Set security headers
  • Disable debug mode
  • Remove sensitive files
  • Configure CORS properly

After Deployment:

  • Run SecureNow scan
  • Fix all high-risk issues
  • Monitor for new vulnerabilities
  • Schedule regular scans
  • Keep dependencies updated