100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

Secure Coding Practices Cheat Sheet

Secure Coding Practices Cheat Sheet

Language-agnostic patterns for input validation, output encoding, secrets handling, and common vulnerability prevention.

3 PagesIntermediateJan 30, 2026

Parameterized Queries (SQL Injection)

Never concatenate user input into SQL; always bind parameters.

python
# BAD - vulnerable to SQL injectioncursor.execute(f"SELECT * FROM users WHERE email = '{email}'")# GOOD - parameterized, driver handles escapingcursor.execute("SELECT * FROM users WHERE email = %s", (email,))

Output Encoding (XSS)

Encode context-appropriately when injecting untrusted data into HTML.

javascript
// BAD - raw HTML injectionelement.innerHTML = userComment;// GOOD - text content is auto-escapedelement.textContent = userComment;// If HTML is required, sanitize with an allowlist-based libraryimport DOMPurify from "dompurify";element.innerHTML = DOMPurify.sanitize(userComment);

Secrets Handling

Never hardcode secrets; load them from a vault or the environment at runtime.

bash
# BAD - committed to source control# api_key = "sk-live-abc123..."# GOOD - injected at runtime from a secrets managerexport DB_PASSWORD=$(aws secretsmanager get-secret-value \  --secret-id prod/db/password --query SecretString --output text)# Add a pre-commit hook to catch accidental leakspip install detect-secrets && detect-secrets scan > .secrets.baseline

Secure Coding Checklist

The recurring vulnerability classes to design against from day one.

  • Injection- parameterize SQL/NoSQL/shell commands, never string-build queries
  • Broken auth- use vetted libraries for hashing (argon2/bcrypt) and session mgmt
  • Deserialization- never deserialize untrusted data with pickle/yaml.load/eval
  • Path traversal- resolve and validate file paths against an allowlisted base dir
  • SSRF- validate/allowlist outbound URLs before the server fetches them
  • Least privilege- run processes and DB users with the minimum grants needed
  • Error handling- log stack traces internally, return generic errors to clients
Pro Tip

Push validation and encoding to the framework/library level (ORM parameter binding, templating auto-escape, a schema validator) instead of relying on developers to remember it per call site — the vulnerability classes that survive years in production are almost always the ones left to manual discipline.

Was this cheat sheet helpful?

Explore Topics

#SecureCodingPractices#SecureCodingPracticesCheatSheet#Cybersecurity#Intermediate#Parameterized#Queries#SQL#Injection#Security#CheatSheet#SkillVeris