Secure Coding Practices Cheat Sheet
Language-agnostic patterns for input validation, output encoding, secrets handling, and common vulnerability prevention.
3 PagesIntermediateJan 30, 2026
Parameterized Queries (SQL Injection)
Never concatenate user input into SQL; always bind parameters.
python
# BAD - vulnerable to SQL injectioncursor.execute(f"SELECT * FROM users WHERE email = '{email}'")# GOOD - parameterized, driver handles escapingcursor.execute("SELECT * FROM users WHERE email = %s", (email,))
Output Encoding (XSS)
Encode context-appropriately when injecting untrusted data into HTML.
javascript
// BAD - raw HTML injectionelement.innerHTML = userComment;// GOOD - text content is auto-escapedelement.textContent = userComment;// If HTML is required, sanitize with an allowlist-based libraryimport DOMPurify from "dompurify";element.innerHTML = DOMPurify.sanitize(userComment);
Secrets Handling
Never hardcode secrets; load them from a vault or the environment at runtime.
bash
# BAD - committed to source control# api_key = "sk-live-abc123..."# GOOD - injected at runtime from a secrets managerexport DB_PASSWORD=$(aws secretsmanager get-secret-value \ --secret-id prod/db/password --query SecretString --output text)# Add a pre-commit hook to catch accidental leakspip install detect-secrets && detect-secrets scan > .secrets.baseline
Secure Coding Checklist
The recurring vulnerability classes to design against from day one.
- Injection- parameterize SQL/NoSQL/shell commands, never string-build queries
- Broken auth- use vetted libraries for hashing (argon2/bcrypt) and session mgmt
- Deserialization- never deserialize untrusted data with pickle/yaml.load/eval
- Path traversal- resolve and validate file paths against an allowlisted base dir
- SSRF- validate/allowlist outbound URLs before the server fetches them
- Least privilege- run processes and DB users with the minimum grants needed
- Error handling- log stack traces internally, return generic errors to clients
Pro Tip
Push validation and encoding to the framework/library level (ORM parameter binding, templating auto-escape, a schema validator) instead of relying on developers to remember it per call site — the vulnerability classes that survive years in production are almost always the ones left to manual discipline.
Was this cheat sheet helpful?
Explore Topics
#SecureCodingPractices#SecureCodingPracticesCheatSheet#Cybersecurity#Intermediate#Parameterized#Queries#SQL#Injection#Security#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance