Most of the time I've seen a website or app get hacked, it wasn't because someone pulled off something clever. It was because of a simple mistake that had been sitting there waiting. The good news is that most of these are quick to fix once you know what to look for.
Passwords Need to Be Stored Properly
This one surprises people: your app shouldn't actually store your users' passwords. It should store a scrambled version — one that can't be unscrambled. When someone logs in, you scramble what they type and see if it matches the scrambled version you stored.
The reason this matters: if your database ever gets leaked (which happens to good companies too), the attacker gets the scrambled versions, not the real passwords. If the scrambling is done right, they're useless. If it's done badly, they're not. Use a modern, well-tested method — most good off-the-shelf login systems handle this correctly for you.
Limit How Many Times Someone Can Try to Log In
Without any limits, someone can write a program that tries thousands of passwords per minute on your login page. They don't need to guess the right one on the first try — they just need to keep trying until they get lucky.
The fix is to slow them down. After a few wrong attempts, make the user wait before they can try again. After more attempts, lock the account temporarily. This turns something that could take minutes into something that would take years.
Secret Keys Don't Belong in Your Code
Most apps connect to other services — payment processors, email providers, maps. These connections use secret keys, like a password for your app. The most common mistake I see is developers accidentally saving these keys inside the code itself.
The problem is that code often gets shared — put on GitHub, sent to someone, backed up somewhere. Once the key is in the wrong hands, someone can use your paid services for free, or access your users' data. Keep secrets in a separate place, never in the code itself.
Don't Trust What You're Sent — Check It First
Any information that comes from outside your system — a form someone fills in, a link someone clicks — should be treated with suspicion until you've checked it. If your app takes something a user typed and puts it straight into your database without checking it first, you're vulnerable to a whole category of attacks.
Again, good modern tools and libraries tend to handle a lot of this for you. The danger is when people try to be clever and go around the tools. The safest default is to use what's provided and only deviate when you really know what you're doing.
Make Sure the Padlock Is Actually Working
Every website should use a secure connection (HTTPS) — that's what the padlock in the browser bar means. It encrypts information between your site and the person visiting it, so nobody in the middle can read it. If your site doesn't have this set up properly, it's a red flag for users and a genuine risk.
It's free and not complicated to set up. If someone is helping you build a website and they haven't sorted this, ask them about it.
The Most Important Mindset
Security isn't something you bolt on at the end. The apps that get hacked aren't usually taken down by sophisticated attacks — they're exploited through basic mistakes that were never fixed. Get the basics right from the start. Once your product is growing, bring in someone to look for anything you've missed. The basics don't take long, and they're worth every minute.