Your web application should be "build once, run anywhere", not "build once, get hacked from anywhere".

1 October 2025

Web applications were the fulfillment of the dream: build once, run anywhere. But then reality set in, and the dream turned into a nightmare: build once, get hacked from anywhere.

The internet is international; it’s in the name, INTERnational NETwork. The same feature that gives your web application global reach also makes it a global target. Hackers don’t need to be inside your local network to attack your application; they just need a weak point and an internet connection, and with those they can reach your data from virtually anywhere.

Make sure your web application is ready to face the world with the following dos and don’ts:

Do
✅ Take authentication and authorization seriously. Protect user accounts with 2FA
✅ Regularly perform penetration tests and security audits
✅ Use Transport Layer Security (TLS)... always
✅ Use security headers, for example Content Security Policy (CSP), to limit the impact of attacks like cross-site scripting (XSS)
✅ Update your software and dependencies, and automate the process
✅ Make sure your firewall is configured properly
✅ Rate limit your application and distribute the load where practical
✅ Add monitoring and intrusion detection, and check them regularly
✅ Protect your database with authentication, authorization, encryption, and monitoring
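To make the "security headers" item concrete, here is an added example (not code from the original post): a framework-agnostic WSGI middleware that attaches a baseline CSP, HSTS and a few related headers to every response, while letting a view that sets its own header keep it. The header values, the sample app and the `run_request` helper are assumptions for this example; the CSP in particular must be tuned to what your application actually loads.

```python
"""Added example: a WSGI middleware that sets baseline security headers.
Header values are illustrative assumptions, not a universal policy."""

# Assumed baseline: same-origin scripts and styles only, no plugins, no framing.
SECURITY_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        "frame-ancestors 'none'; base-uri 'self'"
    ),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "DENY",
}


def security_headers_middleware(app):
    """Wrap a WSGI app so every response carries SECURITY_HEADERS.

    Headers the app already set are kept, so a single view can still
    tighten (or deliberately override) the policy for its own response."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            merged = list(headers) + [
                (name, value)
                for name, value in SECURITY_HEADERS.items()
                if name.lower() not in present
            ]
            return start_response(status, merged, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def hello_app(environ, start_response):
    """Constructed minimal WSGI app standing in for a real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_request(app, path="/"):
    """Drive a WSGI app once and return (status, headers, body) for inspection.
    This is a test helper, not something a production app needs."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = run_request(security_headers_middleware(hello_app))
    print(status, body)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

In a Django project the equivalent is `django.middleware.security.SecurityMiddleware` with the `SECURE_*` settings plus a CSP middleware; the point of the plain WSGI version is that the mechanism is the same whatever framework sits underneath.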

Don't
❌ Do not hardcode or log secrets
❌ Do not blindly trust dependencies
❌ Do not blindly trust data sent from the frontend, even if it looks clean: always validate and sanitize it server-side
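The two "don'ts" about secrets in logs and about frontend data share one theme: the server decides what is acceptable, never the client. The following added example (not code from the original post) shows both sides: an allowlist validator for an assumed signup payload, which rejects unknown fields such as a client-supplied `is_admin` instead of silently accepting them, and a `logging.Filter` that scrubs password, token and API-key values before a log line is written. The field names, regular expressions and secret patterns are constructed assumptions for this illustration.

```python
"""Added example: server-side validation of frontend data, and a logging
filter that keeps secrets out of log output. Schema and patterns are assumed."""
import logging
import re
from typing import Any

# Constructed allowlist schema for an assumed signup form: each accepted
# field has an expected type and a value check. Fields not listed are errors.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}\.[A-Za-z]{2,}$")
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")

SIGNUP_SCHEMA = {
    "username": (str, lambda v: bool(USERNAME_RE.match(v))),
    "email": (str, lambda v: len(v) <= 254 and bool(EMAIL_RE.match(v))),
    "age": (int, lambda v: 13 <= v <= 120),
}


def validate_signup(payload: Any) -> dict:
    """Return a clean dict built only from allowlisted, well-typed fields,
    or raise ValueError listing every problem found (never partially accept)."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    errors = []
    clean = {}
    for key in payload:
        if key not in SIGNUP_SCHEMA:
            errors.append(f"unexpected field: {key}")  # e.g. is_admin=true
    for key, (typ, check) in SIGNUP_SCHEMA.items():
        if key not in payload:
            errors.append(f"missing field: {key}")
            continue
        value = payload[key]
        # bool is a subclass of int, so JSON true must not pass as age 1
        if not isinstance(value, typ) or isinstance(value, bool):
            errors.append(f"wrong type for {key}")
        elif not check(value):
            errors.append(f"invalid value for {key}")
        else:
            clean[key] = value
    if errors:
        raise ValueError("; ".join(errors))
    return clean


# Constructed secret patterns: key=value / key: value style secrets and
# bearer tokens. Extend to match the formats your own code actually emits.
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|secret|token|api[_-]?key)(\s*[=:]\s*)\S+"
    r"|\bBearer\s+[A-Za-z0-9._~+/=-]+"
)


def redact(text: str) -> str:
    """Replace secret values with [REDACTED] while keeping the key name,
    so the log line stays useful for debugging."""
    def sub(match):
        if match.group(1):
            return f"{match.group(1)}{match.group(2)}[REDACTED]"
        return "Bearer [REDACTED]"
    return SECRET_RE.sub(sub, text)


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    log = logging.getLogger("signup")
    logging.basicConfig(level=logging.INFO)
    log.addFilter(RedactingFilter())
    try:
        validate_signup({"username": "alice", "email": "a@example.com",
                         "age": 30, "is_admin": True})
    except ValueError as err:
        log.info("rejected payload (%s) with token=%s", err, "s3cr3t")
```

Attach the filter to the root logger (or to every handler) rather than to one named logger, otherwise a library that logs through its own logger bypasses it; and prefer not passing secrets to the logger at all, since the filter is a safety net, not the primary control.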

Your build might be local, but the attack surface is global.

djangsters GmbH
