Tips & Tricks

⁃ Never trust, always verify.
⁃ Filter input and escape output; escape at the point of output, for the context the data lands in (HTML body, attribute, URL, JavaScript).
⁃ Always use prepared statements (parameterised queries) when interacting with the database; never splice user input into an SQL string.
⁃ Add rate limiting or a CAPTCHA where necessary (login, password reset, registration, expensive endpoints).
⁃ Always validate data in the backend; client-side validation is only a usability feature and is trivially bypassed.
⁃ Use a well-reviewed authentication framework, enforce access control server-side on every request, and manage roles explicitly.
⁃ Keep your packages, system and libraries up to date.
⁃ Implement a proper logging mechanism.
⁃ Build proper exception management: catch errors centrally, log the detail, and return only a generic message to the client.
⁃ Encrypt everything in transit (TLS) to prevent man-in-the-middle attacks.
⁃ Rotate logs (or clear log files regularly) so that a full disk does not hang the database or the application.
⁃ Set a maximum request size, a maximum file upload size and a maximum request timeout.
⁃ Keep in mind that ext3 caps the number of subdirectories in a single directory at about 32,000 (ext4 at about 65,000 unless the dir_nlink feature is enabled); shard uploads into a nested directory tree rather than one flat folder.
⁃ Block traffic from unwanted geographical regions, data centres and Tor relay nodes.
⁃ Remove information-disclosure headers (X-Powered-By, Server) and add security headers (Strict-Transport-Security, X-Content-Type-Options).
⁃ Reduce the risk of exposing API definitions, documentation and sensitive data through untrusted tools.
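The following is an added example, not code from the original page or any project it describes. It shows several of the checklist items in working code using only the Python standard library: a string-spliced query beside its prepared-statement replacement, output escaping, a sliding-window rate limiter, request-size limits, response-header hardening, and a sharded upload path that keeps any one directory small. The table, sample users, limits, header values and function names are all constructed for this example.

```python
"""Added example (not from the original page): web-backend hardening helpers.
The users table, limits and header values below are constructed for illustration."""
import hashlib
import html
import sqlite3
from collections import deque
from time import monotonic
from typing import Deque, Dict, List, Optional, Tuple


# --- prepared statements vs. string splicing --------------------------------
def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Deliberately vulnerable: the caller-controlled string becomes part of the SQL text,
    # so "' OR '1'='1" turns a lookup for one user into a dump of every row.
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # Prepared statement: the value is bound to a placeholder and never parsed as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# --- escape output, not input -----------------------------------------------
def render_greeting(name: str) -> str:
    # Escape at output time for the HTML context; the stored value stays as the user typed it.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- rate limiting ---------------------------------------------------------
class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per `window` seconds per key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = monotonic() if now is None else now  # injectable clock for tests
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:      # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# --- request limits ---------------------------------------------------------
MAX_REQUEST_BYTES = 1 * 1024 * 1024    # assumed limit for ordinary requests
MAX_UPLOAD_BYTES = 10 * 1024 * 1024    # assumed limit for file uploads


def check_request_size(content_length: Optional[int], is_upload: bool = False) -> bool:
    # Decide from the declared length before reading the body; unknown or
    # negative lengths are rejected rather than read to exhaustion.
    if content_length is None or content_length < 0:
        return False
    return content_length <= (MAX_UPLOAD_BYTES if is_upload else MAX_REQUEST_BYTES)


# --- response headers -------------------------------------------------------
DISCLOSURE_HEADERS = ("x-powered-by", "server")


def harden_headers(headers: Dict[str, str]) -> Dict[str, str]:
    # Strip version-disclosing headers, then add HSTS and nosniff if absent.
    out = {k: v for k, v in headers.items() if k.lower() not in DISCLOSURE_HEADERS}
    out.setdefault("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
    out.setdefault("X-Content-Type-Options", "nosniff")
    return out


# --- upload storage layout --------------------------------------------------
def sharded_upload_path(file_id: str, depth: int = 2) -> str:
    # Hash the identifier and use two-hex-character levels (256 entries each),
    # so no directory approaches the ext3/ext4 per-directory link limits.
    digest = hashlib.sha256(file_id.encode("utf-8")).hexdigest()
    levels = [digest[2 * i:2 * i + 2] for i in range(depth)]
    return "/".join(["uploads", *levels, digest])


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # both rows leak
    print("prepared:  ", find_user_safe(db, payload))        # no match
    print(render_greeting("<script>alert(1)</script>"))
    print(harden_headers({"Server": "nginx/1.24", "X-Powered-By": "PHP/8.2"}))
    print(sharded_upload_path("report.pdf"))
```

The limiter takes an injectable clock so the window logic can be exercised deterministically; in a real service the key would be the client address or account, and the limit applied before any database work.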