Web Security Is Everyone's Job: A Developer's Field Guide
Security is not a feature you bolt on after launch. It is not the CISO's problem alone. It is not a checklist you run through before a compliance audit. It is a shared responsibility across every engineer, every team, every layer of the stack. This guide walks through the three layers where most web vulnerabilities live — Frontend , In Transit , and Backend — using a threat modeling lens: thinking like an attacker so you can build like a defender. What Is Threat Modeling? Before writing a single line of defensive code, you need to think systematically about your system's attack surface. Threat modeling is the process of: Identifying entry points — Where does untrusted data enter your system? Form inputs, URL parameters, uploaded files, third-party APIs? Assessing potential impact — If this entry point is exploited, what can an attacker access or do? Designing defenses proactively — Before the exploit occurs, not after. It shifts your mindset from "let's hope nothing breaks" to "let's assume something will be tried." Part 1 — Frontend Security: Stopping XSS What Is XSS? Cross-Site Scripting (XSS) happens when untrusted data is rendered as executable code in a browser. An attacker injects a script; your application runs it on behalf of your users. The consequences are severe: session hijacking, credential theft, defacement, redirects to malicious sites. There are three flavours: ┌─────────────────────────────────────────────────────────────────┐ │ XSS TYPES │ ├──────────────────┬──────────────────────────────────────────────┤ │ Stored XSS │ Malicious script saved in your DB, │ │ │ served to every user who loads that data. │ │ │ Most dangerous — persistent and broad. │ ├──────────────────┼──────────────────────────────────────────────┤ │ Reflected XSS │ Script lives in a URL parameter. │ │ │ Requires tricking the user into clicking │ │ │ a crafted link. Temporary, per-request. │ ├──────────────────┼──────────────────────────────────────────────┤ │ DOM-Based XSS │ Entir