Introduction

When building a web application, the difference between a secure design and an insecure shortcut can determine whether your project thrives or becomes a target for cyberattacks. OWASP (Open Web Application Security Project) publishes the Top 10 most critical web application risks, a gold standard for developers and security teams.

In this article, we explore what makes a web app unsafe, how to secure it according to OWASP guidelines, and provide code examples.

1. Broken Access Control

Insecure Example:

// Express.js route with no authorization check
app.get("/api/users/:id", (req, res) => {
   db.findUserById(req.params.id).then(user => res.json(user));
});

Anyone can change the :id and read other users’ data.

Secure Practice:

// Check that user can only access their own record
app.get("/api/users/:id", authMiddleware, (req, res) => {
   if (req.user.id !== req.params.id) return res.status(403).send("Forbidden");
   db.findUserById(req.params.id).then(user => res.json(user));
});

2. Cryptographic Failures

Insecure Example: Storing passwords with MD5.
Secure Practice: Always hash with bcrypt or Argon2id.

# Python example
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt())

Use HTTPS/TLS everywhere, and enable HSTS.

3. Injection (SQL/NoSQL/OS)

Insecure Example:

// Vulnerable to SQL Injection
$query = "SELECT * FROM users WHERE email = '" . $_GET['email'] . "'";

Secure Practice:

$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$_GET['email']]);

4. Security Misconfiguration

• Insecure: Leaving DEBUG=true In production, verbose error messages are exposed.

• Secure: Disable debug, enforce least-privileged accounts, and standardize configuration with Infrastructure as Code (IaC).

5. Identification & Authentication Failures

Insecure Example: Predictable session IDs, no timeout.
Secure Practice:

• Use secure cookies (HttpOnly, Secure, SameSite).

• Enforce MFA.

• Rotate sessions after login.

Quick Checklist for Secure Web Apps

• Always use parameterized queries.

• Apply Content-Security-Policy headers.

• Implement deny-by-default access control.

• Use dependency scanning (SCA, SBOM).

• Log security events and set up alerts.

Security Checklist for cpanel.myphones.app

This checklist maps directly to the OWASP Top 10 (Web 2021) and shows how to harden both the marketing site (myphones.app) and the control panel (cpanel.myphones.app).

https://myphones.app

1. TLS & HSTS (A02 – Cryptographic Failures)

• Action: Enforce HTTPS everywhere, disable TLS versions < 1.2, and enable HSTS with the preload flag.

• Header:

  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

• Quick test:

  curl -sI https://myphones.app | grep -i strict-transport-security

2. Cookies & Session Management (A07 – Identification & Authentication Failures)

• Action: All session cookies must be set with Secure; HttpOnly; SameSite.

  • For cpanel.myphones.app: prefer SameSite=Strict, rotate session ID after login.

• Quick test:

  curl -sI https://cpanel.myphones.app | grep -i set-cookie

3. Content Security Policy (A03/A05 – Injection & Security Misconfiguration)

• Action:

  • Marketing site (myphones.app): allow only Framer/GitBook resources.

  • Control Panel (cpanel.myphones.app): stricter, no inline scripts.

• Examples:

  • Marketing:

    Content-Security-Policy: default-src 'self';
    script-src 'self' *.framer.com *.framerusercontent.com;
    style-src 'self' 'unsafe-inline' fonts.googleapis.com;
    img-src 'self' data: https:;
    font-src 'self' fonts.gstatic.com;
    frame-ancestors 'none';
    object-src 'none'

  • Control Panel:

    Content-Security-Policy: default-src 'self';
    script-src 'self';
    style-src 'self';
    img-src 'self' data:;
    frame-ancestors 'none';
    object-src 'none'

• Quick test:

  curl -sI https://myphones.app | grep -i content-security-policy

4. Clickjacking Protection (A05 – Security Misconfiguration)

• Action: Deny framing with either CSP frame-ancestors 'none' or header below.

• Header:

  X-Frame-Options: DENY

• Quick test:

  curl -sI https://cpanel.myphones.app | grep -i x-frame-options

Visit website MyPhones: https://cpanel.myphones.app/

5. MIME Sniffing & Referrer Policy (A05 – Security Misconfiguration)

• Headers:

  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin

• Quick test:

  curl -sI https://myphones.app | egrep -i 'content-type-options|referrer-policy'

6. Access Control & IDOR (A01 – Broken Access Control)

• Action: Enforce authorization on the server for every resource/action.

• Deny-by-default, implement RBAC in CPanel (admin/editor/viewer).

• Never rely on hiding UI buttons.

• Quick test: Attempt to change resource IDs (/api/users/:id, /api/devices/:id) → must return 403 Forbidden.

7. Input Validation & Injection (A03 – Injection)

• Action: Always use prepared statements or ORM-safe APIs.

• Validate every request body against a schema (e.g., JSON schema validation).

• Quick test: Fuzz API with ' OR 1=1-- → must be rejected or sanitized.

8. Dependency & Component Security (A06 – Vulnerable and Outdated Components)

• Action: Maintain a Software Bill of Materials (SBOM).

• Run SCA tools (e.g., Dependabot, Snyk).

• Apply patches monthly, block deprecated libraries.

9. Logging & Monitoring (A09 – Security Logging & Monitoring Failures)

• Action: Centralize logs with unique request IDs.

• Log security events (e.g., login failures, privilege changes).

• Add alerting for anomalies (multiple failed logins, brute force attempts).

10. Software/Data Integrity & SSRF (A08/A10)

• CPanel:

  • Sign all deployment artifacts in CI/CD.

  • Do not fetch arbitrary URLs supplied by users (block SSRF).

• Marketing site: only load trusted, version-pinned resources.

✅ If you apply this checklist, both myphones.app and cpanel.myphones.app will align with the OWASP Top 10 baseline for secure web applications.

Conclusion

Developers often ship features fast and postpone security. The OWASP Top 10 reminds us that ignoring secure design leads to predictable, avoidable vulnerabilities. By following simple practices—parameterized queries, strong session management, proper crypto—you can transform your web application from an easy target into a resilient platform.

OWASP Top 10 with Code Examples: Android Quick Guide