I'm looking for advice on tools that can help me scan my website and code for vulnerabilities before going live. I have a solid IT background, but my web development experience is a bit rusty. The application processes user-submitted data and I'm concerned about security risks like SQL injection and XSS. I know to avoid hardcoding sensitive info and to keep my API keys secure, but I want to make sure I'm doing everything I can to protect against breaches. I'm planning to charge for the app, with a free version available too. What would you recommend for pre-launch testing? I'm also aware that my coding style has some critics, but I'm building this for myself first, and I hope to share it eventually. Thanks for any insights!
4 Answers
For your specific situation, the biggest threats often come from SQL injection and XSS because a lot of AI-generated code skips input sanitization. You can run OWASP ZAP against your app—it’s free and great for catching obvious vulnerabilities. Also, if you're using npm, tools like "npm audit" and "Snyk" can help flag known vulnerabilities in your dependencies. Don’t forget about rate limiting and validating file uploads; those are often overlooked but critical for handling user data safely.
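To make the SQL injection and XSS points in this answer concrete, here is an added example in plain Node.js (not code from the thread or from any of the tools named). It contrasts a query built by string concatenation with a parameterised one, and shows HTML output encoding for untrusted text. The `{ text, values }` query shape is an assumption modelled on the node-postgres `client.query` call; no database is needed to run it.

```javascript
// Added example, not from the thread. Demonstrates two defences named above:
// parameterised SQL (against injection) and HTML output encoding (against XSS).

// Unsafe pattern: the user-supplied value becomes part of the SQL text, so the
// database has no way to tell where the statement ends and the data begins.
// Even a legitimate name containing an apostrophe breaks the statement.
function unsafeQuery(username) {
  return `SELECT id, email FROM users WHERE username = '${username}'`;
}

// Safe pattern: the statement is a constant with a placeholder, and the value
// travels separately. The { text, values } shape is assumed to match what a
// driver such as node-postgres accepts in client.query(); the driver sends the
// value out-of-band, so it can only ever be compared, never executed.
function safeQuery(username) {
  return {
    text: 'SELECT id, email FROM users WHERE username = $1',
    values: [username],
  };
}

// XSS defence: encode the five characters that carry meaning in HTML text and
// attribute contexts before interpolating untrusted input into markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Every interpolation of user data into the template goes through escapeHtml,
// so user-controlled strings are rendered as text rather than parsed as tags.
function renderComment(author, body) {
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// Stand-alone demonstration with a constructed, perfectly legitimate username.
const name = "O'Neil";
console.log('concatenated :', unsafeQuery(name)); // quote inside the literal: broken SQL
console.log('parameterised:', safeQuery(name));   // statement intact, value passed separately
console.log(renderComment('<script>', 'hello & goodbye'));
```

The takeaway is that the parameterised form does not try to guess which characters are dangerous; the statement simply never contains user data. The same idea applies to HTML: decide the context (here, HTML text) and encode for it at the point of output, rather than trying to strip "bad" input on the way in.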
Using tools like Patchstack can provide you with peace of mind. I’ve used it before and haven't run into any issues. It focuses on security for WordPress but has some great overall advice too!
Look into Codex Security; it can scan your repositories for hardcoded secrets and vulnerabilities. Just keep in mind it won’t help if your infrastructure is set up incorrectly. Make sure to enable all appropriate checks in your code.
How can AI not find it if it's hardcoded into the code and thus the repo?
You might want to check out Snyk. It’s a popular tool for scanning your code and dependencies for known vulnerabilities. It’s user-friendly and integrates well with most development environments, making it easier to stay on top of security concerns.
How do you pronounce that?
Thank you!

Thanks! I totally forgot about rate limiting; it was one of the first things they taught us. I'll definitely refresh my memory on the OWASP principles before launching.
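Rate limiting comes up in the first answer and again in the closing reply, so here is an added example of what that check looks like in practice (not code from the thread). It is a fixed-window, per-client limiter in plain Node.js with an injectable clock so it can be tested without waiting. The `rateLimitMiddleware` wrapper assumes an Express-style `req.ip`, `res.set`, `res.status` and `res.json`; those names are an assumption, not part of the original post.

```javascript
// Added example, not from the thread: a fixed-window rate limiter keyed by
// client, plus an Express-style middleware that returns 429 when exceeded.

class RateLimiter {
  // limit: requests allowed per window; windowMs: window length in ms;
  // now: clock function, injectable so the behaviour can be tested deterministically.
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // key -> { windowStart, count }
  }

  // Records one request for `key` and reports whether it is within the limit.
  check(key) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket || t - bucket.windowStart >= this.windowMs) {
      // First request from this client, or the previous window has expired.
      bucket = { windowStart: t, count: 0 };
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= this.limit;
    return {
      allowed,
      remaining: Math.max(0, this.limit - bucket.count),
      // How long the client should wait before the window resets (0 if allowed).
      retryAfterMs: allowed ? 0 : bucket.windowStart + this.windowMs - t,
    };
  }
}

// Express-style middleware (assumed API: req.ip, res.set, res.status, res.json).
// Keyed on the client IP; behind a proxy you would key on the trusted
// forwarded address instead, otherwise every client shares one bucket.
function rateLimitMiddleware(limiter) {
  return (req, res, next) => {
    const result = limiter.check(req.ip);
    res.set('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.set('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      return res.status(429).json({ error: 'Too many requests' });
    }
    return next();
  };
}

// Stand-alone demonstration with a constructed client key and a fake clock.
let fakeNow = 0;
const demo = new RateLimiter({ limit: 3, windowMs: 1000, now: () => fakeNow });
for (let i = 1; i <= 4; i++) {
  console.log(`request ${i}:`, demo.check('client-A'));
}
fakeNow = 1000; // window has elapsed
console.log('after reset:', demo.check('client-A'));
```

A fixed window is the simplest scheme and is easy to reason about, but it allows a burst of up to twice the limit across a window boundary; a sliding window or token bucket smooths that out. The in-memory `Map` also only works for a single process, so once the app runs on more than one instance the counters belong in a shared store.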