I come from an IT background, but I'm relatively new to web development. My application collects user data and stores it in databases, so it's not a simple static site. While I'm comfortable with database setup and scripting, I have concerns about security, especially since I've coded most of the website myself. I want to ensure that my site doesn't get hacked, compromising user data or API keys. I've built websites for classroom projects in the past, but those didn't involve real-world vulnerabilities. I'm planning to offer both a paid and a free version of my app, and eventually, I'd like to hire a professional to conduct a thorough audit. What tools or practices would you recommend for scanning the site for vulnerabilities before it goes live? Also, I know vibe coding isn't the most respected way to build sites, but I'm mainly doing this for myself and hope to share it with others.
2 Answers
For applications like yours, a few common pitfalls include SQL injection and XSS attacks, especially since vibe-coded apps may overlook input sanitization. I recommend using OWASP ZAP to scan your running app; it’s free and effective at catching common issues. Additionally, if you’re using Node.js, tools like npm audit and Snyk can help identify known vulnerabilities in your packages. One thing many developers miss is the importance of rate limiting for user-generated content and validating file uploads.
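The pitfalls named in this answer, shown side by side as an added example (not code from the question or the answer). It is plain Node.js with no database attached: the queries are built and returned rather than executed, so the contrast is visible offline. The `$1` placeholder style, the 5 MB upload cap, the PNG/JPEG signature table and the function names are assumptions for illustration; the rate limiter is a single-process in-memory counter, which is enough to show the idea but not a substitute for one shared across instances.

```javascript
// Added example, not from the original post. Vulnerable vs. hardened handling of the
// four issues named above: SQL injection, XSS, file uploads, rate limiting.

// --- 1. SQL injection: string concatenation vs. parameterized query ----------------
// Vulnerable: user input is spliced into the SQL text, so it can change the query logic.
function buildLoginQueryUnsafe(username) {
  return { text: `SELECT id FROM users WHERE name = '${username}'`, values: [] };
}

// Hardened: the driver (pg-style $1 placeholders, assumed here) sends the value
// separately from the statement, so it can only ever be data, never query structure.
function buildLoginQuerySafe(username) {
  return { text: 'SELECT id FROM users WHERE name = $1', values: [username] };
}

// --- 2. XSS: escape untrusted text before interpolating it into HTML ---------------
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderComment(body) {
  return `<p class="comment">${escapeHtml(body)}</p>`;
}

// --- 3. File uploads: trust the file's magic bytes, not the client-supplied name/MIME --
const MAGIC = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
];
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // assumed site policy
function validateUpload(buf, declaredType) {
  if (buf.length > MAX_UPLOAD_BYTES) return { ok: false, reason: 'too large' };
  const match = MAGIC.find((m) => m.bytes.every((b, i) => buf[i] === b));
  if (!match) return { ok: false, reason: 'unrecognized file signature' };
  if (match.type !== declaredType) {
    return { ok: false, reason: `claimed ${declaredType}, got ${match.type}` };
  }
  return { ok: true, type: match.type };
}

// --- 4. Rate limiting: fixed-window counter per client key (in-memory, one process) --
function createRateLimiter({ limit, windowMs }) {
  const buckets = new Map();
  return function allow(key, now = Date.now()) {
    const b = buckets.get(key);
    if (!b || now - b.start >= windowMs) {
      buckets.set(key, { start: now, count: 1 }); // new window for this key
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  };
}

// Constructed inputs mimicking what an attacker would send.
const INJECTION = "' OR '1'='1";
const XSS_PAYLOAD = '<script>alert(1)</script>';
const FAKE_PNG = new TextEncoder().encode('GIF89a not really a png'); // wrong signature
const REAL_PNG_HEADER = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0]);

function demo() {
  console.log(buildLoginQueryUnsafe(INJECTION).text); // attacker now controls the WHERE clause
  console.log(buildLoginQuerySafe(INJECTION));        // structure fixed, payload is just a value
  console.log(renderComment(XSS_PAYLOAD));
  console.log(validateUpload(FAKE_PNG, 'image/png'), validateUpload(REAL_PNG_HEADER, 'image/png'));
  const allow = createRateLimiter({ limit: 3, windowMs: 60_000 });
  console.log([1, 2, 3, 4].map(() => allow('10.0.0.1', 0))); // fourth request in the window is refused
}
demo();
```

Running it prints the concatenated query with the `OR '1'='1'` clause spliced in, the parameterized form with the payload isolated in `values`, the escaped comment markup, one rejected and one accepted upload, and `[true, true, true, false]` from the limiter. OWASP ZAP will flag the first two classes when it can reach the endpoints; the upload and rate-limit checks are things a scanner rarely proves for you, so test them by hand.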
You should definitely consider using Snyk for scanning dependencies. It helps flag vulnerabilities in your code libraries. There's also Codex Security, although be cautious since it focuses on repositories and may miss issues in your application infrastructure. It’s crucial to ensure there are no hardcoded secrets as part of your code.
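A minimal hardcoded-secret check for the last point in this answer, added here as an example and not code from the answer or from any of the tools it names. It scans source text for a few well-known key formats plus any long, random-looking quoted literal, and shows the pattern that replaces the literal (read from the environment, fail fast if absent). The regexes and the entropy cutoff are illustrative assumptions; a dedicated scanner carries far more rules. The sample source and the keys in it are constructed, the AWS one being the documented placeholder value.

```javascript
// Added example, not from the original post: a small pre-commit style secret scan.

const SECRET_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub token',      re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { name: 'private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // Generic "api_key = '...'" style assignment with a long literal on the right.
  { name: 'generic api key assignment',
    re: /\b(?:api|secret|access)[_-]?(?:key|token)\b\s*[:=]\s*['"][^'"]{16,}['"]/i },
];

// Shannon entropy in bits per character: random keys score high, words and identifiers low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const c of s) counts.set(c, (counts.get(c) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Catch-all for long quoted literals that look random even when no known prefix matches.
const ENTROPY_THRESHOLD = 4.0; // assumed cutoff; tune it against your own code base
function highEntropyLiterals(line) {
  const hits = [];
  for (const m of line.matchAll(/['"]([A-Za-z0-9+\/=_-]{20,})['"]/g)) {
    if (shannonEntropy(m[1]) >= ENTROPY_THRESHOLD) hits.push(m[1]);
  }
  return hits;
}

// Scan source text line by line; returns findings with 1-based line numbers.
function scanForSecrets(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { name, re } of SECRET_PATTERNS) {
      if (re.test(line)) findings.push({ line: idx + 1, rule: name });
    }
    for (const lit of highEntropyLiterals(line)) {
      findings.push({ line: idx + 1, rule: 'high-entropy literal', value: lit });
    }
  });
  return findings;
}

// The replacement for a hardcoded value: read it from the environment and refuse to start
// without it, rather than falling back to a literal in the repo.
function requireEnv(name, env = process.env) {
  const v = env[name];
  if (!v) throw new Error(`missing required environment variable ${name}`);
  return v;
}

// Constructed source snippet; the credentials are deliberately fake.
const SAMPLE_SOURCE = [
  "const db = connect({ host: 'localhost', user: 'app' });",
  "const AWS_KEY = 'AKIAIOSFODNN7EXAMPLE';",
  "const stripeKey = 'sk_test_abcdefghijklmnopqrstuvwxyz0123456789';",
  "const greeting = 'hello hello hello hello hello';",
  "const token = requireEnv('API_TOKEN');",
].join('\n');

function demo() {
  for (const f of scanForSecrets(SAMPLE_SOURCE)) {
    console.log(`line ${f.line}: ${f.rule}${f.value ? ' ' + f.value : ''}`);
  }
}
demo();
```

On the sample it reports line 2 by its AWS prefix and line 3 by entropy alone, and stays quiet on the repeated-word string and on the `requireEnv` call. Run something like this (or a real scanner) over the whole repository history, not just the working tree, since a key removed in a later commit is still in git.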
How can an AI tool miss hardcoded secrets? That seems odd.

Thanks! I totally forgot about rate limiting; this was one of the first things they taught us XD. Will definitely check the OWASP principles again before going live.