thefekete.net

Got this from a comment on slashdot by raddan. Seems like good advice…

• Never pass unvalidated input to your database
• Never pass unvalidated input to the system
• Always validate on the server-side; client-side validation should only function as a convenience to the user
• Validate data coming from other servers (if you’re doing any web services stuff).
• Encrypt connections to the server
• Enforce inactivity timeouts
• Do not allow multiple logins to the same account (unless you want your game to application to work that way)
• Always authenticate users; consider using two-factor authentication (CAPTCHA + password, etc)
• Allow administrators to revoke accounts
• Make it easy for administrators/force administrators to sandbox/chroot your application
• If your applications needs to use server storage, consider DoS attacks (a user uploading lots of stuff)
• Make sure all privileged actions hit the same authentication class/function; if you change your authentication code, this ensures that the changes are applied across the board <– I catch newbie programmers making this mistake all the time!

If you do all of the above, your app might still not be “secure”, but breaking it will be a PITA.