Last Updated: November 21, 2025
OWASP Top 10
Critical web application security risks
OWASP Top 10 (2021)
| Item | Description |
|---|---|
| A01: Broken Access Control | Unauthorized access to resources |
| A02: Cryptographic Failures | Weak encryption or data exposure |
| A03: Injection | SQL, NoSQL, OS command injection |
| A04: Insecure Design | Missing security controls in design |
| A05: Security Misconfiguration | Improper security settings |
| A06: Vulnerable Components | Using outdated libraries |
| A07: Authentication Failures | Weak authentication/session management |
| A08: Software/Data Integrity | Insecure CI/CD or updates |
| A09: Logging/Monitoring Failures | Inadequate security logging |
| A10: Server-Side Request Forgery | Server induced to fetch attacker-chosen URLs (SSRF) |
Prevention: Injection
- Use parameterized queries or ORMs
- Validate and sanitize all inputs
- Use allowlists for input validation
- Escape special characters
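The first three items above, shown side by side as an added example (not code from the OWASP project or from this page): a string-built query that lets input become SQL grammar, the same lookup with a bound parameter, and an allowlist for a sort column, which cannot be bound as a parameter and so must be validated instead. The table, rows and the probe string are constructed for the demonstration; sqlite3 from the Python standard library stands in for any database driver.

```python
import sqlite3

# Allowlist for a value that cannot be passed as a bound parameter (an identifier).
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def make_db():
    """Constructed in-memory sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds SQL by string interpolation: the input becomes part of the query grammar."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the driver binds the value, so it can only ever be data."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def list_users_sorted(conn, sort_by):
    """Column names cannot be bound as parameters, so the value is checked
    against a fixed allowlist before it is placed in the query text."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_by!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed test input that exercises the flaw
    print(find_user_vulnerable(db, probe))  # every row comes back
    print(find_user_safe(db, probe))        # []: no user is literally named that
    print(list_users_sorted(db, "username"))
```

The point of `list_users_sorted` is that parameterization covers values, not identifiers or keywords; for those, an allowlist of known-good names is the control, and escaping is only a fallback when neither is possible.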
Prevention: Broken Access Control
- Deny by default principle
- Implement role-based access control
- Validate permissions on server-side
- Log access control failures
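All four items above in one simulated endpoint, as an added example (not code from the OWASP project or this page): the principal comes from a server-side session store rather than anything the client claims, a role-to-permission map grants explicitly and everything else is denied, an object-level rule covers "own record" access, and every denial is recorded. The session table, resources and role names are constructed for the demonstration.

```python
import logging

logger = logging.getLogger("access-control")

# Explicit grants per role; any action/resource pair not listed here is denied.
ROLE_PERMISSIONS = {
    "admin": {"user:read", "user:write", "report:read", "report:write"},
    "analyst": {"report:read"},
    "user": set(),  # ordinary users only get object-level access to their own record
}

# Constructed server-side session store: the request is never trusted to say who it is.
SESSIONS = {
    "sess-alice": {"name": "alice", "role": "admin"},
    "sess-bob": {"name": "bob", "role": "user"},
    "sess-eve": {"name": "eve", "role": "user"},
}

# Constructed resource registry.
RESOURCES = {
    "user/bob": {"kind": "user", "owner": "bob"},
    "report/q3": {"kind": "report", "owner": "alice"},
}

DENIALS = []  # in-memory audit trail of access-control failures


def is_allowed(principal, action, resource):
    """Deny by default: True only when an explicit rule grants the action."""
    permission = f"{resource['kind']}:{action}"
    if permission in ROLE_PERMISSIONS.get(principal["role"], set()):
        return True
    # Object-level rule: a user may read and update their own record.
    if (resource["kind"] == "user" and resource["owner"] == principal["name"]
            and action in ("read", "write")):
        return True
    return False


def _deny(who, action, resource_id, reason):
    entry = f"access denied: who={who} action={action} resource={resource_id} {reason}"
    DENIALS.append(entry)
    logger.warning(entry)


def handle_request(session_id, action, resource_id, claimed_role=None):
    """Simulated endpoint; returns an HTTP-style status code.
    claimed_role is whatever the client sent and is deliberately ignored."""
    principal = SESSIONS.get(session_id)
    if principal is None:
        _deny("anonymous", action, resource_id, "no valid session")
        return 401
    resource = RESOURCES.get(resource_id)
    if resource is None:
        return 404
    if not is_allowed(principal, action, resource):
        _deny(principal["name"], action, resource_id,
              f"role={principal['role']} claimed_role={claimed_role}")
        return 403
    return 200


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(handle_request("sess-alice", "write", "report/q3"))                 # 200
    print(handle_request("sess-bob", "read", "user/bob"))                      # 200 (own record)
    print(handle_request("sess-eve", "read", "user/bob", claimed_role="admin"))  # 403
    print(handle_request("sess-bob", "delete", "user/bob"))                    # 403 (no rule for delete)
    print(handle_request("no-such-session", "read", "user/bob"))               # 401
```

Note that `delete` is refused for bob even on his own record: no rule mentions it, and deny-by-default means an unanticipated action needs no special-case code to be blocked.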
Security Headers
| Item | Description |
|---|---|
| Content-Security-Policy | Prevent XSS attacks |
| X-Frame-Options | Prevent clickjacking |
| Strict-Transport-Security | Enforce HTTPS |
| X-Content-Type-Options | Prevent MIME sniffing |
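A small audit function for the four headers in the table, as an added example (not code from OWASP or this page): it takes a response's header map and reports what is missing or weak, so the check can run against a real response in a test. The recommended values and the one-year HSTS floor are this example's assumed baseline, and the weak header set is constructed to show the findings.

```python
import re

ONE_YEAR_SECONDS = 31536000

# Assumed baseline values for the four controls (example's choice, not from the page).
RECOMMENDED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": f"max-age={ONE_YEAR_SECONDS}; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

# Constructed example of a response that sets headers but gets each one wrong.
WEAK_HEADERS = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "none",
}


def _csp_directives(value):
    """Parse 'name src src; name src' into {name: [sources]} (lower-cased)."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers):
    """Return a list of findings; an empty list means all four controls look sound."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    csp = h.get("content-security-policy")
    directives = _csp_directives(csp) if csp else {}
    if csp is None:
        findings.append("Content-Security-Policy missing: no CSP mitigation for XSS")
    else:
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        script_sources = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_sources:
            findings.append("CSP allows 'unsafe-inline' scripts, which undoes its XSS protection")
        if "*" in script_sources:
            findings.append("CSP script sources allow any origin (*)")

    xfo = h.get("x-frame-options")
    if xfo is None:
        if "frame-ancestors" not in directives:
            findings.append("no clickjacking protection: X-Frame-Options and CSP frame-ancestors both absent")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: HTTPS is not enforced by the browser")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if m is None:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < ONE_YEAR_SECONDS:
            findings.append(f"Strict-Transport-Security max-age {m.group(1)} is below one year")

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff': MIME sniffing is possible")

    return findings


if __name__ == "__main__":
    print(audit_headers(RECOMMENDED_HEADERS))  # []
    for finding in audit_headers(WEAK_HEADERS):
        print("-", finding)
```

The CSP check is deliberately shallow (it looks only for the two source values that most commonly negate a policy); the useful property of the function is that it runs against any header map, so it can sit in an integration test next to the application's own responses.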
💡 Pro Tips
Quick Reference
Always validate input on both client and server side; client-side checks improve usability, but only the server-side check is a security control, since anything the client sends can be altered.