Securing your code
In the previous section, we looked at how to set up a simple WAF. The rate limiting feature we added is useful, but it protects us from just one possible attack. Without being paranoid, as soon as you expose your app to the world, it faces numerous possible attacks, and your code needs to be designed with that threat in mind.
The idea behind secure code is simple, yet hard to do well in practice. The two fundamental principles are:
- Every request from the outside world should be carefully assessed before it does anything in your application or to your data
- Everything your application is doing on a system should have a well-defined and limited scope
Let's look at how to implement these principles in practice.
Asserting incoming data
The first principle, assert incoming data, just means that your application should not blindly execute incoming requests without first making sure what their impact will be.
For instance, if you have an API that will let a caller delete a line in a database...