
    Backend Security Best Practices: Protecting APIs and Databases in 2026

    Praveen Jha | March 12, 2026 | 13 min read
    Quick Answer

    The most critical backend security practices: (1) never store secrets in code — use environment variables and a secrets manager (AWS Secrets Manager, HashiCorp Vault); (2) validate and sanitise all input; (3) use parameterised queries to prevent SQL injection; (4) implement rate limiting on all public endpoints; (5) use short-lived JWTs with refresh token rotation; (6) enforce HTTPS everywhere; (7) run dependency audits weekly (npm audit, Snyk); (8) implement the OWASP Top 10 checklist before launch. Most breaches exploit basic hygiene failures, not sophisticated exploits.


    OWASP Top 10 for Backend Developers (2026)

    The OWASP Top 10 represents the most critical web application security risks. Most real-world breaches exploit one of these:

    1. Broken Access Control — Users accessing resources they should not
    2. Cryptographic Failures — Sensitive data exposed due to weak encryption or no encryption
    3. Injection — SQL, NoSQL, command injection via unsanitised input
    4. Insecure Design — Missing security requirements at the design phase
    5. Security Misconfiguration — Default credentials, verbose error messages, open S3 buckets
    6. Vulnerable and Outdated Components — Dependencies with known CVEs
    7. Identification and Authentication Failures — Weak passwords, no MFA, session issues
    8. Software and Data Integrity Failures — Unverified updates, insecure CI/CD
    9. Security Logging and Monitoring Failures — Attacks not detected
    10. Server-Side Request Forgery (SSRF) — Server making requests to unintended locations

    Authentication and Authorisation

    JWT Best Practices

    • Short expiry for access tokens (15–60 minutes)
    • Long-lived refresh tokens stored in httpOnly cookies (not localStorage)
    • Rotate refresh tokens on every use
    • Include only necessary claims in JWT payload (no sensitive data)
    • Verify token signature on every request — never trust unverified claims

    Password Storage

    Never store passwords in plain text or with reversible encryption. Use bcrypt, Argon2, or scrypt with appropriate work factors:

    // Node.js with bcrypt (npm install bcrypt); run inside an async function
    const bcrypt = require('bcrypt');
    
    const hash = await bcrypt.hash(password, 12); // cost factor 12; raise it as hardware gets faster
    const isValid = await bcrypt.compare(input, hash); // never compare hashes with ===
    

    Role-Based Access Control (RBAC)

    Implement access checks at the service layer, not just the route layer. Assume every request is potentially malicious:

    // Check ownership, not just authentication
    if (resource.userId !== req.user.id && req.user.role !== 'admin') {
      throw new ForbiddenError();
    }
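
    To show what "at the service layer" means in practice, here is an added example (not the post's code) where the ownership check lives inside the service function rather than in the route handler. Every caller that reaches the data, whether an HTTP route, a background job or a GraphQL resolver, passes through the same check, so there is no second path that forgets it. The document store, users and error classes are constructed for the example.

```javascript
// Added example: authorisation enforced in the service function, not only at the route.
class ForbiddenError extends Error {
  constructor(message = 'forbidden') { super(message); this.name = 'ForbiddenError'; }
}

// Constructed data store standing in for a database table.
const documents = new Map([
  ['doc-1', { id: 'doc-1', ownerId: 'alice', body: 'alice private notes' }],
  ['doc-2', { id: 'doc-2', ownerId: 'bob', body: 'bob private notes' }],
]);

// The single rule: the owner or an admin. Keep it in one place so it is auditable.
function canAccess(actor, resource) {
  return resource.ownerId === actor.id || actor.role === 'admin';
}

// Service layer: takes the acting user explicitly; never reads auth state from a global.
function getDocument(actor, docId) {
  const doc = documents.get(docId);
  // Same error for "does not exist" and "not yours", so the endpoint does not
  // confirm which IDs exist to a caller who is guessing them.
  if (!doc || !canAccess(actor, doc)) throw new ForbiddenError();
  return doc;
}

// Route layer: authentication already happened (req.user is set by the JWT middleware);
// it only translates the service's decision into an HTTP status.
function handleGetDocument(req) {
  try {
    return { status: 200, body: getDocument(req.user, req.params.id) };
  } catch (e) {
    if (e instanceof ForbiddenError) return { status: 403, body: { error: 'forbidden' } };
    throw e;
  }
}
```

    The route knows nothing about ownership; if someone later adds a bulk-export endpoint or an admin CLI that calls getDocument, the check comes along for free.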
    

    Preventing Injection Attacks

    SQL Injection — Parameterised Queries

    // VULNERABLE — never do this
    const query = `SELECT * FROM users WHERE email = '${email}'`;
    
    // SAFE — always use parameterised queries
    const user = await db.query('SELECT * FROM users WHERE email = $1', [email]);
    

    Modern ORMs (Prisma, TypeORM, SQLAlchemy) use parameterised queries by default. Raw query interfaces still require explicit parameterisation.

    Input Validation

    Validate all input at the boundary of your application. Use schema validation libraries:

    • Node.js: Zod, Joi, Yup
    • Python: Pydantic, Marshmallow

    Never trust: query parameters, request bodies, headers, cookies, path parameters, or file uploads.

    Rate Limiting

    Protect all public endpoints from abuse and brute force:

    // Express with express-rate-limit (npm install express-rate-limit)
    const rateLimit = require('express-rate-limit');
    
    // Behind a load balancer, call app.set('trust proxy', 1) first so req.ip is the
    // client address rather than the proxy, or every user shares one bucket.
    const limiter = rateLimit({
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 100, // 100 requests per window, keyed by client IP by default
      standardHeaders: true, // send RateLimit-* headers so well-behaved clients back off
    });
    app.use('/api/', limiter);
    
    // Stricter limits for auth endpoints (login, password reset) to blunt brute force
    const authLimiter = rateLimit({ windowMs: 60 * 60 * 1000, max: 10 });
    app.use('/api/auth/', authLimiter);
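
    To make clear what windowMs and max actually do, here is an added example (not the post's code and not the express-rate-limit package itself) of the fixed-window counter behind those options, with an injectable clock so the window reset can be exercised, plus an Express-style middleware that returns 429 with a Retry-After header once the budget is spent. The in-memory Map is for the example; a multi-instance deployment keeps the counters in Redis.

```javascript
// Added example: fixed-window rate limiter with an injectable clock.
function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const buckets = new Map(); // key -> { count, windowStart }; per-process only
  return function check(key) {
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t - bucket.windowStart >= windowMs) {
      bucket = { count: 0, windowStart: t }; // new window for this key
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    const resetMs = bucket.windowStart + windowMs - t;
    return {
      allowed: bucket.count <= max,
      remaining: Math.max(0, max - bucket.count),
      retryAfterSeconds: Math.ceil(resetMs / 1000),
    };
  };
}

// Express-style middleware (hypothetical wiring): keyed by client IP by default,
// the same choice express-rate-limit makes.
function rateLimitMiddleware(limiter, keyFn = (req) => req.ip) {
  return (req, res, next) => {
    const result = limiter(keyFn(req));
    res.setHeader('RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(result.retryAfterSeconds));
      res.statusCode = 429;
      return res.end('Too Many Requests');
    }
    next();
  };
}
```

    Two things worth noticing: the limiter is keyed, so one abusive client does not consume another's budget, and the response tells the client when to retry, which keeps legitimate SDKs from hammering a 429 in a tight loop.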
    

    Secret Management

    Never commit secrets to version control. Not once, ever.

    For local development: use .env files (add .env to .gitignore immediately).
    
    For production: use a secrets manager:

    • AWS Secrets Manager / Parameter Store
    • HashiCorp Vault
    • GCP Secret Manager
    • Azure Key Vault

    Rotate secrets regularly. Revoke immediately if exposed.

    Dependency Security

    Run weekly automated dependency audits:

    npm audit --audit-level=high
    # or
    npx snyk test
    

    Enable Dependabot or Renovate to auto-create PRs for security patches. A dependency with a known CVE is a ticking clock.

    Security Headers

    Set security headers on all HTTP responses:

    Strict-Transport-Security: max-age=31536000; includeSubDomains
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    Content-Security-Policy: default-src 'self'
    Referrer-Policy: strict-origin-when-cross-origin
    

    Use helmet middleware in Express to set these in one line.

    Logging and Monitoring

    Log all authentication events (login, logout, failed attempts, password reset) and all access to sensitive resources. Do not log sensitive data (passwords, tokens, card numbers). Use structured logging and ship logs to a centralised SIEM (Datadog, Splunk, AWS CloudWatch).


    About the Author

    Praveen Jha

    Director – AI Product Strategy, Development, Sales & Business Development, Ortem Technologies

    Praveen Jha is the Director of AI Product Strategy, Development, Sales & Business Development at Ortem Technologies. With deep expertise in technology consulting and enterprise sales, he helps businesses identify the right digital transformation strategies - from mobile and AI solutions to cloud-native platforms. He writes about technology adoption, business growth, and building software partnerships that deliver real ROI.
