Security Best Practices

Building secure web applications requires attention to common vulnerability patterns.

Input Validation

Never trust user input. Always validate and sanitize.

// Whitelist validation for expected values
function IsValidSection(s: String): Boolean;
begin
  Result := s in ['lang', 'ref', 'examples'];
end;

var section := WebRequest.QueryField['section'];
if not IsValidSection(section) then begin
  WebResponse.StatusCode := 400;
  exit;
end;

Output Encoding (XSS Prevention)

Always encode user data before rendering to HTML.

var userInput := WebRequest.QueryField['name'];
PrintLn('<p>Hello, ' + userInput.ToHtml + '</p>');
Result (when the name field is empty):
<p>Hello, </p>
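The same encoding step written out in Python, as an added illustration (not code from the DWScript documentation; html.escape plays the role of ToHtml here, and the input values are constructed for the demonstration). It contrasts raw interpolation with encoded output in both a text node and an attribute value, which is why quote=True is passed:

```python
import html

# Constructed inputs: a plain name and one that carries markup.
BENIGN_NAME = "Ada"
MARKUP_NAME = '<b onmouseover="x()">Ada</b>'


def greeting_unsafe(name: str) -> str:
    """Raw interpolation: whatever the client sent is parsed as HTML."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name: str) -> str:
    """Encoded output: &, <, >, " and ' become entities, so the value renders as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def input_value_safe(value: str) -> str:
    """Attribute context: a stray quote would end the attribute, so quotes are encoded too."""
    return '<input name="name" value="' + html.escape(value, quote=True) + '">'


if __name__ == "__main__":
    print(greeting_unsafe(MARKUP_NAME))
    print(greeting_safe(MARKUP_NAME))
    print(input_value_safe(MARKUP_NAME))
```

With an empty name greeting_safe returns exactly the output shown above; with MARKUP_NAME the unsafe version hands the tag to the browser, while the safe version emits &lt;b ...&gt; and the page displays it literally.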

SQL Injection Prevention

Always use parameterized queries.

// CORRECT - Parameterized
var userId := WebRequest.QueryField['id'];
var db := DataBase.Create('SQLite', ['data.db']);
var results := db.Query(#'
   SELECT * FROM users WHERE id = ?
', [userId]);

// WRONG - String concatenation (DO NOT USE)
// var results := db.Query('SELECT * FROM users WHERE id = ' + userId);
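To make the difference between the two queries concrete, here is an added Python example (not from the DWScript documentation) that runs both forms against a constructed in-memory SQLite table standing in for data.db. The parameterized lookup binds the request value as data; the concatenated one lets a malformed id change the meaning of the statement:

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the real page would open data.db."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return con


def lookup_concatenated(con: sqlite3.Connection, user_id: str) -> List[Tuple]:
    # WRONG: the request value is spliced into the SQL text and parsed as SQL.
    return con.execute("SELECT * FROM users WHERE id = " + user_id).fetchall()


def lookup_parameterized(con: sqlite3.Connection, user_id: str) -> List[Tuple]:
    # CORRECT: the value is bound to the placeholder and never parsed as SQL.
    return con.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A well-formed id behaves the same either way.
    print(lookup_parameterized(db, "2"))
    # A malformed id (constructed) only does damage in the concatenated form.
    print(lookup_concatenated(db, "1 OR 1=1"))   # every row
    print(lookup_parameterized(db, "1 OR 1=1"))  # no row has that id
```

SQLite applies numeric affinity to the bound value, so the string "2" still matches the integer column, while a value that is not a number simply matches nothing.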

Secure Redirects

Always whitelist redirect destinations to prevent Open Redirect vulnerabilities.

const AllowedTargets = ['/home', '/dashboard', '/logout'];

var target := WebRequest.QueryField['next'];
if target in AllowedTargets then
  WebResponse.SetStatusRedirect(302, target);
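The section whitelist above and the redirect whitelist here are the same technique, so one added Python example (not the page's own code) serves both. It models a request handler that rejects an unknown section with 400 and only ever redirects to an exact entry of the list, falling back to a default; the lookalike targets in the usage are constructed values showing that exact matching, unlike prefix matching, needs no extra normalization:

```python
from typing import Dict, Optional, Tuple

# Mirrors the whitelists used in the DWScript snippets.
ALLOWED_SECTIONS = frozenset({"lang", "ref", "examples"})
ALLOWED_TARGETS = frozenset({"/home", "/dashboard", "/logout"})
DEFAULT_TARGET = "/home"  # assumed fallback when 'next' is missing or not listed


def is_valid_section(section: Optional[str]) -> bool:
    """Exact membership test; None (missing field) is simply not a member."""
    return section in ALLOWED_SECTIONS


def redirect_target(next_value: Optional[str]) -> str:
    """Exact match only: no prefix tests, so '/dashboard/..', '//host/home'
    and '/Home' are all rejected without any path or scheme handling."""
    if next_value in ALLOWED_TARGETS:
        return next_value
    return DEFAULT_TARGET


def handle_request(query: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) for a request carrying 'section' and optional 'next'."""
    if not is_valid_section(query.get("section")):
        return 400, {}
    return 302, {"Location": redirect_target(query.get("next"))}


if __name__ == "__main__":
    for q in (
        {"section": "ref", "next": "/dashboard"},
        {"section": "ref", "next": "//example.org/dashboard"},  # constructed lookalike
        {"section": "ref", "next": "/dashboard/../account"},    # constructed lookalike
        {"section": "admin"},
    ):
        print(q, "->", handle_request(q))
```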

Session Security

Use cryptographic tokens and secure cookie flags.

uses System.Net, System.Crypto;

var token := CryptographicToken(32);
// Flags: 2 = HttpOnly
WebResponse.SetCookie('session', token, Now + 1, '/', '', 2, WebCookieSameSite.Strict);
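An added Python counterpart (not from the DWScript documentation) showing the two halves of this advice: a token from a cryptographic source and a Set-Cookie header carrying HttpOnly, Secure and SameSite=Strict. Max-Age stands in for the one-day expiry above. The session store is an assumption added for illustration; it keeps only a SHA-256 digest of each token, so a copied session table does not yield usable tokens:

```python
import hashlib
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional


def new_session_token(nbytes: int = 32) -> str:
    """32 bytes from the OS CSPRNG, URL-safe base64 encoded (43 characters)."""
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(token: str, max_age: int = 86400) -> str:
    """Value of the Set-Cookie header for the session cookie."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = max_age      # one day, like Now + 1 above
    cookie["session"]["httponly"] = True        # not readable from script
    cookie["session"]["secure"] = True          # only sent over HTTPS
    cookie["session"]["samesite"] = "Strict"    # not sent on cross-site requests
    return cookie["session"].OutputString()


class SessionStore:
    """Assumed server-side store mapping token digests to user names."""

    def __init__(self) -> None:
        self._by_digest: Dict[str, str] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str) -> str:
        token = new_session_token()
        self._by_digest[self._digest(token)] = user
        return token

    def lookup(self, presented: Optional[str]) -> Optional[str]:
        if not presented:
            return None
        return self._by_digest.get(self._digest(presented))


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print("Set-Cookie:", session_cookie_header(token))
    print(store.lookup(token), store.lookup("not-a-session"))
```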