In March 2022, the Lapsus$ group breached Okta by compromising a third-party support engineer's laptop — and suddenly, thousands of organizations realized their web security posture was only as strong as their weakest vendor's. That single incident forced a reckoning across the industry. If your organization runs anything on the web — and in 2022, that means every organization — these web security best practices aren't optional. They're the difference between operating normally and explaining to your customers why their data is on a dark web marketplace.

I've spent years watching companies get breached not because of exotic zero-day exploits, but because they ignored fundamentals. Misconfigured headers, missing authentication layers, unpatched frameworks, employees clicking credential-theft links. This post covers the web security best practices I've seen actually prevent incidents — not the theoretical checklist you'll forget by tomorrow.

Why Most Web Security Failures Are Embarrassingly Preventable

The 2022 Verizon Data Breach Investigations Report found that 82% of breaches involved a human element — including social engineering, credential theft, and errors. That's not a technology gap. That's an execution gap.

Here's what I see repeatedly in post-incident reviews: the technology to prevent the breach existed. It was either misconfigured, not deployed, or bypassed by an employee who didn't recognize a phishing email. Web security best practices work only when they're implemented consistently and reinforced with cybersecurity awareness training for your entire team.

The Verizon DBIR is worth reading in full: 2022 Verizon Data Breach Investigations Report.

The $4.88M Lesson: What a Data Breach Actually Costs

IBM's 2022 Cost of a Data Breach Report pegged the global average cost at $4.35 million — the highest in the report's history. For U.S. organizations, that number climbed to $9.44 million. These aren't abstract figures. They include forensic investigation, legal fees, regulatory fines, customer notification, and the long tail of lost business.

The cheapest breach is the one that never happens. Every practice below exists to keep you out of that report.

What Are Web Security Best Practices?

Web security best practices are the specific, repeatable technical and operational measures that protect web applications, APIs, and the data they process from unauthorized access, manipulation, and theft. They span server configuration, application code, authentication mechanisms, employee training, and incident response. Done right, they create overlapping layers of defense that no single vulnerability can defeat.

Lock Down Your HTTP Security Headers

This is the lowest-hanging fruit I find misconfigured on almost every assessment. Security headers tell browsers how to behave when interacting with your site, and most sites either omit them or configure them wrong.

The Headers That Actually Matter

  • Content-Security-Policy (CSP): Restricts which scripts, styles, and resources can load. A strong CSP is one of the most effective defenses against cross-site scripting (XSS). Start with Content-Security-Policy: default-src 'self' and whitelist from there.
  • Strict-Transport-Security (HSTS): Forces HTTPS connections and prevents protocol downgrade attacks. Set max-age to at least one year (31536000 seconds) and include includeSubDomains.
  • X-Content-Type-Options: Set to nosniff. Prevents browsers from MIME-sniffing responses away from the declared Content-Type.
  • X-Frame-Options: Set to DENY or SAMEORIGIN to block clickjacking attacks.
  • Referrer-Policy: Use strict-origin-when-cross-origin at minimum. Controls how much referrer information leaks to external sites.
  • Permissions-Policy: Restricts browser features like camera, microphone, and geolocation access.
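As an added example (not code from the original post), the following Python checker applies the recommendations above to a captured set of response headers; the SAMPLE_HEADERS dict and the finding strings are constructed here, and the list of acceptable Referrer-Policy values is my assumption of which values are at least as strict as strict-origin-when-cross-origin.

```python
# Added example: check response headers against the guidance above.
# SAMPLE_HEADERS is constructed, not taken from a real site.
import re

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age recommended above

# Assumed set of values at least as strict as strict-origin-when-cross-origin.
STRICT_REFERRER = {"strict-origin-when-cross-origin", "strict-origin",
                   "same-origin", "no-referrer"}

def check_security_headers(headers):
    """Return a list of findings for a dict of response headers.
    Names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: start with default-src 'self'")
    elif "default-src" not in csp or "'unsafe-inline'" in csp:
        findings.append("CSP weak: set default-src and avoid 'unsafe-inline'")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy should be strict-origin-when-cross-origin or stricter")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings

# Constructed sample: a partially hardened response.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=86400",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}
```

Running check_security_headers(SAMPLE_HEADERS) reports six gaps (missing CSP and Permissions-Policy, short HSTS max-age without includeSubDomains, and weak X-Frame-Options and Referrer-Policy); the same function is what you would wire into the CI check described later in the post.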

CISA's guidance on web security hardening is a solid reference: CISA Cybersecurity Best Practices.

Authentication: Multi-Factor or Multi-Failure

The Lapsus$ attacks throughout early 2022 hammered home a lesson the security community has been repeating for years: passwords alone are dead. Every single one of their high-profile compromises — Microsoft, Nvidia, Samsung, Okta — exploited weak or stolen credentials.

Implement Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) should cover every login surface: admin panels, CMS platforms, cloud dashboards, VPN access, email, and developer tools. Every one. Not just the ones you consider "critical."

But not all MFA is equal. SMS-based codes are vulnerable to SIM-swapping. Push notification fatigue attacks — where a threat actor spams MFA prompts until the exhausted user approves one — were a confirmed Lapsus$ technique. Use phishing-resistant MFA: hardware security keys (FIDO2/WebAuthn) or authenticator apps with number matching.

Kill Default Credentials and Enforce Password Policies

I still find default admin credentials on staging environments, IoT devices, and network appliances during assessments. It takes a threat actor seconds to check these. NIST Special Publication 800-63B recommends checking passwords against known breached password lists and enforcing a minimum length of 8 characters — but I recommend 12 or more. Drop the complexity rules that lead to "P@ssw0rd123!" and focus on length and breach-list screening.

Read the full NIST guidance here: NIST SP 800-63B Digital Identity Guidelines.

Input Validation: Trust Nothing From the Browser

Every field, parameter, header, and cookie value your application receives is an attack surface. SQL injection, cross-site scripting, command injection, path traversal — they all exploit insufficient input validation.

Server-Side Validation Is Non-Negotiable

Client-side validation is a user experience feature, not a security control. Any attacker with a proxy tool bypasses it in seconds. Validate, sanitize, and parameterize all input on the server side.

  • Use parameterized queries (prepared statements) for all database interactions. This eliminates SQL injection — the vulnerability class that has been in the OWASP Top 10 for over a decade.
  • Encode output based on context: HTML encoding for HTML contexts, JavaScript encoding for script contexts, URL encoding for URL parameters.
  • Whitelist acceptable values where possible. If a field should contain a U.S. state code, validate against the 50 valid values — don't just check for malicious patterns.
  • Limit input length aggressively. A name field doesn't need to accept 10,000 characters.
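The four rules above in working form, as an added example that is not part of the original post: the same lookup written with string concatenation and with a bound parameter, a whitelist check for a state field, and a length limit followed by HTML-context encoding. The table, rows and the max_len value are constructed for illustration; SQLite is used only because it runs in memory with no setup.

```python
# Added example: the vulnerable lookup beside its parameterized fix, plus
# whitelist and length validation. All data below is constructed.
import html
import sqlite3

# The 50 U.S. state codes used as the whitelist for a state field.
US_STATES = set("AL AK AZ AR CA CO CT DE FL GA HI ID IL IN IA KS KY LA ME MD "
                "MA MI MN MS MO MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC "
                "SD TN TX UT VT VA WA WV WI WY".split())

def make_db():
    """Constructed sample table; in production this is your real database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, state TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "CA", 0), ("bob", "TX", 0), ("root", "NY", 1)])
    return db

def find_user_vulnerable(db, username):
    """Vulnerable: the browser-supplied value becomes part of the SQL text,
    so a quote character in the input changes the query's logic."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def find_user_safe(db, username):
    """Fixed: the value is bound as a parameter and can only ever be data."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]

def validate_state(value):
    """Whitelist validation: only one of the 50 known codes is accepted."""
    code = value.strip().upper()
    if code not in US_STATES:
        raise ValueError("invalid state code")
    return code

def validate_name(value, max_len=100):
    """Length limit on input (max_len is an assumed bound), then
    HTML-context output encoding so the value is safe to render."""
    if not value or len(value) > max_len:
        raise ValueError("name length out of range")
    return html.escape(value, quote=True)
```

With the classic input `' OR '1'='1`, find_user_vulnerable returns every row while find_user_safe returns none, which is the whole difference between the two functions.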

Adopt a Zero Trust Approach to Web Architecture

Zero trust isn't a product you buy. It's an architecture philosophy: never trust, always verify. Every request, every session, every user — regardless of network location — must prove authorization.

What Zero Trust Looks Like in Practice

  • Micro-segmentation: Your web application server shouldn't have unrestricted access to your database server, which shouldn't have unrestricted access to your backup server. Segment aggressively.
  • Least privilege: Application service accounts get only the permissions they need. Not admin. Not root. Not "we'll tighten it later."
  • Continuous verification: Session tokens should expire, re-authentication should be required for sensitive actions, and anomalous behavior should trigger step-up authentication.
  • Encrypted internal traffic: TLS isn't just for external traffic. Encrypt east-west traffic between internal services. Assume your internal network is already compromised — because statistically, it might be.

Patch Management: The 48-Hour Rule

When a critical vulnerability drops — like the Log4Shell (CVE-2021-44228) chaos in December 2021 — the clock starts ticking immediately. Threat actors were scanning for vulnerable Log4j instances within hours of the public disclosure.

My rule: critical vulnerabilities get patched within 48 hours or get a compensating control deployed in the same window. No exceptions. If your patching process can't move that fast, your patching process is broken.

Know What You're Running

You can't patch what you don't know exists. Maintain a software bill of materials (SBOM) for every web application. Track every framework, library, and dependency. Tools like OWASP Dependency-Check can automate this, but someone on your team needs to own the output.

Your Employees Are Either Your Strongest Layer or Your Weakest

Every technical control in this article can be bypassed by one employee who clicks a well-crafted phishing email. Social engineering remains the top initial access vector for a reason — it works.

Phishing Simulation Changes Behavior

Reading a policy document doesn't change behavior. Experiencing a realistic phishing simulation does. When an employee clicks a simulated phishing link and immediately sees a training intervention, that moment sticks. Organizations running regular phishing awareness training programs see measurable reductions in click rates over time.

I've seen organizations cut their phishing susceptibility rate by more than half within six months of consistent simulation programs. The key word is consistent — quarterly at minimum.

Security Awareness Beyond Phishing

Phishing simulation is critical, but security awareness training needs to cover more ground: recognizing social engineering over the phone, safe browsing habits, reporting suspicious activity without fear of punishment, and understanding why policies exist. When employees understand the "why," compliance follows naturally.

Ransomware-Proof Your Web Infrastructure

Ransomware gangs increasingly target web-facing infrastructure as their initial foothold. Exposed admin panels, unpatched CMS installations, vulnerable VPN appliances — these are the doors ransomware walks through.

Specific Steps to Harden Against Ransomware

  • Disable Remote Desktop Protocol (RDP) on any internet-facing system. If you must use it, tunnel it through a VPN with MFA.
  • Back up offline. If your backups are accessible from the same network as your production systems, ransomware encrypts them too. Maintain air-gapped or immutable backups.
  • Test your restore process. A backup you've never tested is a hope, not a plan.
  • Monitor for lateral movement. The time between initial access and ransomware deployment is often days or weeks. Detect the attacker during that window and you prevent the detonation.

API Security: Your Fastest-Growing Attack Surface

If your web application has an API — and in 2022, it almost certainly does — that API needs its own security treatment. APIs often expose more functionality and data than the user interface, and they're frequently less protected.

  • Authenticate every API endpoint. No anonymous access to anything that returns data or modifies state.
  • Rate limit aggressively. Brute force against an API without rate limiting is trivially automated.
  • Validate and sanitize API input with the same rigor as web form input. JSON and XML payloads are attack vectors too.
  • Don't expose internal object IDs without authorization checks. Insecure Direct Object Reference (IDOR) vulnerabilities in APIs are alarmingly common and trivially exploitable.
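An added example (not code from the original post) of the first, second and fourth points together: an API handler that authenticates, rate limits per account, and enforces object ownership, next to the IDOR-style version that only authenticates. The invoice records, account names, status codes and the fixed-window limiter are all constructed assumptions for illustration.

```python
# Added example: object-level authorization and per-account rate limiting
# for an API read handler. Data and limits below are constructed.
import time

# Constructed sample data: invoices keyed by id, each owned by one account.
INVOICES = {101: {"owner": "acct-a", "total": 120.0},
            102: {"owner": "acct-b", "total": 75.5}}

class RateLimiter:
    """Fixed-window limiter: at most `limit` calls per `window` seconds
    per key. `clock` is injectable so the window can be tested."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._buckets = {}  # key -> [window_start, count]

    def allow(self, key):
        now = self.clock()
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # new window
        self._buckets[key] = [start, count + 1]
        return count + 1 <= self.limit

def get_invoice_vulnerable(session, invoice_id):
    """IDOR: authenticated, but never checks who owns the object, so any
    logged-in account can read any invoice id it guesses."""
    if session is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)

def get_invoice_safe(session, invoice_id, limiter):
    """Authenticate, rate limit per account, then enforce ownership."""
    if session is None:
        return 401, None
    if not limiter.allow(session["account"]):
        return 429, None
    inv = INVOICES.get(invoice_id)
    # Respond 404 rather than 403 so the existence of other accounts'
    # invoice ids is not confirmed to the caller.
    if inv is None or inv["owner"] != session["account"]:
        return 404, None
    return 200, inv
```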

Build a Web Security Checklist You Actually Use

The best practices in this post mean nothing if they live in a document nobody opens. Here's how to operationalize them:

  • Automate what you can. Security header checks, dependency scanning, SSL certificate monitoring — automate these into your CI/CD pipeline.
  • Schedule what you can't automate. Penetration tests, access reviews, phishing simulations, incident response tabletop exercises — put them on the calendar with owners assigned.
  • Measure and report. Track patching SLAs, MFA adoption rates, phishing simulation click rates, and mean time to remediate vulnerabilities. What gets measured gets managed.
  • Train continuously. One-and-done training doesn't work. Enroll your team in ongoing cybersecurity awareness training and refresh it regularly.

Where to Start If You're Behind

If reading this post made you realize your organization has gaps — good. Awareness is step one. Here's your priority order:

  1. Enable MFA on every account today. This single step blocks the majority of credential theft attacks.
  2. Audit your security headers this week. Use a scanner like Mozilla Observatory. Fix the critical gaps immediately.
  3. Run a phishing simulation this month. Baseline your organization's susceptibility so you know where you stand. Start a phishing awareness program and measure your progress.
  4. Inventory every web-facing asset this quarter. You can't protect what you don't know about.
  5. Adopt zero trust principles in your next architecture decision. You don't have to rearchitect everything at once — but every new system should follow zero trust from day one.

Web security best practices aren't a one-time project. They're an ongoing discipline that combines technical controls, human training, and operational rigor. The threat actors aren't taking days off. Neither should your defenses.