Security: Practical Notes
Order Matters More Than Tools
htmlspecialchars()
echo htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
If user input is rendered into HTML, run this first.
That alone removes most XSS risk.
At output.
Not during storage.
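A worked example of the point above, added here and not part of the original post: the same comment template rendered raw and rendered through htmlspecialchars() at output, followed by what goes wrong when the escaping is done at storage time instead. The variable and function names ($comments, h(), render_comment()) and the sample inputs are constructed for this example; ENT_SUBSTITUTE is added to the flags from the post so that invalid UTF-8 is replaced rather than turning the whole output into an empty string.

```php
<?php
// Added example, not from the original post. Shows escaping at output
// time and why escaping at storage time is the wrong place.
declare(strict_types=1);

// Constructed sample of user input as it would arrive from a form.
// Stored exactly as received: no escaping at storage time.
$comments = [
    'Nice post <b>thanks</b>',
    '<script>alert(1)</script>',
    "Tom & Jerry's \"quoted\" text",
];

// Escape exactly once, at the point where a value is rendered into HTML.
// ENT_QUOTES escapes both ' and " so the value is also safe inside a
// double- or single-quoted attribute. ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string (assumed flag,
// added to the ENT_QUOTES from the post).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: raw user input concatenated into HTML, in both
// an attribute context and a text context.
function render_comment_raw(string $comment): string
{
    return '<li class="comment" data-raw="' . $comment . '">' . $comment . '</li>';
}

// Hardened rendering: the same template, with h() applied at output.
function render_comment(string $comment): string
{
    return '<li class="comment" data-raw="' . h($comment) . '">' . h($comment) . '</li>';
}

echo "--- vulnerable output ---\n";
foreach ($comments as $c) {
    echo render_comment_raw($c), "\n";
}

echo "--- escaped at output ---\n";
foreach ($comments as $c) {
    echo render_comment($c), "\n";
}

// Why not escape at storage time? The stored value is then no longer the
// user's text. Passing it through the same output layer escapes it a
// second time: "&lt;b&gt;" becomes "&amp;lt;b&amp;gt;" and the page shows
// literal entities instead of the user's text.
echo "--- escaped at storage, then again at output (double escaping) ---\n";
$storedEscaped = array_map('h', $comments);
foreach ($storedEscaped as $c) {
    echo render_comment($c), "\n";
}

// The stored-escaped value is also wrong for any non-HTML sink, such as
// a plain-text e-mail or a JSON API, which need the original text.
echo "--- stored-escaped value sent to a plain-text sink ---\n";
echo $storedEscaped[2], "\n";
```

Run with `php example.php`. The script only covers the HTML text and attribute contexts that htmlspecialchars() is designed for; a value placed inside a script block, a URL or a CSS property needs the escaping for that context instead.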
Before Any WAF
Years ago, I focused on selling WAFs.
I was not wrong.
But I was out of order.
If an application outputs raw user input,
a WAF compensates for something that should have been fixed in one line.
Today, I start here.
Then we talk about WAF.
What I Would Do Differently Now
I once worked with an internal SE team at a client company.
They were capable.
They were practical.
If I had shown them this one line first,
we could have had an engineering discussion
instead of a product discussion.
Not the tools.
The order.
Start With One Line
Expensive security can wait.
The first line of defense is literally one line.
htmlspecialchars()
Everything else comes after.

Early UI prototype.
Security tools should be simple before they are powerful.
