The non-negotiable controls for any app facing the internet.
evan-sre/web-app-security-baseline · v1
The single most effective XSS mitigation.
Never build SQL by string concatenation.