Security
OWASP Top 10
The security community's consensus list of the most critical web application risks — broken access control, injection, cryptographic failures, SSRF and more — refreshed periodically from real breach data. It is the baseline every web engineer should design against. Treat it as a floor for awareness, not a complete security programme.
Purpose
The OWASP Top 10 is the security community's consensus list of the most critical web-application risks, compiled from real-world breach and vulnerability data and refreshed every few years. It exists to focus finite attention on the failures that actually hurt applications — led, in the current edition, by broken access control.
When to Use It
Use it as a design and review checklist: every new endpoint gets asked 'who may call this?' (access control), every query is parameterised (injection), every secret handled properly (cryptographic failures). It also anchors security training and penetration-test scopes.
Trade-offs
It is a floor, not a ceiling: passing a Top-10 review does not make an application secure, and treating it as a compliance checkbox misses its point. Categories are broad — 'insecure design' spans nearly everything — so it guides attention rather than prescribing fixes.
Implementation
Bake the recurring defences into the platform once: central authorization middleware, parameterised queries everywhere, a strict Content-Security-Policy, dependency scanning in CI, secrets in a vault. Then review each release against the list — the goal is that the secure way is the default way.