Security is not a simple topic, but there is value in simple expressions of best practices. Like a mission statement, best practices can keep you on track while you focus on the details.
When it comes to web app security, there are two best practices I recommend above all others:
- Filter input
- Escape output
A majority of all vulnerabilities can be traced back to a failure to filter input or escape output. Consider this the least you can do when it comes to protecting your users.