There are things you write on sticky notes… and things you tattoo into your workflow. This is the latter.
If you’re building, deploying, or even just updating websites, there are non-negotiable security laws — and we’ve branded them permanently into our skin (and servers).
Here are the **10 rules you ink once and enforce forever** — no excuses, no exceptions.
No raw data shall pass. Every user input is guilty until proven clean. SQL injection? XSS? Not today.
Plaintext passwords = war crimes. Use `bcrypt`, `argon2`, or GTFO. Always with salt. Always with iteration.
Whatever the user sends can be manipulated. Validate on the server. Always. No exceptions. Not even once.
No matter how secure you think you are, if you don’t back up — you’re not secure. Backup daily. Offsite. Tested.
If your browser shows “Not Secure,” your user sees “Not Credible.” Use SSL. Period. Get it from Let’s Encrypt or Cloudflare. And redirect all `http://` traffic instantly.
From logins to file edits — track it all. Store logs offsite. Set up alerts. Know your battlefield at all times.
WordPress XML-RPC? REST API you don’t use? Debug mode on in production? Kill it all. If it doesn’t serve, it’s a liability.
If you give editor rights to your intern, that’s not trust — that’s sabotage. Least privilege. Always.
Outdated CMS? Vulnerable plugin? You’re not just open — you’re inviting them in. Update as if your paycheck depends on it (because it does).
Security tools aren’t crutches — they’re augmentation. Use WAFs, scan bots, cron jobs, log processors. Work smarter, not just harder.
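The input-handling and server-side validation rules above, shown as a before/after sketch. This is an added example, not code from The Web Runners; the `users` table, the username pattern and all function names are assumptions made for illustration.

```python
import html
import re
import sqlite3

# Assumed allow-list policy for usernames (hypothetical, not from the article).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

def make_db():
    """Constructed in-memory table standing in for a real user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, bio TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "likes <b>bold</b> claims"), ("bob", "ops")])
    return db

def lookup_unsafe(db, name):
    # Before: input is pasted into the SQL text, so it can rewrite the query.
    return db.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()

def lookup_safe(db, name):
    # After: validate on the server, then bind the value as a parameter.
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return db.execute("SELECT name, bio FROM users WHERE name = ?",
                      (name,)).fetchall()

def render_profile(db, name):
    # Encode on output so stored markup is displayed as text, not interpreted.
    rows = lookup_safe(db, name)
    if not rows:
        return "<p>not found</p>"
    user, bio = rows[0]
    return f"<h1>{html.escape(user)}</h1><p>{html.escape(bio)}</p>"

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"           # constructed textbook test string
    print(lookup_unsafe(db, crafted))  # the WHERE clause no longer filters
    try:
        lookup_safe(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_profile(db, "alice"))
```

Validation and parameter binding are separate layers: the bound parameter keeps the query intact even if the allow-list is later loosened, and the output encoding covers data that was stored before either check existed.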
Security isn’t a setting. It’s a mindset. It’s not about paranoia — it’s about precision.
So go ahead. Tattoo these into your process. Engrave them in your pipeline. Preach them in your standups.
And when the bots come knocking — your site won’t blink.
— The Web Runners