From the course: Programming Foundations: Web Security
Expect the unexpected
- Our next core security principle is to always expect the unexpected. Security is not like chess, where you can watch someone's move and then respond to it. Security has to be proactive, not reactive. You must assume that you will be hacked. Your job is to figure out how it will happen ahead of time. You have to prevent the crime before it happens. It's sometimes referred to as a mystery in reverse. This task may seem daunting until you gain some experience doing it. You have to consider each part of your website and ask, what are all the things that a user could try? Often, vulnerabilities are found in what we call edge cases. Most users will use a website exactly as we expect. It's easy for us to plan for those cases when we build the site. The well-worn path should not have any bugs or unexpected quirks. A few users will take unexpected actions. Our code needs to anticipate and handle these extraordinary cases…
Contents
- Least privilege (3m 33s)
- Simple is more secure (2m 40s)
- Never trust users (3m 7s)
- Expect the unexpected (2m 10s)
- Defense in depth (3m 23s)
- Resilience (4m 31s)
- Security through obscurity (3m 56s)
- Deny-listing and allow-listing (3m 3s)
- Map exposure points and data passageways (3m 34s)