== A basic principle of website security

In theory I shouldn't have to say this, but in practice I probably do.
One of the most basic principle of designing secure websites is simply
this:

> ~~Never trust anything you get from the network~~.

Everything you get from the network is under the control of a
sufficiently determined attacker, no matter how it is 'supposed' to
be generated. Every request, every form _POST_, every cookie, and
every AJAX callback. No amount of obfuscation can do more than slow an
attacker down.

(In fact, obfuscation and attempts to hide things are a useful
signpost to would-be attackers of where to look closely, a lesson I
believe I learned from Harry Harrison's Stainless Steel Rat.)

As a bonus to not trusting network input, you'll gain resilience against
the various badly coded crawlers and web browsers that send you [[crazy
StupidSpiderMistakes]] [[things StupidSpiderMistakesII]] from time to
time.

(This grump was sparked by reading [[this
http://www.informit.com/guides/content.asp?g=security&seqNum=232&rl=1]]
(from Slashdot), which beats around the fundamental bush a bit too much
for my taste. I suppose this is what I get for following a Slashdot
link.)