Web Security Basics Every Bangkok Business Should Know
9 May 2026 · by Yunmin Shin
Why Does Web Security Matter for Bangkok Businesses?
Cybercrime in Thailand is increasing. The Royal Thai Police's Technology Crime Suppression Division handles thousands of cases annually, and small and medium businesses are frequent targets because they often deploy websites without security review.
A security breach can mean stolen customer data (creating PDPA liability), defaced websites, stolen payment information, or ransomware. The cost of fixing a breach is always higher than preventing it. These are the basics every Bangkok business website should have in place.
Is HTTPS Enough?
HTTPS encrypts data in transit and is a baseline requirement — not a complete security solution. Every Bangkok business website must use HTTPS. Browsers now label HTTP sites as "Not Secure" and Google penalizes them in search rankings. Services like Vercel, Cloudflare, and modern hosting providers issue free SSL certificates automatically.
Beyond HTTPS, set these HTTP security headers on every response:
X-Content-Type-Options: nosniff — Prevents browsers from guessing (sniffing) content types.
X-Frame-Options: DENY — Prevents your site from being embedded in iframes (clickjacking protection).
Content-Security-Policy — Controls which scripts, styles, and resources can load on your page. This is the most powerful XSS defense available.
In Next.js, set these headers in next.config.ts under the headers() configuration.
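A next.config.ts that sets the headers above, as an added example (not code from the original post). The CSP is built by a function so the same value can be reused from middleware with a per-request nonce, and the list goes beyond the three headers named here by adding Referrer-Policy and Strict-Transport-Security. It assumes a single-origin site and leaves out the `NextConfig` type import from 'next' so the file also runs stand-alone.

```typescript
// next.config.ts: HTTP security headers for every route of a Next.js site.
// Added example, not code from the original post. The `NextConfig` type import
// from 'next' is left out so the file also runs outside a Next.js project.

// Build a Content-Security-Policy value. Next.js injects inline bootstrap
// scripts, so a plain `script-src 'self'` breaks hydration: pass a per-request
// nonce (generated in middleware.ts, as the Next.js CSP guide describes) to
// allow only scripts carrying that nonce. Without a nonce the function falls
// back to 'unsafe-inline', which lets the page work but means the CSP no
// longer blocks injected inline scripts; treat that as a temporary setting.
export function buildCsp(nonce?: string): string {
  const scriptSrc = nonce
    ? ["'self'", `'nonce-${nonce}'`, "'strict-dynamic'"]
    : ["'self'", "'unsafe-inline'"]; // weaker fallback, replace with a nonce
  const directives: Record<string, string[]> = {
    'default-src': ["'self'"],
    'script-src': scriptSrc,
    'style-src': ["'self'", "'unsafe-inline'"], // Next.js emits inline styles
    'img-src': ["'self'", 'data:', 'https:'],
    'font-src': ["'self'"],
    'connect-src': ["'self'"],
    'frame-ancestors': ["'none'"], // CSP equivalent of X-Frame-Options: DENY
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
    'form-action': ["'self'"],
  };
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

// The three headers from the post plus Referrer-Policy and HSTS (enable HSTS
// only once every subdomain is served over HTTPS, since browsers cache it).
export function securityHeaders(nonce?: string): { key: string; value: string }[] {
  return [
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'Content-Security-Policy', value: buildCsp(nonce) },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
    { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  ];
}

const nextConfig = {
  async headers() {
    // '/(.*)' matches every route, so the headers go on every response.
    // A static config has no per-request nonce, hence the fallback CSP here.
    return [{ source: '/(.*)', headers: securityHeaders() }];
  },
};

export default nextConfig;
```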
What Is SQL Injection and How Do You Prevent It?
SQL injection occurs when user-supplied data is inserted directly into a SQL query string. An attacker can craft input that modifies the query, exposing or deleting your database. This is one of the oldest and most prevalent web vulnerabilities.
Prevention is simple: always use parameterized queries or an ORM. Never concatenate user input into SQL strings. Drizzle ORM and Prisma both use parameterized queries by default, protecting you from this attack category automatically. Their raw-query escape hatches are the exception: a query string you assemble by hand there needs the same care as plain SQL.
What Is XSS and How Does React Handle It?
Cross-Site Scripting (XSS) attacks inject malicious JavaScript into your web pages, which then executes in other users' browsers. React escapes HTML content by default, so rendering {userText} in JSX is safe. The vulnerability appears when you use dangerouslySetInnerHTML. Only use this with sanitized content (use the DOMPurify library), never with raw user input.
How Should You Manage API Keys and Secrets?
Never commit API keys, database passwords, or secret tokens to version control. Use environment variables and a secrets management service. Set up a .gitignore that excludes .env* files. Use separate API keys for development and production, so a compromised development key does not affect your live system.
Rotate exposed secrets immediately. If a key was committed to a public repository, assume it is compromised within minutes — automated bots scan public repositories constantly.
What Is the Thailand PDPA and Why Does It Matter?
Thailand's Personal Data Protection Act (PDPA) requires businesses to obtain consent before collecting personal data, to disclose how it will be used, and to protect it appropriately. Violations carry fines up to 5 million baht. If your Bangkok website collects names, emails, phone numbers, or any other personal information, you need a privacy policy, a cookie consent mechanism, and appropriate data security measures.
Ready to Build Something Fast?
Get a free quote on LINE. We reply within 24 hours.