Writing a Safe CGI Program

Problem

Because CGI programs allow external users to run programs on systems they would not otherwise have access to, all CGI programs represent a potential security risk. You want to minimize your exposure.

Solution

  • Use taint mode (the -T switch on the #! line).

  • Don’t blindly untaint data. (See below.)

  • Sanity-check everything, including all form widget return values, even hidden widgets or values generated by JavaScript code. Many people naïvely assume that just because they tell JavaScript to check the form’s values before the form is submitted, the form’s values will actually be checked. Not at all! The user can trivially circumvent this by disabling JavaScript in their browser, by downloading the form and altering the JavaScript, or simply by talking HTTP without a browser using any of the examples in Chapter 20.

  • Check return conditions from system calls.

  • Be conscious of race conditions (described below).

  • Run with -w and use strict to make sure Perl isn’t assuming things incorrectly.

  • Don’t run anything setuid unless you absolutely must. If you must, think about running setgid instead if you can. Certainly avoid setuid root at all costs. If you must run setuid or setgid, use a wrapper unless Perl is convinced your system has secure setuid scripts and you know what this means.

  • Always encode login passwords, credit card numbers, social security numbers, and anything else you’d not care to read pasted across the front page of your local newspaper. Use a secure ...
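The following script is an added example, not code from the Perl Cookbook, showing several of the rules above in one place: taint mode, untainting only by matching an explicit allow-list pattern, checking every system call, and avoiding a check-then-create race with O_EXCL. It assumes the CGI module is installed and uses an invented form field (username) and directory (/var/tmp/reports).

```perl
#!/usr/bin/perl -T
# Added illustration of the recipe's rules; field and path names are assumed.
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Taint mode refuses to run external commands with an inherited PATH,
# so set a known-safe one and drop other shell-influencing variables.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;
print $q->header('text/plain');

# Sanity-check the field even though client-side JavaScript "already did".
# Untaint only by capturing a match against an allow-list pattern; \z (not $)
# keeps a trailing newline from slipping through. Anything else is rejected.
my $raw = $q->param('username') // '';
my ($user) = $raw =~ /^([A-Za-z0-9_]{1,16})\z/
    or die "Bad username\n";

# Check return conditions from system calls instead of assuming success.
my $dir = '/var/tmp/reports';    # assumed location
unless (-d $dir) {
    mkdir $dir, 0700 or die "mkdir $dir: $!\n";
}

# Avoid the race between "does it exist?" and "create it": O_EXCL makes
# creation atomic, so a file planted between the two steps cannot be
# clobbered or followed as a symlink.
my $file = "$dir/$user.txt";
sysopen(my $fh, $file, O_WRONLY | O_CREAT | O_EXCL, 0600)
    or die "Cannot create $file: $!\n";
print $fh "report for $user\n" or die "write $file: $!\n";
close($fh)                      or die "close $file: $!\n";

# Never hand data to a shell: the list form of system() bypasses it, and
# the return value is still checked.
system('/bin/ls', '-l', $file) == 0
    or die "ls failed with exit status ", $? >> 8, "\n";
print "ok\n";
```

Under -T, passing $raw (still tainted) to sysopen or system would abort the script with an "Insecure dependency" error; only the captured $user is cleared for use.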
