Edmonton's Guide to Secure Web Development in 2026
Active Document
A working 2026 security playbook for Edmonton businesses — OWASP Top 10, PIPEDA + Alberta PIPA compliance, AI-specific threats, CSP, supply-chain risk, breach response, and the security patterns that actually ship.
Loading document...
Web security in 2026 looks different from 2024. The attack surface expanded with AI integrations. PIPEDA breach-notification enforcement has teeth. Supply-chain attacks (SolarWinds, MOVEit, xz-utils, npm package hijacks) made "trust your dependencies" a risk you have to actively manage. And AI-specific threats — prompt injection, LLM-enabled social engineering, data exfiltration via agents — are real production concerns, not research curiosities.
This is a working 2026 security guide for Edmonton web developers and business owners. Specific frameworks, actual code patterns, and the compliance reality Canadian businesses operate under.
The Canadian frameworks that apply to Edmonton businesses handling user data:
Breach-notification is mandatory under PIPEDA since 2018 and enforcement has grown. Fines for willful non-compliance can reach CAD $100,000 per violation. For Alberta businesses, Alberta PIPA adds parallel provincial reporting obligations.
The OWASP Top 10 web application risks, 2021 edition (still current; 2025 edition expected), with 2026-relevant context:
Still the #1 risk. Users accessing data they should not (IDOR, missing function-level authorization, JWT mishandling).
Defenses:
Weak encryption, plaintext sensitive data, bad certificate handling.
Defenses:
SQL injection is a 2001 problem still present in 2026 legacy code.
Defenses:
Security considered after design. Architectural choices that make security hard.
Defenses:
Default admin passwords, verbose error messages, enabled debug modes in production.
Defenses:
The supply-chain risk. npm dependencies, WordPress plugins, CMS cores.
Defenses:
npm audit / pnpm audit in CI, blocking on high/criticalWeak passwords, no MFA, session fixation, bad recovery flows.
Defenses:
Unsigned updates, unvalidated deserialization, CI/CD pipeline compromise.
Defenses:
No alerting on attacks in progress. Breach detection takes 200+ days average.
Defenses:
Apps that fetch URLs on user input without validation.
Defenses:
The attack surface expanded since the last OWASP Top 10 rev. Additions that matter:
User input that manipulates an LLM's behavior to leak data, bypass guardrails, or execute unintended actions. Critical for any Edmonton site with an AI chat, voice agent, or AI search feature.
Defenses:
Voice deepfakes, AI-generated phishing emails, cloned executive voices calling employees. More convincing than anything 2024 produced.
Defenses:
Attackers uploading malicious packages to public registries with names similar to internal packages, or hijacking maintainer accounts.
Defenses:
An LLM agent with file system, database, or API access can be convinced to leak data. Edmonton businesses integrating Claude, GPT, or custom agents need to treat this as a first-class risk.
Defenses:
Baseline HTTP security headers:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'strict-dynamic' 'nonce-RANDOM'; ...
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-site
Test with Mozilla Observatory (observatory.mozilla.org) or securityheaders.com. Aim for an A+ rating; most Edmonton sites score D or F.
PIPEDA requires breach notification when there is "real risk of significant harm." The workflow:
Runbook should live in your incident-response document, tested at least annually. For any Edmonton business handling customer data, not having a tested incident response plan is a legal risk, not just a technical one.
Patterns we use as default for new Edmonton builds:
import { z } from 'zod';
const ContactRequestSchema = z.object({
name: z.string().min(1).max(100),
email: z.string().email(),
phone: z.string().regex(/^[0-9+\-() ]{7,20}$/).optional(),
message: z.string().min(1).max(2000),
});
export async function POST(req: Request) {
const parsed = ContactRequestSchema.safeParse(await req.json());
if (!parsed.success) {
return Response.json({ error: 'Invalid input' }, { status: 400 });
}
// proceed with validated data
}
// Safe — parameterized via Drizzle
const user = await db.select().from(users).where(eq(users.email, inputEmail));
// Unsafe — string concatenation
// await db.execute(`SELECT * FROM users WHERE email = '${inputEmail}'`);
// React escapes by default — this is safe
<p>{userContent}</p>
// Only use dangerouslySetInnerHTML with sanitized content
import DOMPurify from 'isomorphic-dompurify';
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />
import { Ratelimit } from '@upstash/ratelimit';
import { Redis } from '@upstash/redis';
const ratelimit = new Ratelimit({
redis: Redis.fromEnv(),
limiter: Ratelimit.slidingWindow(5, '1 m'),
});
export async function POST(req: Request) {
const ip = req.headers.get('x-forwarded-for') ?? 'anon';
const { success } = await ratelimit.limit(ip);
if (!success) return Response.json({ error: 'Rate limited' }, { status: 429 });
// proceed
}
Clerk, WorkOS, and Stack Auth all support passkeys natively in 2026. Enable by default on admin accounts; offer as option on consumer accounts.
What we see in audits:
Realistic 2026 security spend for a small business:
For most Edmonton SMBs, 1–3% of revenue spent on security is a reasonable baseline; regulated industries (health, legal, financial) typically spend more.
Yes. Small businesses are attractive targets precisely because security is often weaker. Automated attacks don't discriminate by size. Ransomware, credential theft, business email compromise, and fake-invoice scams hit Edmonton SMBs weekly.
If your Edmonton business collects personal information in the course of commercial activities, yes. PIPEDA applies federally and Alberta PIPA applies additionally to Alberta businesses. Exceptions exist for some small organizations but are narrow — assume compliance is required.
Multi-factor authentication (MFA) on every admin account, email account, and sensitive service. Nothing else is close in impact-per-effort.
Not strictly required by PIPEDA, but Canadian hosting simplifies some compliance positions (especially for health and legal data). Cloudflare, AWS ca-central-1, Azure Canada, and Google Cloud northamerica-northeast all offer Canadian regions. For most non-regulated SMBs, US edge hosting is fine with appropriate contracts.
Annually at minimum for active sites. After any major release or architectural change. Before applying for SOC 2, ISO 27001, or enterprise procurement with security questionnaires. For regulated industries, quarterly reviews are typical.
It can be, if actively maintained with strict plugin discipline, a WAF, and disciplined update cadence. In practice, many WordPress sites fail on maintenance, making the stack effectively insecure. Modern frameworks (Next.js, Remix, Astro) have a smaller attack surface for Edmonton SMBs starting fresh. See Migrating Off WordPress.
If you have an AI feature on your site (chat, voice agent, AI search, content generation), yes. Prompt injection is a user input that manipulates the LLM's behavior. Minimum defenses: separate system prompts from user content, filter output for sensitive data, limit agent tool use, test with adversarial inputs.
First-party, aggregated analytics (Plausible, Fathom, self-hosted Umami) avoid collecting personal data and do not require cookie consent in most Canadian jurisdictions. They are a real privacy improvement over GA4 for most Edmonton SMBs. GA4 can be configured in privacy-respecting ways, but it takes effort.
Four free steps: 1. Enable MFA on every admin login. 2. Add security headers (use securityheaders.com to check). 3. Turn on Cloudflare or a similar WAF in front of your site. 4. Run npm audit (or your stack's equivalent) and patch high/critical CVEs. These four items address 60–70% of typical risk for the typical Edmonton SMB site.
If you handle any customer data, yes. Canadian cyber insurance typically covers breach response, legal fees, regulatory fines (sometimes), business interruption, and ransomware payments (coverage varies). CAD $1,500–$15,000/year depending on coverage. Required by some enterprise clients as a contract condition.
Signs: unexpected admin users, outbound traffic spikes, changed files you didn't change, slow site or unusual resource consumption, reports of spam from your domain, Google blacklisting your URL. Run a malware scanner (Sucuri SiteCheck, VirusTotal) and check access logs for unusual patterns. If anything is amiss, engage incident response professionally.
If your Edmonton business handles customer data and hasn't had a security review in 12+ months, book a free 30-minute security check-in — we'll identify the top three fixable risks on your site and give you a prioritized list.