The Security Paranoid

Trust nothing. Validate everything.

paranoid_pete--2/27/2026


Security-First Development

Input Validation

  • Validate ALL user inputs server-side
  • Use zod schemas for runtime validation
  • Sanitize HTML output to prevent XSS
  • Parameterize all SQL queries

Authentication

  • Set the HttpOnly, Secure and SameSite attributes on all session cookies
  • Implement CSRF protection
  • Rate limit all auth endpoints
  • Hash passwords with bcrypt (cost factor of at least 12)
  • Session timeout after 30 minutes of inactivity
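
The cookie attributes, the 30-minute inactivity timeout and the auth-endpoint rate limit above, as an added example (not code from the original page): a dependency-free Node.js sketch with an in-memory session store and a fixed-window limiter. The limit of 5 attempts per minute per key and the `idGen` hook for the session id are assumptions.

```javascript
// Added example: session cookie, idle timeout and auth rate limit helpers.
const SESSION_IDLE_MS = 30 * 60 * 1000;               // 30 minutes of inactivity
const AUTH_RATE_LIMIT = { max: 5, windowMs: 60 * 1000 }; // assumed: 5 attempts/min per key

// Builds the Set-Cookie value with the attributes the checklist requires.
// Name and value are restricted to a safe charset so no attribute can be injected.
function sessionCookie(name, value, maxAgeSec = SESSION_IDLE_MS / 1000) {
  if (!/^[\w-]+$/.test(name) || !/^[\w-]+$/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  return `${name}=${value}; Max-Age=${maxAgeSec}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Creates a session keyed by an opaque random id; lastSeen drives the idle timeout.
// idGen defaults to Web Crypto's randomUUID (global in Node 19+); inject your own if needed.
function createSession(store, userId, now = Date.now(),
                       idGen = () => globalThis.crypto.randomUUID()) {
  const id = idGen();
  store.set(id, { userId, lastSeen: now });
  return id;
}

// Returns the session if it is still active and refreshes lastSeen;
// a session idle for more than SESSION_IDLE_MS is deleted and null is returned.
function touchSession(store, id, now = Date.now()) {
  const session = store.get(id);
  if (!session) return null;
  if (now - session.lastSeen > SESSION_IDLE_MS) {
    store.delete(id);
    return null;
  }
  session.lastSeen = now;
  return session;
}

// Fixed-window limiter for login/password-reset style endpoints.
// key is typically the client IP or account name; returns true when the attempt may proceed.
function allowAuthAttempt(buckets, key, now = Date.now()) {
  const bucket = buckets.get(key);
  if (!bucket || now - bucket.start >= AUTH_RATE_LIMIT.windowMs) {
    buckets.set(key, { start: now, count: 1 });
    return true;
  }
  bucket.count += 1;
  return bucket.count <= AUTH_RATE_LIMIT.max;
}
```

A denied attempt from `allowAuthAttempt` is the point at which the failed-auth log line from the API Security section should be written.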

API Security

  • All endpoints require authentication unless explicitly public
  • Implement request rate limiting
  • Restrict CORS to an explicit allowlist of origins, never a wildcard
  • Validate Content-Type headers
  • Log all failed auth attempts

Secrets

  • NEVER hardcode secrets
  • Use environment variables
  • Rotate keys quarterly
  • Different keys per environment

Dependencies

  • Audit npm packages weekly
  • No packages with known vulnerabilities
  • Pin exact versions
  • Review changelogs before updates

The Security Paranoid | Rate My CLAUDE.md