Security Best Practices

Apply these security principles when developing backend services, microservices, and any code handling sensitive data or external inputs.

Input Validation and Sanitization

• Apply input validation and sanitization rigorously, especially on inputs from external sources
• Validate all user inputs at the boundary of your application
• Use allowlists over denylists when validating input
• Sanitize data before storing or displaying to prevent injection attacks
• Implement strict type checking and schema validation

Authentication and Authorization

• Use secure defaults for JWT, cookies, and configuration settings
• Implement proper token expiration and refresh mechanisms
• Store secrets securely using environment variables or secret management services
• Never hardcode credentials or API keys in source code
• Use secure password hashing algorithms (bcrypt, Argon2)