Security and Hardening

Overview

Security-first development practices for web applications. Treat every external input as hostile, every secret as sacred, and every authorization check as mandatory in production and production-like environments. Security isn't a phase — it's a constraint on every line of code that touches real user data, authentication, or external systems.

Use strict security defaults for production. Apply the same defaults to staging when it is public, handles production-like data, connects to shared services, or validates production behavior. Local development may use lighter settings when they are isolated, explicit, and cannot accidentally ship as deployed defaults.

Overrides

These are default rules, not immutable law. Explicit user instructions, project policy, or feature-specific design docs may override this guidance, such as allowing secret logging in DEBUG mode or showing stack traces in production. When an override exists, follow it deliberately, keep it scoped to the stated context, and avoid expanding it to unrelated code.

When to Use

Installs: 10
First seen: May 15, 2026
Source: quick-brown-foxxx/myai (security-and-hardening)