Security & Privacy

When to use

• Storing or reading tokens/credentials/session data.
• Logging user actions, errors, or request context.
• Persisting any user-identifiable data.
• Implementing auth flows or “remember me”.

Steps

1) Classify the data first

Treat as sensitive unless proven otherwise:

• secrets: tokens, API keys, credentials, session IDs
• PII: emails, phones, names, addresses, document numbers
• payloads: request/response bodies may contain secrets or PII