@tnm
Created March 22, 2025 17:56
  • Save tnm/713276279392a2edb4ff7ff5f1efe43c to your computer and use it in GitHub Desktop.
  • Make sure we're not storing any sensitive data in the frontend
  • Use an established library for authentication
  • Protect against SQL injection by using parameterized queries
  • Ensure we're sanitizing any user-generated content to prevent XSS
  • Implement CSRF protection for all forms and state-changing requests
  • Set up proper security headers using an established library
  • Validate all input with a proper schema validation library
  • Implement proper error handling and logging, without exposing details to users
  • Add rate limiting, especially on sensitive endpoints like login
  • Use HTTPS for all connections and implement proper certificate validation
  • Implement secure password storage with strong hashing algorithms and salting
  • Set secure and SameSite cookies with proper expiration policies
  • Use Content Security Policy (CSP) to prevent unauthorized script execution
  • Implement proper access control checks on all API endpoints
  • Avoid using eval() or similar functions that execute dynamic code
  • Implement secure session management with proper timeout and rotation
  • Use prepared statements or ORMs for database access to prevent injection attacks
  • Validate and sanitize URL redirects to prevent open redirect vulnerabilities
  • Implement secure file upload handling with type validation and size limits
  • Use secure random number generation for security-critical operations
  • Add multi-factor authentication for sensitive operations or admin access
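Worked example for the "secure password storage with strong hashing and salting", "secure random number generation" and "CSRF protection" items (added here; not the gist's code). It uses only the Python standard library: PBKDF2-HMAC-SHA256 with a per-user salt from `secrets`, a self-describing stored record, and constant-time comparison for both password digests and CSRF tokens. The iteration count and record layout are choices made for this example.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000       # OWASP's current guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(SALT_BYTES)   # fresh per-user salt from the OS CSPRNG, never random.random()
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False                          # malformed record is never a match
    if algorithm != ALGORITHM or rounds < 1 or not expected:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def new_csrf_token() -> str:
    # 32 random bytes, URL-safe; stored in the session and echoed in each form
    return secrets.token_urlsafe(32)


def csrf_token_matches(session_token: str, submitted_token: str) -> bool:
    if not session_token or not submitted_token:
        return False
    # compare as bytes so a non-ASCII submission cannot raise instead of failing
    return hmac.compare_digest(session_token.encode("utf-8"), submitted_token.encode("utf-8"))
```

Storing the algorithm and iteration count with each record is what lets you raise the work factor later and re-hash users on their next successful login without a flag day.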
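Worked example for the "validate and sanitize URL redirects" item (added here; not from the gist). The function accepts only a same-site path or an http(s) URL whose host is on an allowlist, and it handles the inputs that usually slip past a naive `startswith("/")` check: scheme-relative `//host`, `///host`, backslash variants, userinfo tricks and header-splitting control characters. The allowlist and fallback are parameters assumed for this example.

```python
from urllib.parse import urlsplit


def safe_redirect_target(target, allowed_hosts=frozenset(), fallback="/"):
    """Return target if it is a local path or an http(s) URL to an allowed host, else fallback."""
    if not target:
        return fallback
    cleaned = target.strip()
    # CR/LF or other control characters could split the Location header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in cleaned):
        return fallback
    # Browsers treat a backslash like a slash, so "/\evil.example" is really "//evil.example".
    cleaned = cleaned.replace("\\", "/")
    # Case 1: a same-site path. Exactly one leading slash; "//host" and "///host"
    # are scheme-relative URLs and leave the site.
    if cleaned.startswith("/"):
        return fallback if cleaned.startswith("//") else cleaned
    # Case 2: an absolute URL. Only http(s), and only when the parsed host
    # (not the userinfo before an "@") is on the allowlist.
    parts = urlsplit(cleaned)
    if parts.scheme.lower() in ("http", "https") and parts.hostname in allowed_hosts:
        return cleaned
    return fallback


if __name__ == "__main__":
    allowed = {"app.example.com"}
    for candidate in ["/account", "//evil.example/", "/\\evil.example",
                      "https://app.example.com@evil.example/", "javascript:alert(1)"]:
        print(repr(candidate), "->", safe_redirect_target(candidate, allowed))
```

The host check deliberately ignores the port; if your deployment serves on a non-default port, compare `parts.netloc` against the full allowed origin instead. Rejecting everything you do not positively recognise (a bare `account`, for instance) is the safe default for a redirect parameter.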
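Worked example for the "rate limiting, especially on sensitive endpoints like login" item (added here; not the gist's code). It is an in-memory sliding-window limiter with an injectable clock, applied to login both per client address and per target account so that neither one IP nor one username can absorb unlimited guesses. The limits shown are illustrative values chosen for this example; a multi-process deployment would back the same logic with a shared store.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                 # injectable so behaviour can be tested without sleeping
        self._events = {}                  # key -> deque of event timestamps still inside the window

    def _prune(self, key, now):
        events = self._events.setdefault(key, deque())
        while events and now - events[0] >= self.window:
            events.popleft()
        return events

    def allow(self, key):
        """Record an event for key and return whether it was within budget."""
        now = self.clock()
        events = self._prune(key, now)
        if len(events) >= self.limit:
            return False
        events.append(now)
        return True

    def retry_after(self, key):
        """Seconds until the oldest event leaves the window (0.0 if not limited)."""
        now = self.clock()
        events = self._prune(key, now)
        if len(events) < self.limit:
            return 0.0
        return self.window - (now - events[0])


# Illustrative budgets: a client address gets 20 attempts/minute, an account 5 per 5 minutes.
IP_LIMITER = SlidingWindowLimiter(limit=20, window=60)
ACCOUNT_LIMITER = SlidingWindowLimiter(limit=5, window=300)


def login_allowed(client_ip, username, ip_limiter=IP_LIMITER, account_limiter=ACCOUNT_LIMITER):
    """Both buckets must have budget; the account key is case-folded so Alice and alice share it."""
    return (ip_limiter.allow(f"ip:{client_ip}")
            and account_limiter.allow(f"user:{username.lower()}"))
```

Return `retry_after` to the client in a `Retry-After` header on a 429 response, and log limited attempts with the key that tripped; a burst of limited accounts from one address is the signal a password-spraying detection looks for.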
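Worked example for the "secure file upload handling with type validation and size limits" item (added here; not from the gist). The check enforces a size cap, an extension allowlist, and a match between the declared extension and the file's leading bytes, then returns a server-generated storage name so the client's filename never reaches the filesystem. The size limit and the supported formats are assumptions for this example.

```python
import secrets

MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # policy value chosen for this example

# Allowed extensions and the leading bytes (magic numbers) each format must start with.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename: str, data: bytes) -> str:
    """Check size, extension and content; return a server-chosen storage name."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds size limit")
    if not data:
        raise UploadRejected("empty file")
    # Only the extension is taken from the client name. Directories and the base
    # name are ignored, which also neutralises "../" components in the name.
    _, dot, ext = client_filename.rpartition(".")
    ext = EXTENSION_ALIASES.get(ext.lower(), ext.lower()) if dot else ""
    if ext not in SIGNATURES:
        raise UploadRejected("file type not allowed")
    # The Content-Type header is client-controlled; the bytes are what gets served later.
    if not any(data.startswith(magic) for magic in SIGNATURES[ext]):
        raise UploadRejected("content does not match the declared type")
    return f"{secrets.token_hex(16)}.{ext}"   # unguessable, never derived from client input


def rejection_reason(client_filename: str, data: bytes):
    """Convenience wrapper: the rejection message, or None when the upload is accepted."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None
```

Store accepted files outside the web root (or in object storage) and serve them with a fixed `Content-Type` and `Content-Disposition: attachment`, so that even a crafted polyglot that passes the magic-byte check is never interpreted as HTML or script by the browser.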