---
name: security-best-practices
description: Security best practices for backend development, microservices, and secure coding patterns with emphasis on input validation and authentication
---

# Security Best Practices

Apply these security principles when developing backend services, microservices, and any code handling sensitive data or external inputs.

## Input Validation and Sanitization

- Apply input validation and sanitization rigorously, especially on inputs from external sources
- Validate all user inputs at the boundary of your application
- Use allowlists over denylists when validating input
- Sanitize data before storing or displaying to prevent injection attacks
- Implement strict type checking and schema validation

## Authentication and Authorization

- Use secure defaults for JWT, cookies, and configuration settings
- Implement proper token expiration and refresh mechanisms
- Store secrets securely using environment variables or secret management services
- Never hardcode credentials or API keys in source code
- Use secure password hashing algorithms (bcrypt, Argon2)

## Permission Boundaries

- Isolate sensitive operations with clear permission boundaries
- Apply the principle of least privilege throughout the system
- Implement role-based access control (RBAC) where appropriate
- Audit and log access to sensitive resources
- Use separate service accounts for different components

## Resilience and Protection

- Implement retries, exponential backoff, and timeouts on all external calls
- Deploy circuit breakers and rate limiting for service protection
- Consider distributed rate-limiting to prevent abuse across services (e.g., using Redis)
- Implement request throttling to prevent denial of service
- Use connection pooling with appropriate limits

## Secure Configuration

- Use HTTPS/TLS for all network communications
- Configure secure HTTP headers (HSTS, CSP, X-Frame-Options)
- Disable verbose error messages in production
- Keep dependencies updated and scan for vulnerabilities
- Use secure defaults and fail securely

## Error Handling

- Implement comprehensive error handling throughout the application
- Never expose stack traces or internal details to end users
- Log security-relevant events with appropriate detail
- Propagate context appropriately for debugging while maintaining security
- Handle authentication and authorization failures gracefully

## Secrets Management

- Use environment variables or dedicated secrets managers
- Rotate credentials and keys regularly
- Implement proper key management practices
- Avoid logging sensitive information
- Use encryption at rest for sensitive data storage

## SQL Injection Prevention

- Use parameterized queries or prepared statements
- Never concatenate user input into SQL queries
- Use ORM features that automatically escape values
- Validate and sanitize all database inputs
- Limit database user permissions

## Cross-Site Scripting (XSS) Prevention

- Escape all output rendered in HTML
- Use Content Security Policy headers
- Sanitize user-generated content before display
- Use framework-provided escaping functions
- Avoid innerHTML and similar dangerous APIs

## Cross-Site Request Forgery (CSRF) Prevention

- Implement CSRF tokens for state-changing operations
- Verify origin and referer headers
- Use SameSite cookie attribute
- Require re-authentication for sensitive actions
- Implement proper session management

## API Security

- Implement API authentication (JWT, API keys, OAuth)
- Use rate limiting to prevent abuse
- Validate request content types
- Implement request size limits
- Log API access for auditing

## Dependency Security

- Regularly audit dependencies for vulnerabilities
- Use lockfiles to ensure consistent versions
- Remove unused dependencies
- Monitor security advisories for your stack
- Implement automated vulnerability scanning in CI/CD