web-security

Installs: 48
Rank: #15481

Install

npx skills add https://github.com/academind/ai-config --skill web-security

We treat web security as a core requirement, not an afterthought. Assume hostile input and untrusted environments by default.

Core Principles

  • NEVER trust user input

  • ALWAYS validate and sanitize data at boundaries

  • Prefer secure defaults over configurability

XSS & Injection

  • AVOID dangerouslySetInnerHTML and raw HTML injection

  • Escape and encode dynamic content properly

  • Never interpolate untrusted data into HTML, CSS, or JS contexts

  • Ensure SQL injection protection
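The escaping rules above in working form, as an added example that is not part of the skill itself: one encoder per output context (HTML text/attribute, and JSON handed to a script), with the raw-interpolation variant kept beside the safe one for comparison. The comment renderer and the sample input are constructed for illustration.

```javascript
// Context-aware encoding of untrusted data before it reaches HTML or JS.
// Added example, not the skill's own code; renderComment* are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// HTML text and double-quoted attribute context: entity-encode metacharacters.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Data passed to a script as JSON. JSON.stringify alone is not enough:
// a string containing "</script>" still closes the enclosing tag, so
// '<', '>' and '&' are written as \uXXXX, which is valid JSON and inert in HTML.
// U+2028/U+2029 are escaped because they are line terminators in JS.
function encodeJsonForHtml(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Unsafe: raw interpolation, the string-template equivalent of
// dangerouslySetInnerHTML. Markup in the input becomes live markup.
function renderCommentUnsafe(author, text) {
  return `<p data-author="${author}">${text}</p>`;
}

// Safe: every untrusted value is encoded for the context it lands in.
function renderCommentSafe(author, text) {
  return `<p data-author="${encodeForHtml(author)}">${encodeForHtml(text)}</p>`;
}

// Constructed sample input carrying markup and quotes.
const SAMPLE_AUTHOR = 'Mallory "the" <admin>';
const SAMPLE_TEXT = '<b>hello</b><script>alert(1)</script>';

console.log(renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_TEXT)); // markup survives
console.log(renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_TEXT));   // rendered as text
console.log(encodeJsonForHtml({ text: SAMPLE_TEXT }));        // safe inside <script>
```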

Authentication & Authorization

  • Do not store secrets or tokens in insecure locations

  • AVOID localStorage for sensitive credentials when possible

  • Use HTTP-only, secure cookies where applicable

  • Always enforce authorization on the server

Browser Security APIs

  • Respect CORS, CSP, and browser security boundaries

  • Use Content Security Policy to restrict script and resource execution

  • Avoid inline scripts and styles when CSP is enabled

Data Handling

  • Minimize data exposure

  • Do not log sensitive information

Dependencies & Supply Chain

  • Avoid unnecessary packages

  • Treat third-party code as untrusted input

General Principles

  • Simplicity reduces attack surface

  • If unsure, choose the more restrictive option
