Security

21 documents

Agent guardrails

Wrap agents in deterministic input/output guardrails, least-privilege tool access, human confirmation for irreversible actions, and a kill switch.

Authentication

Use OAuth 2.0 / OpenID Connect with PKCE for all public clients. The Implicit flow is

Tags: csharp, ios, kotlin, typescript, web, windows

Authorization

**Server-side authorization is the only real authorization.** Client-side checks (hiding

Tags: typescript, web

Consent management

Capture granular, versioned, withdrawable consent in an auditable log and gate all non-essential processing on it.

Content Security Policy

Prevent XSS and injection with a strict CSP. Web apps only.

Tags: typescript, web

CORS

Cross-Origin Resource Sharing — get it right or don't enable it.

Tags: web

Data subject rights (DSAR)

Architect every personal-data store to be enumerable, exportable, and deletable by subject id so DSARs are satisfied within the legal SLA.

Dependency Security

Your dependencies are your attack surface. Manage them actively.

Tags: python, typescript

Input Validation

**Never trust client input.** Client-side validation is a UX feature, not a security control.

Tags: typescript, web

LLM and agentic application security

Treat all model output as untrusted, defend against direct and indirect prompt injection, and constrain tool agency.

MCP server security

Harden MCP servers against tool poisoning, rug-pulls, token passthrough, confused-deputy, session hijacking, and SSRF.

MCP tool input validation

Treat every MCP tool argument as untrusted model-supplied input: schema-validate, authorize per call, and bound resource access.

Passkeys and WebAuthn

Implement phishing-resistant passwordless auth with passkeys/WebAuthn, prefer them over passwords and SMS-OTP, and plan recovery.

PII handling and classification

Classify PII at the schema level, minimize collection, encrypt at rest and in transit, and never write it to logs.

Privacy and security by default

Collect only what is needed. Prefer on-device processing.

Tags: kotlin, swift, typescript

Secure Storage

Tokens, credentials, and any sensitive data MUST use platform secure storage. Never store secrets in plaintext config...

Tags: kotlin, swift, windows

Security Headers Checklist

Every web application should set these response headers:

Tags: web

Sender-constrained access tokens

Bind access tokens to the client with DPoP or mTLS so a stolen token cannot be replayed by another party.

Sensitive Data

Minimize what you collect, encrypt what you keep, never log what you shouldn't.

Tags: typescript, web

Token Handling

Short-lived (5-15 min). Include only necessary claims — no PII in JWTs

Tags: kotlin, typescript, web, windows

Transport Security

**TLS 1.2 minimum**, prefer TLS 1.3. Disable TLS 1.0 and 1.1 entirely.

Tags: typescript, web