Security

14 documents

Authentication

Use OAuth 2.0 / OpenID Connect with PKCE for all public clients. The Implicit flow is

csharp, ios, kotlin, typescript, web, windows

Authorization

**Server-side authorization is the only real authorization.** Client-side checks (hiding

typescript, web

Content Security Policy

Prevent XSS and injection with a strict CSP. Web apps only.

typescript, web

CORS

Cross-Origin Resource Sharing — get it right or don't enable it.

web

Dependency Security

Your dependencies are your attack surface. Manage them actively.

python, typescript

Input Validation

**Never trust client input.** Client-side validation is a UX feature, not a security control.

typescript, web

LLM red teaming

Adversarially test LLM and agent systems against the OWASP LLM Top 10 and gate releases on a tracked attack-success-rate threshold.

Privacy and security by default

Collect only what is needed. Prefer on-device processing.

kotlin, swift, typescript

Secure Storage

Tokens, credentials, and any sensitive data MUST use platform secure storage. Never store secrets in plaintext config...

kotlin, swift, windows

Security Headers Checklist

Every web application should set these response headers:

web

Sensitive Data

Minimize what you collect, encrypt what you keep, never log what you shouldn't.

typescript, web

Token Handling

Short-lived (5-15 min). Include only necessary claims — no PII in JWTs

kotlin, typescript, web, windows

Transport Security

**TLS 1.2 minimum**, prefer TLS 1.3. Disable TLS 1.0 and 1.1 entirely.

typescript, web

Vulnerability prioritization by exploitability

Triage CVEs by exploitability — CISA KEV and high EPSS first, deprioritize unreachable transitive findings — not raw CVSS.