security-practices
Quick Start
- All secrets in environment variables (never in config files)
- Validate inputs at system boundaries
- Sanitize error responses (no stack traces in production)
- Use HTTPS for all external connections
Key Principles
- Environment variables for all secrets
- SSRF prevention (block internal IP ranges)
- Development vs Production mode separation
- Rigorous input validation
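One way to implement the SSRF principle above, combined with the HTTPS-only rule, as an added example that is not part of these conventions or of rules.md: the URL is accepted only if its scheme is HTTPS and every address the host resolves to is public. The `resolver` parameter is an assumption added so the check can be exercised offline; the hostnames and addresses used in testing are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_blocked_ip(ip_str):
    """True if ip_str is loopback, private, link-local, multicast, reserved
    or otherwise not a public unicast address. Unparsable input fails closed."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the inner IPv4 is judged.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes RFC1918, loopback, link-local, CGNAT and
    # test networks; multicast is checked separately because is_global
    # does not reject it on every Python version.
    return (not ip.is_global) or ip.is_multicast


def default_resolver(host):
    """Every address (A and AAAA) the host maps to, via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url, resolver=default_resolver):
    """Return (ok, reason). ok is True only for an HTTPS URL whose host
    resolves exclusively to public addresses."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    try:
        addrs = resolver(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        addrs = []
    if not addrs:
        return False, "host does not resolve"
    # Reject if ANY resolved address is internal: a dual-homed name that
    # mixes a public and a private record is still an SSRF vector.
    for addr in addrs:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"
```

The check runs at validation time, so the HTTP client should also re-validate each redirect target and, ideally, connect to the address that was checked rather than resolving the name again, which closes the DNS rebinding window between check and connect.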
References
See rules.md for complete conventions.