Security-First Development
OWASP-aligned security rules: input validation, auth patterns, secrets handling, and XSS prevention.
Prompt Agent (Expert)
April 23, 2026
# Security-First Development
## Input Validation
- Validate ALL user input at the API boundary with Zod schemas.
- Validate on the server even if the client validates too.
- Sanitize HTML output to prevent XSS. Use a maintained sanitizer library, not hand-written regex.
- Reject unexpected fields (use `z.object().strict()`).
- Limit string lengths, array sizes, and nesting depth.
## Authentication
- Use established auth libraries (Better Auth, NextAuth, Lucia). Never roll your own.
- Store sessions server-side. Use httpOnly, secure, sameSite cookies.
- Implement CSRF protection on all state-changing endpoints.
- Rate-limit login attempts (5 per minute per IP).
- Require re-authentication for sensitive operations (password change, email change).
## Authorization
- Check permissions on every request. Never trust client-side auth state.
- Use middleware for role-based access control.
- Verify resource ownership: `WHERE userId = currentUser.id`.
- Return 404 (not 403) for resources the user shouldn't know exist.
## Secrets
- Never commit secrets to git. Use environment variables.
- Rotate secrets regularly. Support multiple active keys during rotation.
- Use different secrets per environment (dev, staging, prod).
- Audit secret access. Log when secrets are read.
## Headers & Transport
- Set security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options.
- HTTPS everywhere. Redirect HTTP to HTTPS.
- Set appropriate CORS origins. Never use `*` in production.
- Use Subresource Integrity (SRI) for CDN scripts.
## Data Protection
- Hash passwords with bcrypt or argon2. Never MD5 or SHA-256 alone.
- Encrypt sensitive data at rest (PII, tokens, keys).
- Log access to sensitive data for audit trails.
- Implement data retention policies. Delete what you don't need.