Web Security

We treat web security as a core requirement, not an afterthought. Assume hostile input and untrusted environments by default.

Core Principles

  • NEVER trust user input
  • ALWAYS validate and sanitize data at boundaries
  • Prefer secure defaults over configurability

XSS & Injection

  • AVOID dangerouslySetInnerHTML and raw HTML injection
  • Escape and encode dynamic content properly
  • Never interpolate untrusted data into HTML, CSS, or JS contexts
  • Guard against SQL injection (parameterized queries, never string-built SQL)
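The three interpolation rules above (HTML, URL attribute, JS context) applied in code. This is an added example, not part of the skill file; the sample inputs and the `app.example` base URL are constructed for illustration.

```javascript
// Added example (not part of the skill file): escape untrusted data per output context.
// Sample inputs below are constructed for illustration.

// Text and attribute context: entity-encode the characters that can change HTML structure.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: untrusted name is interpolated straight into markup (the pattern this skill forbids).
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Safe: the same template, escaped at the output boundary.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// URL attribute context: escaping is not enough, the scheme itself must be allow-listed.
// Returns the original href when it resolves to http(s), otherwise null so the caller drops it.
function safeHref(href, base = 'https://app.example') {
  let parsed;
  try { parsed = new URL(href, base); } catch { return null; }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? href : null;
}

// JavaScript context: data embedded in a <script> block as JSON. JSON.stringify alone is not
// enough, because "</script>" inside a string value would still close the tag. Encode "<"
// (and the line terminators U+2028/U+2029) as JSON escapes; they parse back to the original.
function toScriptJson(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Constructed sample input: a display name that contains markup.
const sampleName = 'Ann <script>x()</script>';
console.log(renderGreetingUnsafe(sampleName)); // markup reaches the page intact
console.log(renderGreetingSafe(sampleName));   // markup is rendered as literal text
```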

Authentication & Authorization

  • Do not store secrets or tokens in insecure locations
  • AVOID localStorage for sensitive credentials when possible
  • Use HttpOnly, Secure cookies where applicable
  • Always enforce authorization on the server

Browser Security APIs

  • Respect CORS, CSP, and browser security boundaries
  • Use Content Security Policy to restrict script and resource execution
  • Avoid inline scripts and styles when CSP is enabled

Data Handling

  • Minimize data exposure
  • Do not log sensitive information

Dependencies & Supply Chain

  • Avoid unnecessary packages
  • Treat third-party code as untrusted input

General Principles

  • Simplicity reduces attack surface
  • If unsure, choose the more restrictive option

First seen: Jan 24, 2026