Advanced Security

Secure Coding Practices

Input validation, encryption, and security-first development.

Building Secure Applications

Security should be considered at every stage of development, not added as an afterthought.

Input Validation

  • Validate on server-side (never trust client)
  • Use allowlists over blocklists
  • Validate type, length, format, range
  • Use validation libraries (Zod, Yup)

import { z } from 'zod';

// Allowlist-style schema: each field has an explicit type, format and range
const userSchema = z.object({
  email: z.string().email(),
  age: z.number().min(0).max(150)
});

// safeParse never throws; on failure, reject the request and report the issues
const result = userSchema.safeParse({ email: 'not-an-email', age: 200 });
if (!result.success) console.log(result.error.issues);
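The following is an added example, not code from the original page, showing the same four checks (type, length, format, range) plus an allowlist, written without a validation library so the mechanics are visible. It also rejects fields that are not in the rule set, which is the allowlist principle applied to field names. The rule shape, the field names and the two sample requests are constructed for this example.

```javascript
// Server-side validator: every field must satisfy an explicit rule, and any
// field without a rule is rejected (unknown fields are how clients smuggle in
// attributes such as "isAdmin"). Rules and sample data are constructed for the example.
const USER_RULES = {
  username: { type: 'string', minLen: 3, maxLen: 32, pattern: /^[a-z0-9_]+$/ },
  email:    { type: 'string', maxLen: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  age:      { type: 'number', min: 0, max: 150 },
  role:     { type: 'string', allow: ['viewer', 'editor'] }, // allowlist, not a list of bad roles
};

function validate(rules, input) {
  const errors = [];
  // Reject anything the rules do not name.
  for (const key of Object.keys(input)) {
    if (!(key in rules)) errors.push(`${key}: unexpected field`);
  }
  for (const [field, rule] of Object.entries(rules)) {
    const value = input[field];
    if (value === undefined) { errors.push(`${field}: required`); continue; }
    // Type first, so the later checks can assume the right shape ("34" is not 34).
    if (typeof value !== rule.type || (rule.type === 'number' && !Number.isFinite(value))) {
      errors.push(`${field}: expected ${rule.type}`);
      continue;
    }
    if (rule.type === 'string') {
      if (rule.minLen !== undefined && value.length < rule.minLen) errors.push(`${field}: too short`);
      if (rule.maxLen !== undefined && value.length > rule.maxLen) errors.push(`${field}: too long`);
      if (rule.pattern && !rule.pattern.test(value)) errors.push(`${field}: bad format`);
      if (rule.allow && !rule.allow.includes(value)) errors.push(`${field}: not an allowed value`);
    } else {
      if (rule.min !== undefined && value < rule.min) errors.push(`${field}: below minimum`);
      if (rule.max !== undefined && value > rule.max) errors.push(`${field}: above maximum`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample requests: one well-formed, one with a wrong type, a bad
// format, a value outside the allowlist and an extra privileged field.
const good = { username: 'alice_01', email: 'alice@example.com', age: 34, role: 'editor' };
const bad  = { username: 'A', email: 'nope', age: '34', role: 'admin', isAdmin: true };

console.log(validate(USER_RULES, good)); // { ok: true, errors: [] }
console.log(validate(USER_RULES, bad));  // ok: false, six errors
```

The validator collects every failure rather than stopping at the first one, so a client gets a complete picture and the server log records exactly which rule each rejected request broke.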

Secret Management

  • Never commit secrets to Git
  • Use environment variables
  • Use secret managers (Vault, AWS Secrets)
  • Rotate secrets regularly

Cryptography

  • Use proven libraries (don't roll your own)
  • bcrypt or Argon2 for passwords
  • AES-256-GCM for encryption
  • TLS 1.3 for transport

Security Scanning

  • SAST (static application security testing): analysis of source code without running it
  • DAST (dynamic application security testing): testing the running application
  • SCA (software composition analysis): scanning dependencies for known vulnerabilities