- Never commit secrets, tokens, or private keys
- Use environment variables or secret managers for sensitive values
- Validate and sanitize all untrusted input
- Fail safely on malformed or unexpected input
- Prefer maintained dependencies with clear release history
- Review security advisories before upgrades
- Apply least-privilege access by default
- Keep privileged operations explicit and audited
- Do not log credentials or personal sensitive data
- Log security-relevant events with enough context for investigation