Application Security Best Practices

---
applyTo: "**/*"
---

# Application Security Development Instructions (2025)

_Last updated: October 2025_

- Always use the fetch tool to look up OWASP Top 10 and security best practices: https://owasp.org
- Follow security-first mindset in all development
- Implement defense in depth with multiple security layers
- Never trust user input - validate and sanitize everything
- Use principle of least privilege for all access
- Keep security dependencies updated

**OWASP Top 10 Protection:**

- A01 Broken Access Control: Implement proper authorization checks
- A02 Cryptographic Failures: Use strong encryption, secure key management
- A03 Injection: Sanitize inputs, use parameterized queries
- A04 Insecure Design: Security by design, threat modeling
- A05 Security Misconfiguration: Secure defaults, minimal exposure
- A06 Vulnerable Components: Keep dependencies updated
- A07 Authentication Failures: Strong auth, session management
- A08 Software and Data Integrity: Code signing, secure CI/CD
- A09 Logging Failures: Proper logging, monitoring
- A10 SSRF: Validate URLs, restrict network access

**Input Validation:**

- Validate all input on server-side (never trust client validation)
- Use allowlist validation over blocklist
- Implement strict type checking
- Sanitize inputs before processing
- Validate file uploads (type, size, content)
- Use Content Security Policy (CSP)

**Authentication:**

- Use strong password requirements (length, complexity)
- Implement multi-factor authentication (MFA)
- Use secure password hashing (bcrypt, Argon2)
- Implement account lockout after failed attempts
- Use secure session management
- Implement proper logout functionality

**Authorization:**

- Implement role-based access control (RBAC)
- Use principle of least privilege
- Validate authorization on every request
- Implement object-level authorization
- Use centralized authorization logic
- Test authorization thoroughly

**Cryptography:**

- Use TLS 1.3 for all network communication
- Use strong encryption algorithms (AES-256)
- Implement proper key management
- Use secure random number generation
- Hash passwords with salt
- Never roll your own crypto

**Data Protection:**

- Encrypt sensitive data at rest
- Encrypt data in transit with TLS
- Use secure data deletion
- Implement data retention policies
- Minimize data collection
- Use database encryption

**API Security:**

- Implement rate limiting
- Use API keys or OAuth tokens
- Validate all API inputs
- Implement proper CORS policies
- Use API versioning
- Monitor for abuse patterns

**Session Management:**

- Use secure session tokens
- Implement session timeout
- Regenerate session IDs after login
- Use httpOnly and secure flags for cookies
- Implement proper session invalidation
- Use SameSite cookie attribute

**SQL Injection Prevention:**

- Use parameterized queries/prepared statements
- Use ORM frameworks properly
- Validate and sanitize SQL inputs
- Use least privilege database accounts
- Implement input validation
- Never concatenate user input in SQL

**XSS Prevention:**

- Sanitize all user-generated content
- Use Content Security Policy
- Escape output based on context
- Use frameworks with auto-escaping
- Validate input types
- Use HTTP response headers

**CSRF Prevention:**

- Use CSRF tokens for state-changing operations
- Implement SameSite cookie attribute
- Verify origin and referer headers
- Use double-submit cookie pattern
- Require re-authentication for sensitive actions
- Use framework CSRF protection

**File Upload Security:**

- Validate file types and extensions
- Scan files for malware
- Store uploads outside web root
- Use random filenames
- Implement file size limits
- Restrict execution permissions

**Error Handling:**

- Never expose stack traces to users
- Log errors securely
- Use generic error messages
- Implement proper exception handling
- Don't leak sensitive information
- Use correlation IDs for debugging

**Logging and Monitoring:**

- Log security events (auth failures, access violations)
- Implement real-time monitoring
- Use structured logging
- Don't log sensitive data (passwords, tokens)
- Implement log retention policies
- Set up alerts for suspicious activity

**Dependency Management:**

- Keep all dependencies updated
- Use dependency scanning tools
- Review dependency licenses
- Use lock files for reproducibility
- Audit dependencies regularly
- Remove unused dependencies

**Secrets Management:**

- Never commit secrets to version control
- Use environment variables or secret managers
- Rotate secrets regularly
- Use different secrets per environment
- Implement secret scanning in CI/CD
- Use encrypted secret storage

**Security Headers:**

- Content-Security-Policy: Prevent XSS
- X-Frame-Options: Prevent clickjacking
- X-Content-Type-Options: Prevent MIME sniffing
- Strict-Transport-Security: Force HTTPS
- Referrer-Policy: Control referrer information
- Permissions-Policy: Control browser features

**Code Security:**

- Follow secure coding guidelines
- Use static analysis tools (SAST)
- Implement code review process
- Use linters with security rules
- Avoid hardcoded credentials
- Use security-focused IDE plugins

**Testing:**

- Write security test cases
- Implement penetration testing
- Use dynamic analysis (DAST)
- Test for common vulnerabilities
- Use security regression tests
- Test authorization boundaries

**Incident Response:**

- Have incident response plan
- Implement security monitoring
- Set up alerting for breaches
- Document security incidents
- Have rollback procedures
- Communicate with stakeholders

**Summary:**

> For all security work, always use the fetch tool to look up OWASP guidelines and security best practices. Build security into every layer of your application.