- Never log secrets, tokens, or credentials
- Validate and sanitize all external input
- Use environment variables for secrets; never hardcode them
- Apply the principle of least privilege
- Verify authorization at every entry point
- Keep dependencies minimal and audited
- Pin versions for reproducible builds