- Validate all inputs (length, type, format).
- Reject by default, allow only safe values.
- Use whitelisting instead of blacklisting.
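The three points above are easiest to see together in code. The following is an added example (not part of the original checklist) showing a request validator that rejects by default: every field must be present, have the expected type, fit a length bound and match an allowlist pattern or allowlist set. The field names, bounds, regexes and role names are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Allowlist patterns describe what a valid value looks like, not what a bad one looks like.
# Anchors are omitted because fullmatch() already requires the whole string to match.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
# Deliberately narrow e-mail check: local@domain.tld with a restricted character set.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,24}")
ALLOWED_ROLES = frozenset({"viewer", "editor"})   # assumed role names for this example
EXPECTED_FIELDS = {"username", "email", "age", "role"}


class ValidationError(ValueError):
    pass


@dataclass(frozen=True)
class SignupRequest:
    username: str
    email: str
    age: int
    role: str


def _require_str(value, field: str, max_len: int) -> str:
    """Type check first, then length, before any pattern is evaluated."""
    if not isinstance(value, str):
        raise ValidationError(f"{field}: expected string")
    if len(value) > max_len:
        raise ValidationError(f"{field}: too long")
    return value


def validate_signup(raw) -> SignupRequest:
    """Reject by default: unknown fields, wrong types, out-of-range values and
    anything outside the allowlists all raise ValidationError."""
    if not isinstance(raw, dict):
        raise ValidationError("payload: expected object")
    unexpected = set(raw) - EXPECTED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")

    username = _require_str(raw.get("username"), "username", 32)
    if not USERNAME_RE.fullmatch(username):
        raise ValidationError("username: invalid format")

    email = _require_str(raw.get("email"), "email", 254)
    if not EMAIL_RE.fullmatch(email):
        raise ValidationError("email: invalid format")

    age = raw.get("age")
    # bool is a subclass of int in Python, so it has to be excluded explicitly
    if isinstance(age, bool) or not isinstance(age, int) or not 13 <= age <= 120:
        raise ValidationError("age: expected integer in 13..120")

    role = _require_str(raw.get("role"), "role", 16)
    if role not in ALLOWED_ROLES:          # allowlist set, not a denylist of bad roles
        raise ValidationError("role: not permitted")

    return SignupRequest(username, email, age, role)


def is_valid(raw) -> bool:
    try:
        validate_signup(raw)
        return True
    except ValidationError:
        return False
```

Note that "admin" is rejected not because it is on a blocklist but because it is absent from `ALLOWED_ROLES`; a new privileged role added later is rejected automatically until someone deliberately allows it.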
- Enforce strong password policies.
- Store passwords using Argon2/bcrypt/scrypt.
- Enable MFA.
- Prevent brute force with rate limiting.
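Password storage and brute-force throttling are shown together in this added example (not code from the original checklist). It uses scrypt from Python's standard-library `hashlib` with a per-user random salt and the cost parameters stored next to the hash, compares digests in constant time, and puts a sliding-window rate limiter in front of the expensive hash check. The cost parameters, the limit of three attempts per minute and the storage string format are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from collections import deque
from typing import Dict

# Assumed scrypt cost parameters; stored with each hash so they can be raised later
# without invalidating existing records.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
DKLEN = 32


def hash_password(password: str) -> str:
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the stored string; constant-time compare."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash for unknown users, so a login for a non-existent account costs the same time
# as one for a real account and does not leak which usernames exist.
DUMMY_HASH = hash_password("dummy-placeholder")


class RateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per key."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: Dict[str, deque] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def login(users: Dict[str, str], limiter: RateLimiter, username: str, password: str) -> str:
    """Returns 'ok', 'denied' or 'throttled'. The limiter runs before the hash so that
    throttled attempts cost nothing."""
    if not limiter.allow(username):
        return "throttled"
    stored = users.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)
        return "denied"
    return "ok" if verify_password(password, stored) else "denied"
```

The limiter is keyed by username here; in production one would typically key by source address as well, and back it with shared storage so the count survives across application instances.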
- Enforce least privilege.
- Use role-based or attribute-based access control.
- Re-check authorization on every request.
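The following added example (not from the original checklist) illustrates the three authorization points: a small role-to-permission table, an ownership attribute layered on top of it, and an authorizer that looks the subject's roles up again on every request instead of trusting roles cached in a session. The role names, permission strings and the rule that only `user:manage` may act on another user's document are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Set

# Permissions are granted to roles, never hard-coded into request handlers.
ROLE_PERMISSIONS = {
    "viewer": frozenset({"doc:read"}),
    "editor": frozenset({"doc:read", "doc:write"}),
    "admin":  frozenset({"doc:read", "doc:write", "doc:delete", "user:manage"}),
}


class Forbidden(Exception):
    pass


@dataclass
class Request:
    user: str
    action: str
    doc_owner: Optional[str] = None   # owner of the document being acted on, if any


class Authorizer:
    """RBAC with one ownership attribute. Roles are fetched fresh on every check,
    so a revoked role takes effect on the next request, not at session expiry."""

    def __init__(self, role_lookup: Callable[[str], Set[str]]):
        self._role_lookup = role_lookup

    def permissions_for(self, user: str) -> FrozenSet[str]:
        perms: Set[str] = set()
        for role in self._role_lookup(user):
            perms |= ROLE_PERMISSIONS.get(role, frozenset())   # unknown role grants nothing
        return frozenset(perms)

    def check(self, req: Request) -> None:
        perms = self.permissions_for(req.user)
        if req.action not in perms:
            raise Forbidden(f"{req.user} lacks {req.action}")
        # Attribute check: writes and deletes on someone else's document need user:manage.
        if req.action in ("doc:write", "doc:delete") and req.doc_owner not in (None, req.user):
            if "user:manage" not in perms:
                raise Forbidden(f"{req.user} is not the owner")


def handle(authz: Authorizer, req: Request) -> str:
    """Every request passes through the authorizer before any work is done."""
    try:
        authz.check(req)
    except Forbidden:
        return "403"
    return "200"
```

Because `role_lookup` is a callable rather than a snapshot, the test below can revoke a role in the backing store and observe the very next request being refused.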
- No stack traces or sensitive info in responses.
- Log errors securely.
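An added example (not part of the original checklist) of what these two points mean in practice: the client receives an opaque error with a correlation id, while the full traceback is written to the server log with sensitive request fields redacted first. The list of sensitive keys, the bearer-token pattern and the constructed failing request are assumptions for the example.

```python
import json
import logging
import re
import traceback
import uuid
from io import StringIO
from typing import Callable, Tuple

# Assumed set of keys whose values must never reach the log store.
SENSITIVE_KEYS = {"password", "token", "authorization", "secret", "ssn"}
_BEARER_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9._\-]+")

logger = logging.getLogger("app")


def redact(data):
    """Recursively mask values under sensitive keys and bearer tokens inside free text."""
    if isinstance(data, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in data.items()}
    if isinstance(data, list):
        return [redact(v) for v in data]
    if isinstance(data, str):
        return _BEARER_RE.sub(r"\1[REDACTED]", data)
    return data


def handle_request(handler: Callable[[dict], dict], request: dict) -> Tuple[int, dict]:
    """Run the handler; on failure log the traceback with redacted context and
    return only a generic message plus an incident id the client can quote."""
    try:
        return 200, handler(request)
    except Exception:
        incident_id = uuid.uuid4().hex
        logger.error("incident=%s request=%s\n%s",
                     incident_id, json.dumps(redact(request)), traceback.format_exc())
        # No exception type, message or stack frame leaves the server.
        return 500, {"error": "internal error", "incident_id": incident_id}


def run_demo() -> Tuple[int, dict, str]:
    """Drive a constructed failing handler and capture what was logged."""
    buf = StringIO()
    stream = logging.StreamHandler(buf)
    logger.addHandler(stream)
    logger.setLevel(logging.ERROR)
    try:
        def failing(req: dict) -> dict:
            raise KeyError("db connection missing for " + req["user"])

        constructed_request = {
            "user": "alice",
            "password": "hunter2",                       # must not appear in the log
            "headers": {"Authorization": "Bearer abc.def"},
            "note": "retry with Bearer abc.def",         # token embedded in free text
        }
        status, body = handle_request(failing, constructed_request)
    finally:
        logger.removeHandler(stream)
    return status, body, buf.getvalue()
```

The incident id is the link between what the user reports and what the operator can find in the log; the log line carries the stack, the response never does.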
- Encrypt sensitive data at rest and in transit.
- Use TLS 1.2+ only.
- Rotate keys regularly.
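Two of the cryptographic points above are concrete enough to demonstrate, so here is an added example (not from the original checklist): a client-side TLS context pinned to TLS 1.2 as the minimum protocol version, using only Python's standard `ssl` module, and a versioned keyring for HMAC-signed tokens in which rotation promotes a fresh key while tokens under the previous key keep verifying for a grace period. The token format, key-id scheme and grace period are assumptions for the example.

```python
import hashlib
import hmac
import os
import ssl
import time
from typing import Dict, Optional, Tuple


def hardened_client_context() -> ssl.SSLContext:
    """Client TLS context: TLS 1.2 minimum, certificate and hostname verification on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class SigningKeyring:
    """Versioned HMAC-SHA256 keys. Each token carries its key id, so new tokens use
    the newest key while tokens under a retired key verify until its grace period ends."""

    def __init__(self, clock=time.time, grace_seconds: float = 3600):
        self._keys: Dict[str, Tuple[bytes, Optional[float]]] = {}   # kid -> (key, retired_at)
        self._current: Optional[str] = None
        self._clock, self._grace = clock, grace_seconds
        self.rotate()

    def rotate(self) -> str:
        """Generate a new key, mark the previous one retired, and return the new key id."""
        if self._current is not None:
            key, _ = self._keys[self._current]
            self._keys[self._current] = (key, self._clock())
        kid = f"k{len(self._keys) + 1}"          # assumed key-id scheme
        self._keys[kid] = (os.urandom(32), None)
        self._current = kid
        return kid

    def sign(self, payload: bytes) -> str:
        key, _ = self._keys[self._current]
        mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
        return f"{self._current}.{payload.hex()}.{mac}"

    def verify(self, token: str) -> Optional[bytes]:
        """Return the payload if the token is authentic and its key is still accepted."""
        try:
            kid, payload_hex, mac = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        entry = self._keys.get(kid)
        if entry is None:
            return None
        key, retired_at = entry
        if retired_at is not None and self._clock() - retired_at > self._grace:
            return None   # past grace period: the token has to be reissued
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        return payload if hmac.compare_digest(expected, mac) else None
```

Rotation is only useful if verifiers can tell which key a token was made with, which is why the key id travels inside the token; the grace period bounds how long a retired key stays in memory.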
- Maintain SBOM.
- Automate dependency updates.
- Scan with SCA tools.
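To show what an SBOM check actually involves, here is an added example (not from the original checklist and not any real tool's code) that parses a constructed CycloneDX-style SBOM, matches each component's package URL against a constructed advisory list with placeholder identifiers, and gates a build on the findings' severity. The SBOM contents, package names, advisory ids and the simple dotted-version comparison are all assumptions for the example.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment; the packages are invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.4.2", "purl": "pkg:pypi/examplelib@1.4.2"},
    {"type": "library", "name": "netparse",   "version": "0.9.0", "purl": "pkg:pypi/netparse@0.9.0"},
    {"type": "library", "name": "safeutil",   "version": "3.1.0", "purl": "pkg:pypi/safeutil@3.1.0"}
  ]
}
"""

# Constructed advisory feed with placeholder identifiers, shaped like what an SCA tool consumes.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "pypi", "package": "examplelib",
     "fixed_in": "1.5.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "pypi", "package": "netparse",
     "fixed_in": "0.8.3", "severity": "medium"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    # Assumption: plain dotted numeric versions. Real tooling needs ecosystem-aware
    # comparison (pre-releases, epochs, build metadata).
    return tuple(int(part) for part in v.split("."))


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:<ecosystem>/<name>@<version>' into its three parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    ecosystem, rest = purl[4:].split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version


def scan_sbom(sbom_text: str, advisories: List[Dict]) -> List[Dict]:
    """Report every component whose version is below an advisory's fixed version."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        ecosystem, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            same_pkg = adv["ecosystem"] == ecosystem and adv["package"] == name
            if same_pkg and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "component": f"{name}@{version}",
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


def build_passes(findings: List[Dict], fail_on=("high", "critical")) -> bool:
    """CI gate: the build fails when any finding reaches the configured severity."""
    return not any(f["severity"] in fail_on for f in findings)
```

The value of maintaining the SBOM is that this check can run against the inventory alone, without a build environment, every time the advisory feed changes rather than only when the code does.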