@donvito
Created April 26, 2025 03:58
Cursor Rules for Securing your app
# Secure Coding Practices
## Input Validation
- Always validate user input on both client and server sides
- Never trust client-side validation alone
- Use validation libraries appropriate for your framework (e.g., Zod, Joi, Yup)
## Prevent SQL Injection
- Use parameterized queries or prepared statements
- Never concatenate user input directly into SQL queries
- Use ORM libraries (Prisma, Sequelize, TypeORM) which help prevent SQL injection
## Prevent XSS (Cross-Site Scripting)
- Sanitize user-generated content before rendering
- Use framework-provided escaping mechanisms
- Consider Content Security Policy (CSP) headers
## Authentication Best Practices
- Store only hashed passwords, never plaintext
- Use strong hashing algorithms (bcrypt, Argon2) with appropriate work factors
- Implement proper session management
- Consider using OAuth or other established authentication frameworks
## Authorization Controls
- Implement proper access controls
- Validate permissions on the server for every request
- Don't rely on hiding UI elements for security
## Security Headers
- Implement appropriate security headers
- Use HTTPS for all communications
- Set proper CORS policies
## Dependency Management
- Regularly update dependencies
- Use tools like `npm audit` to check for vulnerabilities
- Remove unused dependencies
## Error Handling
- Implement proper error handling
- Don't expose sensitive information in error messages
- Log errors securely without exposing sensitive data
## API Security
- Rate limit API endpoints
- Implement proper authentication for APIs
- Use HTTPS for all API communications
# Secrets Management Best Practices
## Never Include Secrets in Code
- **NEVER** hardcode passwords, API keys, access tokens, or other secrets directly in source code
- Secrets in code are vulnerable to accidental exposure through version control
- Even in private repositories, secrets in code are a security risk
## Use Environment Variables
- Store sensitive information in environment variables
- Access environment variables in code instead of hardcoding values
- For Next.js projects, use `.env.local` for local development
Example of correct usage:
```javascript
// Good practice
const apiKey = process.env.API_KEY;
```
Example of what to avoid:
```javascript
// BAD PRACTICE - Never do this!
const apiKey = "sk_live_51HCO...";
```
## Environment Files Management
- Use `.env` files for environment variables
- ALWAYS add `.env*` files to `.gitignore` (except `.env.example`)
- Provide a `.env.example` file with the structure but NO real values
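
The environment-variable and `.env.example` rules above, as an added example that is not part of the original gist: a startup loader that fails fast on missing secrets without printing values, and a check that a `.env.example` carries only placeholders. The names `loadSecrets`, `findRealValues`, `REQUIRED_SECRETS`, the variable names and the placeholder pattern are assumptions.

```javascript
// Added example; all names here are hypothetical, not from the gist.
const REQUIRED_SECRETS = ["API_KEY", "DATABASE_URL"];

// Read required secrets from an env object (process.env by default).
// Fails fast and names the missing variables, but never echoes a value.
function loadSecrets(env = process.env, required = REQUIRED_SECRETS) {
  const missing = required.filter(
    (name) => typeof env[name] !== "string" || env[name].trim() === ""
  );
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(", ")}`);
  }
  const secrets = {};
  for (const name of required) secrets[name] = env[name];
  return Object.freeze(secrets); // prevent accidental reassignment at runtime
}

// Values acceptable in a committed .env.example: empty or an obvious placeholder.
const PLACEHOLDER = /^(|<[^>]*>|changeme|your[-_a-z0-9]*|xxx+|example)$/i;

// Return the names of variables in .env.example text whose value does not
// look like a placeholder. Only names are returned, never the values.
function findRealValues(envExampleText) {
  const flagged = [];
  for (const rawLine of envExampleText.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue; // blank or comment
    const eq = line.indexOf("=");
    if (eq === -1) continue; // not a KEY=VALUE line
    const name = line.slice(0, eq).replace(/^export\s+/, "").trim();
    // Strip one pair of matching surrounding quotes, if present.
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    if (!PLACEHOLDER.test(value)) flagged.push(name);
  }
  return flagged;
}

// Constructed sample .env.example content (no real credentials).
const SAMPLE_ENV_EXAMPLE = [
  "# copy to .env.local and fill in",
  "API_KEY=",
  'DATABASE_URL="<postgres-connection-string>"',
  "SESSION_SECRET=constructed-sample-value-123",
].join("\n");
```

Run `findRealValues` over `.env.example` in CI or a pre-commit hook, and call `loadSecrets()` once at server startup so a misconfigured deployment stops before serving requests.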
## Secret Management Services
- Consider using secret management services for production
- Options include AWS Secrets Manager, Google Secret Manager, or Vercel Environment Variables
- These services provide secure storage and access control for secrets
## Client-Side Security
- Never expose sensitive API keys in client-side code
- Use server-side routes or serverless functions to make authenticated API calls
- Remember that anything in the browser can be viewed by users
## Credential Rotation
- Rotate credentials regularly
- Implement procedures for credential revocation and rotation
- Have a plan for handling compromised credentials