Security

Use OAuth 2.0 / OpenID Connect with PKCE for all public clients. The Implicit flow is

**Server-side authorization is the only real authorization.** Client-side checks (hiding

Prevent XSS and injection with a strict CSP. Web apps only.

Cross-Origin Resource Sharing — get it right or don't enable it.

Your dependencies are your attack surface. Manage them actively.

**Never trust client input.** Client-side validation is a UX feature, not a security control.

Collect only what is needed. Prefer on-device processing.

1. [OWASP Top 10 (2021)](https://owasp.org/www-project-top-ten/)

Tokens, credentials, and any sensitive data MUST use platform secure storage. Never store secrets in plaintext config...

Every web application should set these response headers:

Minimize what you collect, encrypt what you keep, never log what you shouldn't.

Short-lived (5-15 min). Include only necessary claims — no PII in JWTs

**TLS 1.2 minimum**, prefer TLS 1.3. Disable TLS 1.0 and 1.1 entirely.