Security Checklist
Overview
Use this checklist to reduce obvious frontend and integration security mistakes.
Why It Matters
Security bugs can expose data, sessions, or trust even when the product otherwise works.
Core Concepts
- Do not expose secrets.
- Validate untrusted data.
- Review auth and redirect flows carefully.
Mental Models
Assume anything the browser sees can be inspected or tampered with.
Best Practices
- Keep sensitive logic server-side where possible.
- Sanitize user content.
- Review dependencies and third-party scripts.
Common Mistakes
- Shipping secrets to the client.
- Relying on client checks for protection.
- Ignoring XSS and open redirect risks.
Trade-offs
More security controls can slow development a bit, but they prevent far more expensive mistakes.
Decision Framework
| Risk | Check |
|---|---|
| Secret exposure | Client bundle review |
| Unsafe input | Validation and sanitization |
| Auth flow | Session and redirect behavior |
Examples
- Validate redirect destinations before navigation.
Checklists
- Are secrets excluded from the client?
- Is untrusted input sanitized?
- Are auth and redirect flows reviewed?
Senior Engineer Notes
Senior engineers assume a hostile or curious client environment and design accordingly.