1. The edge is never a security boundary. Authenticate and authorize close to the data on every request; middleware, proxies, gateways, and UI gating are UX, and a direct caller can skip every one of them.
2. Validate at every trust boundary: parse, don't assume. Types vanish at runtime, so schema-validate every input at the point where it crosses a boundary, before anything uses it, and reject what does not parse instead of coercing it.
3. Secrets are server-side only. Inject secrets from the environment at runtime; keep them out of client bundles, shipped binaries, and version control, and treat anything ever committed as compromised: rotate it, even if the commit was later removed.
4. Fail closed. Default to deny, so an unhandled path, a thrown exception, or a missing policy entry refuses access rather than granting it.
5. Least privilege everywhere. Grant the narrowest keys, roles, tokens, scopes, and CI permissions that do the job; if something only works with an admin or bypass credential, the policy is wrong, so fix the policy instead of reaching for the credential.
6. Defense in depth. Protect anything that matters with two independent controls, such as app-layer authorization plus a row-level database policy, since any single control is one bug away from a breach.
7. Don't leak existence. Keep responses, status codes, and timing uniform on login, signup, and password-reset flows, so that no response reveals whether an account exists.
8. Never trust the client. Treat every form field, header, and hidden input as attacker-controlled and let the server decide; confirm identifiers like email or phone with an out-of-band code rather than believing the submitted value.
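Principles 2, 4 and 7 on one login path, as an added example (not the page's own code): the request is schema-validated at the boundary and rejected rather than coerced, the "no such user" branch does the same password-hashing work and returns the same message as the "wrong password" branch, and the authorization check defaults to deny on a missing rule, a missing field, or a crashing predicate. The user table, the policy table, the PBKDF2 parameters and the payloads are constructed for the demo.

```python
"""Principles 2, 4 and 7 on one login/authorize path.

Added illustration, not the page's own code. The user table, the policy
table, the PBKDF2 round count and the payloads are constructed for the demo.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # assumption: demo value; tune for production hardware


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: email -> (salt, pbkdf2 hash). Stands in for a DB row.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, hash_password("correct horse battery", _SALT))}

# A dummy credential computed once at start-up so the "no such user" path does
# exactly the same PBKDF2 work as the "wrong password" path (principle 7).
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, hash_password(os.urandom(16).hex(), _DUMMY_SALT))

GENERIC_FAILURE = "invalid email or password"  # one message for every failure


@dataclass(frozen=True)
class LoginRequest:
    email: str
    password: str


def parse_login_request(payload: object) -> LoginRequest:
    """Principle 2: schema-validate at the boundary; reject, never coerce."""
    if not isinstance(payload, dict):
        raise ValueError("body must be a JSON object")
    unknown = set(payload) - {"email", "password"}
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    email, password = payload.get("email"), payload.get("password")
    if not isinstance(email, str) or not (3 <= len(email) <= 254) or "@" not in email:
        raise ValueError("email: expected a string that looks like an address")
    if not isinstance(password, str) or not (8 <= len(password) <= 1024):
        raise ValueError("password: expected a string of 8..1024 characters")
    return LoginRequest(email=email.strip().lower(), password=password)


def verify_login(req: LoginRequest) -> tuple:
    """Principle 7: same work and same message whether or not the account exists."""
    exists = req.email in USERS
    salt, stored = USERS.get(req.email, _DUMMY)
    candidate = hash_password(req.password, salt)      # always runs, user or not
    matches = hmac.compare_digest(candidate, stored)   # constant-time comparison
    ok = exists and matches
    return ok, ("ok" if ok else GENERIC_FAILURE)


# Constructed policy: (role, action) -> predicate over (user, resource row).
# Anything not listed is denied, and the check runs against the row itself,
# next to the data rather than at the edge (principle 1).
POLICY = {
    ("owner", "read"): lambda user, row: row["owner_id"] == user["id"],
    ("owner", "delete"): lambda user, row: row["owner_id"] == user["id"],
    ("auditor", "read"): lambda user, row: True,
}


def authorize(user: dict, action: str, row: dict) -> bool:
    """Principle 4: default deny. No rule, a missing field or a crashing predicate all deny."""
    try:
        rule = POLICY.get((user.get("role"), action))
        return bool(rule is not None and rule(user, row))
    except Exception:
        return False
```

The dummy hash is the part most often forgotten: without it, an unknown email returns in microseconds while a known one takes a full PBKDF2 run, and the timing difference enumerates accounts even though the message is identical.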
architecture
9. Right tool for the right layer. Use each component for its own job: a cache is not a database, a rate-limiter is not authentication, a queue is not a log.
10. Smallest reversible change. Make the smallest change you can undo, and flag a sensitive guess with a TODO(opsec) or TODO(perf) marker instead of deciding silently.
11. Boilerplate is copied, not generated. Copy deterministic boilerplate for the routine 80% and reserve generation for the bespoke 20%.
12. Private by default. Return the minimum surface and the fewest fields the caller actually needs; exposure is added deliberately, never removed after the fact.
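Principle 12 as an added example (not the page's own code): responses are built through a per-audience allowlist of leaf fields instead of dumping the row, so a column added to the table tomorrow is private until someone lists it, an unknown audience gets nothing, and nested objects are projected the same way. The row, the audiences and their field lists are constructed for the demo.

```python
"""Principle 12 (private by default): serialize through a per-audience allowlist.

Added illustration, not the page's own code. The row, the audiences and
their field lists are constructed for the demo.
"""
import copy
from typing import Any

# Constructed allowlists of leaf paths (dotted for nested objects). An audience
# that is not listed, or a field that is not listed, gets nothing: exposure is
# opt-in, so a column added to the row later stays private by default.
FIELDS_BY_AUDIENCE = {
    "public": frozenset({"id", "display_name"}),
    "self": frozenset({"id", "display_name", "email", "created_at", "billing.city"}),
    "support": frozenset({"id", "display_name", "email", "created_at", "plan",
                          "billing.city", "billing.card_last4"}),
}

_MISSING = object()


def _lookup(node: Any, parts: list) -> Any:
    """Walk a dotted path through nested dicts; _MISSING if any step is absent."""
    for part in parts:
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def _assign(out: dict, parts: list, value: Any) -> None:
    for part in parts[:-1]:
        out = out.setdefault(part, {})
    out[parts[-1]] = copy.deepcopy(value)  # never hand out a reference into the row


def project(row: dict, audience: str) -> dict:
    """Return only the allowlisted fields for this audience. Fields missing from
    the row are skipped: the allowlist decides exposure, the row decides presence."""
    out: dict = {}
    for path in sorted(FIELDS_BY_AUDIENCE.get(audience, frozenset())):
        parts = path.split(".")
        value = _lookup(row, parts)
        if value is not _MISSING:
            _assign(out, parts, value)
    return out


# Constructed row, as it might come back from the database.
ROW = {
    "id": 42,
    "display_name": "alice",
    "email": "alice@example.com",
    "created_at": "2024-01-01T00:00:00Z",
    "plan": "pro",
    "password_hash": "$argon2id$v=19$demo",
    "mfa_secret": "JBSWY3DPEHPK3PXP",
    "billing": {"city": "Berlin", "card_last4": "4242", "card_token": "tok_demo"},
}
```

The contrast with a denylist is the point: a serializer that strips `password_hash` and `mfa_secret` leaks the next sensitive column as soon as it is added, while the allowlist above cannot.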
process-enforcement
13. A practice not gated by CI is a wish. Make machine-checkable rules fail the build and turn judgment calls into a PR checklist; nothing critical lives in prose alone.
14. Patch cadence is a control. Pin exact versions, track the upstream security feed, and virtual-patch at the edge (a gateway or WAF rule) as a stopgap between disclosure and deploy, never as a substitute for the real fix.
15. The spec is the source of truth. Adapt the spec rather than rewriting it, and question a baseline that looks wrong instead of silently regenerating it.
16. Observability before scale. You can't secure or fix what you can't see, so add structured logs first; log identifiers and outcomes, never secrets, tokens, or PII.
17. Standardization is also an attack surface. A template cloned many times yields many identical, fingerprintable targets, so harden the baseline: strip version banners, parameterize predictable admin and debug routes, and never bake in a placeholder secret that can ship unchanged.
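Principles 13, 14 and 17 as one added example (not the page's own code): a build gate that turns two of the rules above into machine checks, every dependency pinned with `==` and no secret-looking variable left at a template placeholder, and exits non-zero so the pipeline, not a reviewer, enforces them. The requirements and env contents are constructed; in CI they would be read from the repository, and the placeholder vocabulary is an assumption to be extended per project.

```python
"""Principles 13, 14 and 17: machine-checkable rules that fail the build.

Added illustration, not the page's own code. The file contents below are
constructed; in CI they would be read from the repo and the script's exit
status would gate the pipeline.
"""
import re
import sys

# Exact pin: name, optional extras, '==' and a concrete version (no '*', no ranges).
_PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]+\])?==[0-9][A-Za-z0-9.+!-]*$")

# Keys that look like secrets and values that commonly ship unchanged from a
# template (principle 17). Assumption: extend both lists for your own templates.
_SECRET_KEYS = re.compile(r"(?i)(secret|token|password|passwd|api[_-]?key|private[_-]?key)")
_PLACEHOLDER_VALUES = re.compile(
    r"(?i)^(changeme|change[_-]?me|placeholder|secret|password|todo|xxx+|your[_-].*[_-]here|<.*>)$"
)


def check_requirements(text: str, path: str = "requirements.txt") -> list:
    """One violation per requirement line that is not pinned to an exact version."""
    violations = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or a pip option such as -r
            continue
        # Drop environment markers, hashes and line continuations before matching.
        spec = re.sub(r"\s+", "", line.split(";", 1)[0].split(" --hash", 1)[0].rstrip("\\"))
        if not _PINNED.match(spec):
            violations.append(f"{path}:{lineno}: '{line}' is not pinned with ==")
    return violations


def check_env_placeholders(text: str, path: str = ".env") -> list:
    """One violation per secret-looking key whose value is empty or a template placeholder."""
    violations = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        value = value.strip("'\"")
        if _SECRET_KEYS.search(key) and (not value or _PLACEHOLDER_VALUES.match(value)):
            violations.append(f"{path}:{lineno}: {key} still has a placeholder value")
    return violations


def gate(requirements: str, env: str) -> list:
    return check_requirements(requirements) + check_env_placeholders(env)


# Constructed inputs for the demo.
SAMPLE_REQUIREMENTS = """\
# constructed
requests==2.31.0
cryptography>=41.0
pyjwt[crypto]==2.8.0 ; python_version >= "3.8"
flask~=3.0
"""
SAMPLE_ENV = """\
# constructed
DATABASE_URL=postgres://app@db/app
SECRET_KEY=changeme
STRIPE_API_KEY=
LOG_LEVEL=info
"""

if __name__ == "__main__":
    # In CI: gate(open("requirements.txt").read(), open(".env.production").read())
    problems = gate(SAMPLE_REQUIREMENTS, SAMPLE_ENV)
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)  # principle 13: the build fails, not a reviewer's mood
```

Run against the constructed inputs it reports four problems (two unpinned packages, two placeholder secrets) and exits 1; a VCS URL or local path dependency is also flagged, which is the conservative side to err on.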
air-gap-operations
18. Air-gap the tiers. Keep frontend and backend as separate repos, deploys, and credentials whose only contract is a versioned HTTP API and a bearer token; no shared code, and no database client on the frontend.
19. Every privileged domain gets its own adversarial review pass. Review each privileged domain (auth, payments, RLS, service keys, env vars) in isolation, by a reviewer whose only posture is suspicion, never in one 'looks good' sweep.
20. Security audits are scheduled and unattended. A pipeline runs the full security audit on a fixed, configurable cadence with no human trigger, and additionally on every auth, route, table, or dependency change.
21. Admin identity is fully separate from user identity. Give admins their own identity pool with stricter MFA, shorter token TTL, and narrower scopes; they never share an auth config with users.
22. Ship the failure modes, not just the happy path. Every feature ships with its inversion documented: how it breaks, how to reproduce the break, and why this design over the alternative; undocumented means unfinished.
23. You must be able to rebuild from zero. Keep restores, exports, bootstrap scripts, and secret rotation tested and completable in under 30 minutes; an untested backup is not a backup and an unrun runbook is fiction.
24. One house style, enforced by the formatter. Encode naming, casing, import order, and type conventions in the formatter and linter config so the build enforces one house style and no one argues about it in review.
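Principle 21, with the bearer-token contract from principle 18, as an added example (not the page's own code): two identity pools with their own signing keys, so a token minted for users cannot verify on an admin route even if its scopes were forged, and the admin pool enforces mandatory MFA, a 15-minute TTL and a narrower scope set at issue time. The pool settings, keys and subjects are constructed; the HMAC token format is a stand-in for the JWT library a real deployment would use, and the keys would come from the environment (principle 3) rather than `os.urandom` at import.

```python
"""Principle 21 (and the bearer-token contract of principle 18): two identity pools.

Added illustration, not the page's own code. Pool settings, signing keys and
subjects are constructed for the demo; the token format is a minimal HMAC
stand-in for a real JWT library.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pool:
    name: str
    key: bytes              # separate key per pool: a user token can never verify as admin
    ttl_seconds: int
    require_mfa: bool
    allowed_scopes: frozenset


# Constructed settings: admins get a shorter TTL, mandatory MFA and a narrower scope set.
POOLS = {
    "user": Pool("user", os.urandom(32), 24 * 3600, False,
                 frozenset({"profile:read", "profile:write", "orders:read"})),
    "admin": Pool("admin", os.urandom(32), 15 * 60, True,
                  frozenset({"users:read", "users:suspend"})),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(pool_name: str, subject: str, scopes: set, mfa_passed: bool,
          now: Optional[float] = None) -> str:
    """Mint a bearer token for one pool; refuses scopes outside the pool and admins without MFA."""
    pool = POOLS[pool_name]
    if pool.require_mfa and not mfa_passed:
        raise PermissionError("MFA is mandatory in this pool")
    if not scopes <= pool.allowed_scopes:
        raise PermissionError(f"scopes outside pool: {sorted(scopes - pool.allowed_scopes)}")
    now = time.time() if now is None else now
    claims = {"pool": pool.name, "sub": subject, "scp": sorted(scopes),
              "iat": int(now), "exp": int(now) + pool.ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(pool.key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify(token: str, expected_pool: str, required_scope: str,
           now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the token is signed by the expected pool's key, is
    unexpired and carries the scope. Any defect, including a well-formed token from
    the other pool, yields None (fail closed)."""
    try:
        body, sig = token.split(".")
        pool = POOLS[expected_pool]
        expected = _b64(hmac.new(pool.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(_unb64(body))
        now = time.time() if now is None else now
        if claims.get("pool") != expected_pool or claims["exp"] <= now:
            return None
        if required_scope not in claims.get("scp", []):
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None
```

The route handler decides which pool it accepts (`verify(token, "admin", "users:suspend")` on an admin endpoint), so the separation holds even when both tiers speak the same versioned API.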