# Security Guide

Karthik edited this page Mar 1, 2026 · 1 revision
## Secrets and credentials

- Never commit secrets, credentials, or private keys. Git history keeps them even after the file is deleted, so a committed secret must be treated as leaked.
- Commit environment templates (for example a `.env.example` with placeholder values) and load the real values from a secret manager at runtime.
- Rotate API keys and tokens on a schedule, and scope each one to the minimum permissions and resources it needs.
- Follow least-privilege IAM with role separation: one role per workload, no shared admin credentials.
## Authentication and authorization

- Authentication is Cognito-backed.
- Authorization checks are driven by group/role membership taken from the verified token, never from a role or flag supplied by the client.
- Every privileged operation is validated server-side; client-side checks are for user experience only and must not be relied on.
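The three items above describe one control: the server takes the group membership from a verified Cognito token and decides the privileged action itself. The following is an added example, not the project's own code. It assumes the token signature has already been verified against the user pool's JWKS by a JWT library (for example PyJWT with its cryptography backend); what it shows is the claim validation Cognito documents for its tokens (`iss`, `token_use`, `aud` for ID tokens, `client_id` for access tokens, `exp`) and a group check on `cognito:groups` in front of an admin-only action. The issuer URL, app client ID and user store are placeholder values for the example.

```python
"""Group-driven authorization on verified Cognito claims (added example, not project code).

Assumes the JWT signature has already been verified against the user pool JWKS
by a JWT library; this module validates the remaining claims and enforces group
membership on the server, so a client cannot escalate by sending its own "role".
"""
import time

# Placeholder configuration for the example; a real app reads these from config.
USER_POOL_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789"

# Constructed in-memory user store so the privileged action does real work.
USERS = {"alice": {"email": "alice@example.com"}, "bob": {"email": "bob@example.com"}}


def validate_claims(claims, *, now=None, iss=USER_POOL_ISS, client_id=APP_CLIENT_ID):
    """Return (ok, reason) after checking the claims Cognito puts in its tokens.

    ID tokens carry the app client ID in `aud`; access tokens carry it in
    `client_id`. Both carry `iss`, `token_use` and `exp`.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != iss:
        return False, "issuer mismatch"
    token_use = claims.get("token_use")
    if token_use == "id":
        if claims.get("aud") != client_id:
            return False, "audience mismatch"
    elif token_use == "access":
        if claims.get("client_id") != client_id:
            return False, "client_id mismatch"
    else:
        return False, "unexpected token_use"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    return True, "ok"


def authorize(claims, required_group, *, now=None):
    """Decide a privileged request from the verified claims alone.

    Only `cognito:groups` is consulted; any other client-controlled field
    (e.g. a `role` key in the request body) is ignored by construction.
    """
    ok, reason = validate_claims(claims, now=now)
    if not ok:
        return False, reason
    groups = claims.get("cognito:groups") or []
    if required_group not in groups:
        return False, f"user is not in group {required_group!r}"
    return True, "ok"


def delete_user(actor_claims, target_username, *, now=None):
    """Admin-only action: the group check runs here, on the server, every time."""
    allowed, reason = authorize(actor_claims, "admins", now=now)
    if not allowed:
        return {"status": 403, "error": reason}
    if USERS.pop(target_username, None) is None:
        return {"status": 404, "error": "no such user"}
    return {"status": 200, "deleted": target_username, "actor": actor_claims.get("sub")}


if __name__ == "__main__":
    # Constructed sample claims, shaped like a verified Cognito ID token.
    admin = {"iss": USER_POOL_ISS, "aud": APP_CLIENT_ID, "token_use": "id",
             "exp": time.time() + 3600, "sub": "admin-sub", "cognito:groups": ["admins"]}
    print(delete_user(admin, "alice"))
```

Note the two shapes of claims: a route that accepts both ID and access tokens has to check the matching audience claim for each, and a token that is neither is rejected rather than treated as one of them.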
## Secure coding

- Validate all external inputs (request bodies, query parameters, headers, webhook payloads) on the server before using them.
- Log security-relevant events (sign-ins, failed authentication, permission changes, admin actions) with context: who, what, when, from where, and the outcome. Never log the secret or token value itself.
- Review dependency and configuration drift regularly: lockfile changes, new transitive packages, and infrastructure or IAM changes that were not made through review.
## Before every push

- Run secret scanning on the staged changes before pushing.
- Validate CORS allowed origins, auth headers, and token handling on every route that changed.
- Audit sensitive routes and admin-only actions to confirm each one performs its own server-side authorization check.
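The secret-scanning step above is usually a pre-push hook over `git diff --cached`. Below is an added example of such a scan, not the project's own tooling: it walks a unified diff, looks only at added lines, flags the well-known credential shapes (AWS access key IDs, PEM private key headers, GitHub token prefixes, and `password=`/`secret=`/`token=` style assignments), and ignores placeholder values such as `${VAR}`, `changeme`, or an `os.environ[...]` lookup so that environment templates do not trip it. The sample diff is constructed for the example; the `git diff --cached` call at the bottom is the intended hook usage and is only run when the file is executed directly.

```python
"""Pre-push secret scan over a unified diff (added example, not the project's tooling)."""
import re
import subprocess
import sys

# Credential shapes worth failing a push on. Patterns with a capture group
# report the captured value; the others report the whole match.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)[a-z0-9_]*\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}

# Values that are clearly placeholders or runtime lookups, not secrets.
PLACEHOLDER = re.compile(
    r"(?i)^(?:<[^>]+>|\$\{[^}]+\}|changeme|your[-_].*|x{8,}|\.\.\."
    r"|os\.environ.*|process\.env.*|getenv.*|secretsmanager.*)$"
)

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")


def scan_diff(diff_text):
    """Return [(file, new_line_no, kind, value)] for secrets on added lines."""
    findings = []
    current_file = None
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            line_no = int(m.group(1))  # first line number of the new side
            continue
        if raw.startswith("-"):
            continue  # removed lines cannot add a secret
        if raw.startswith("+"):
            added = raw[1:]
            if current_file is not None:
                for kind, pat in PATTERNS.items():
                    mm = pat.search(added)
                    if not mm:
                        continue
                    value = mm.group(1) if mm.groups() else mm.group(0)
                    if kind == "generic_assignment" and PLACEHOLDER.match(value):
                        continue
                    findings.append((current_file, line_no, kind, value))
            line_no += 1
        elif not raw.startswith("\\"):
            line_no += 1  # context line ("\ No newline at end of file" has no number)
    return findings


# Constructed sample diff: two real secrets, one private key, and three placeholders.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+API_TOKEN = os.environ["API_TOKEN"]
 DEBUG = False
diff --git a/.env.example b/.env.example
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,2 @@
+DB_PASSWORD=changeme
+SECRET_KEY=${SECRET_KEY}
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- a/deploy/id_rsa
+++ b/deploy/id_rsa
@@ -0,0 +1,1 @@
+-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Hook usage: scan the staged diff and block the push on any finding.
    diff = subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True).stdout
    hits = scan_diff(diff or SAMPLE_DIFF)
    for path, n, kind, value in hits:
        print(f"{path}:{n}: {kind}: {value[:12]}...")
    sys.exit(1 if hits else 0)
```

The scan reports only the first few characters of each value so that the hook's own output does not become another place the secret is written down. A pattern-based scan catches the common shapes; it does not replace a dedicated scanner's entropy checks, so treat a clean run as necessary rather than sufficient.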
## If a credential leaks

- Revoke the leaked credential immediately, before investigating how far it spread.
- Rotate every affected key and invalidate active sessions issued with it.
- Document the impact, the timeline, and the remediation actions taken.
Last updated: 2026-03-01