# Security Guidelines

## Common Vulnerabilities

### SQL Injection

- Always use parameterized queries (bound parameters), including for values inside `IN (...)` and `LIKE` clauses
- Never concatenate or string-format user input into SQL text; identifiers such as table and column names cannot be bound, so allow-list them instead
- Use ORM frameworks when possible, and avoid their raw-SQL escape hatches

### XSS (Cross-Site Scripting)

- Validate user input, but treat output encoding as the primary defence: the same value needs different escaping in HTML text, HTML attribute, JavaScript and URL contexts
- Escape output in HTML contexts, preferably through the template engine's auto-escaping rather than hand-rolled escaping
- Set a Content Security Policy header that disallows inline scripts and restricts script sources

### Authentication

- Hash passwords with bcrypt or Argon2 (salted, with a tunable work factor); never store them reversibly or as a plain fast hash
- Implement rate limiting on auth endpoints, keyed by both the client and the target account
- Use secure session management: random, server-generated session identifiers in `HttpOnly`, `Secure`, `SameSite` cookies, rotated on login
- Enable multi-factor authentication

### API Security

- Validate all input data against a schema (type, length, range) and reject malformed input rather than trying to fix it
- Use HTTPS for all communications and refuse or redirect plain HTTP
- Implement proper CORS policies: an explicit allow-list of origins, never reflecting the request `Origin` header together with credentials
- Rate limit API endpoints per client or per API key

### Sensitive Data

- Never log passwords or tokens; redact them before a log line is written
- Use environment variables (or a secrets manager) for secrets instead of hardcoding them in source or in configuration checked into version control
- Encrypt sensitive data at rest
- Implement proper access controls (default deny, least privilege)

## Security Tools

- **Bandit**: Python security linter
- **Safety**: Check Python dependencies for known vulnerabilities
- **OWASP ZAP**: Web application security scanner (dynamic testing)
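The SQL injection guidance above, shown side by side as an added example (not code from the original page): a concatenated query that an attacker can widen to return every row, the parameterized version that treats the same input as an inert string, and an allow-list for an `ORDER BY` column, since identifiers cannot be bound as parameters. The `users` table and its rows are constructed sample data; SQLite's built-in driver stands in for whatever database the page's readers use.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
USERS = [
    ("alice", "alice@example.com", 0),
    ("bob", "bob@example.com", 1),
]

# Identifiers cannot be passed as bound parameters, so sort columns are
# checked against an explicit allow-list before being interpolated.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db():
    """Create an in-memory SQLite database with the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the user-supplied value becomes part of the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Safe: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def list_users_sorted(conn, order_by):
    """Safe use of a dynamic identifier: allow-list it, then interpolate."""
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % order_by)
    # Safe only because order_by was checked against ALLOWED_SORT_COLUMNS above.
    return conn.execute(
        "SELECT name, email FROM users ORDER BY " + order_by
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))  # every row leaks
    print("safe:      ", lookup_safe(conn, payload))        # no row matches
```

The classic `' OR '1'='1` input turns the concatenated query into `WHERE name = '' OR '1'='1'`, which is true for every row; with parameter binding the database looks for a user literally named `' OR '1'='1` and finds nothing.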
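Context-aware output encoding and a restrictive Content Security Policy, as an added example for the XSS section (not code from the original page). The comment, username and header values are constructed; the CSP shown is one reasonable baseline, not a policy the page prescribes.

```python
import html
from urllib.parse import quote


def render_comment(author, body):
    """HTML text context: html.escape turns < > & " ' into entities."""
    return "<p><b>{}</b>: {}</p>".format(html.escape(author), html.escape(body))


def render_profile_link(username):
    """Attribute + URL context: percent-encode the path segment and keep the
    attribute quoted, then escape the visible text separately."""
    # quote(..., safe="") also encodes "/" so a username cannot add path segments.
    href = "/users/" + quote(username, safe="")
    return '<a href="{}">{}</a>'.format(href, html.escape(username))


# A baseline policy: scripts only from this origin, no inline scripts, no
# plugins, no <base> hijacking, and the page cannot be framed.
CONTENT_SECURITY_POLICY = "; ".join([
    "default-src 'self'",
    "script-src 'self'",
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
])


def security_headers():
    """Response headers to send with every HTML page."""
    return {
        "Content-Security-Policy": CONTENT_SECURITY_POLICY,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed attacker-controlled inputs.
    print(render_comment("mallory", "<script>alert(1)</script>"))
    print(render_profile_link('" onmouseover="alert(1)'))
    print(security_headers())
```

Escaping only handles the HTML text and quoted-attribute contexts shown here; untrusted data placed directly inside a `<script>` block, an event-handler attribute or a `javascript:` URL needs a different encoding or, better, should not be placed there at all. The CSP is the second layer: even if an escaping bug slips through, `script-src 'self'` without `'unsafe-inline'` stops the injected inline script from executing.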
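One block covering two bullets, "rate limiting on auth endpoints" and "rate limit API endpoints", plus password hashing, as an added example that is not code from the original page. The sliding-window limiter is keyed so that a login attempt is charged both to the client address and to the target account. The page recommends bcrypt or Argon2, which are third-party packages; this example swaps in `hashlib.scrypt` from the standard library as the memory-hard KDF so it runs without dependencies. The limits, window lengths and scrypt parameters are illustrative choices.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds.
    Works for any endpoint; the key can be an IP, API key or account name."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable for deterministic tests
        self._events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginThrottle:
    """Two limiters: per source IP (one host spraying many accounts) and
    per target account (many hosts hammering one account)."""

    def __init__(self, clock=time.monotonic):
        self.by_ip = SlidingWindowLimiter(limit=20, window=60, clock=clock)
        self.by_user = SlidingWindowLimiter(limit=5, window=300, clock=clock)

    def allow(self, ip, username):
        # Evaluate both so each key is charged for the attempt; require both.
        ip_ok = self.by_ip.allow(ip)
        user_ok = self.by_user.allow(username.lower())
        return ip_ok and user_ok


# scrypt cost parameters (illustrative): N=2^14, r=8, p=1 uses about 16 MiB.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password):
    """Return a self-describing string: scheme$N$r$p$salt_hex$digest_hex."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt${}${}${}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                         salt.hex(), digest.hex())


def verify_password(stored, password):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(digest_hex) // 2)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for attempt in range(7):
        print("attempt", attempt + 1, "allowed:", throttle.allow("10.0.0.1", "alice"))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))
```

Storing the cost parameters alongside the salt and digest lets you raise the work factor later and re-hash on the next successful login without a migration; `hmac.compare_digest` avoids leaking how many leading bytes of the digest matched through timing.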
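The two first bullets of the Sensitive Data section, as an added example (not code from the original page): a `logging` filter that redacts passwords and bearer tokens before a record reaches any handler, and a secret loader that reads from the environment and refuses to fall back to a hardcoded default. The log messages and the `EXAMPLE_API_TOKEN` variable name are constructed for the demonstration; the regexes are a starting point, not an exhaustive list of secret formats.

```python
import logging
import os
import re

# Patterns whose first group is the label to keep and whose remainder is the
# secret to drop. Extend for the token formats your own services emit.
SECRET_PATTERNS = [
    re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"),
    re.compile(r"(?i)((?:password|passwd|pwd|token|secret|api[_-]?key)\s*[=:]\s*)\S+"),
]


def redact(text):
    """Replace the secret part of each match with a fixed marker."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Render the message once, redact it, and clear args so handlers cannot
    re-insert the original values during formatting."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collect formatted lines in a list (stand-in for a file or syslog)."""

    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def emit(self, record):
        self.sink.append(self.format(record))


def capture_redacted(messages):
    """Log each (fmt, args) pair through the filter; return the output lines.
    A fresh, unregistered Logger keeps the demo independent of global config."""
    lines = []
    logger = logging.Logger("redaction-demo", level=logging.INFO)
    logger.addFilter(RedactingFilter())
    handler = ListHandler(lines)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    for fmt, args in messages:
        logger.info(fmt, *args)
    return lines


def load_secret(name, env=os.environ):
    """Read a secret from the environment; a missing value is a hard error,
    never a silently used default baked into the source."""
    value = env.get(name)
    if not value:
        raise RuntimeError("%s is not set; refusing to start without it" % name)
    return value


if __name__ == "__main__":
    # Constructed log events, including an attempt that leaks a password.
    for line in capture_redacted([
        ("login failed user=%s password=%s", ("bob", "hunter2")),
        ("upstream call Authorization: Bearer %s", ("eyJhbGciOi.payload.sig",)),
        ("GET /health 200", ()),
    ]):
        print(line)
    print(load_secret("EXAMPLE_API_TOKEN", env={"EXAMPLE_API_TOKEN": "t0k3n"}))
```

Attaching the filter to the logger (or to every handler) means a developer who later adds a new log statement cannot bypass it; the `env` parameter on `load_secret` exists only so the behaviour is testable without touching the real process environment.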