- Validate input at the boundary layer (form + API client).
- Escape any output that is rendered dynamically.
- Never trust raw payloads from external APIs.
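Worked example for the three points above (added here; not code from the checklist's project). It validates a form payload at the boundary, escapes dynamic output before rendering, and treats an external API response as untrusted input. Field names, limits and the regexes are assumptions chosen for the example.

```javascript
// Added example: boundary validation, output escaping, untrusted external payloads.
// Field names, limits and formats are hypothetical.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

const MAX_NAME = 64;
const MAX_MESSAGE = 2000;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate a form submission at the boundary: allowlist fields, check types,
// lengths and formats, and return a normalized value or the list of bad fields.
function validateContactForm(input) {
  const errors = [];
  const src = input && typeof input === "object" ? input : {};
  const name = typeof src.name === "string" ? src.name.trim() : "";
  const email = typeof src.email === "string" ? src.email.trim() : "";
  const message = typeof src.message === "string" ? src.message.trim() : "";
  if (name.length === 0 || name.length > MAX_NAME) errors.push("name");
  if (!EMAIL_RE.test(email) || email.length > 254) errors.push("email");
  if (message.length === 0 || message.length > MAX_MESSAGE) errors.push("message");
  // Unknown keys are dropped, never passed through to the next layer.
  return errors.length ? { ok: false, errors } : { ok: true, value: { name, email, message } };
}

// A response body from an external API is input like any other: parse it,
// check its shape and formats, and reject anything unexpected.
function parseExternalProfile(rawBody) {
  let data;
  try { data = JSON.parse(rawBody); } catch { throw new Error("external payload: invalid JSON"); }
  if (!data || typeof data !== "object" || Array.isArray(data)) throw new Error("external payload: not an object");
  if (typeof data.id !== "string" || !/^[A-Za-z0-9_-]{1,40}$/.test(data.id)) throw new Error("external payload: bad id");
  if (typeof data.displayName !== "string" || data.displayName.length > MAX_NAME) throw new Error("external payload: bad displayName");
  return { id: data.id, displayName: data.displayName };
}

// Render with every dynamic value escaped for the context it lands in.
function renderProfileCard(profile) {
  return `<div class="card" data-id="${escapeHtml(profile.id)}">${escapeHtml(profile.displayName)}</div>`;
}
```

The validator returns a fresh object built only from known fields, so callers cannot accidentally forward extra keys, and the external parser throws rather than coercing, so a schema change upstream fails loudly instead of silently producing a malformed record.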
Auth / Session
- Use a consistent cookie/session policy.
- Separate guest routes from protected routes.
- Enforce auth checks at the server/component boundary.
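Worked example for the Auth / Session items (added here; not the checklist project's own code). It keeps cookie attributes in one function so every login path sets the same flags, makes guest routes an explicit allowlist with everything else protected by default, and runs the check at the server boundary before any handler or component code. The route list, cookie name and the `sessions` store are hypothetical; no framework is assumed.

```javascript
// Added example: one session cookie policy plus a server-side route guard.
// Cookie name, route table and session store are hypothetical.

const SESSION_COOKIE = "sid";

// Single place that decides cookie attributes for the session cookie.
function sessionCookieHeader(sessionId, { secure = true, maxAgeSeconds = 8 * 3600 } = {}) {
  const parts = [
    `${SESSION_COOKIE}=${encodeURIComponent(sessionId)}`,
    "Path=/", "HttpOnly", "SameSite=Lax", `Max-Age=${maxAgeSeconds}`,
  ];
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Guest routes are an explicit allowlist; anything not listed is protected.
const GUEST_ROUTES = new Set(["/", "/login", "/signup", "/healthz"]);
function isGuestRoute(pathname) {
  return GUEST_ROUTES.has(pathname) || pathname.startsWith("/public/");
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const pair of (header || "").split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    out[pair.slice(0, idx).trim()] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return out;
}

// Runs for every request at the server boundary. `sessions` maps a session id
// to { userId, expiresAt } (hypothetical store); `now` is injectable for tests.
function guard(request, sessions, now = Date.now()) {
  const url = new URL(request.url, "http://localhost");
  if (isGuestRoute(url.pathname)) return { allow: true, user: null };
  const sid = parseCookies(request.headers.cookie)[SESSION_COOKIE];
  const session = sid ? sessions.get(sid) : undefined;
  if (!session || session.expiresAt <= now) {
    return { allow: false, status: 302, location: `/login?next=${encodeURIComponent(url.pathname)}` };
  }
  return { allow: true, user: session.userId };
}
```

Because the protected set is "everything not on the guest list", adding a new page without updating the route table fails closed rather than open.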
Secrets & Config
- Secrets must be managed via env/secret manager.
- Hardcoding tokens/API keys is prohibited.
- Keep a separate env per environment (dev/staging/prod).
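Worked example for the Secrets & Config items (added here; not code from the checklist's project). Configuration is read only from the environment, validated once at startup so a missing secret fails the process instead of surfacing at first use, required secrets differ per environment, and a redacted view exists for logging. The variable names and the schema are assumptions for the example.

```javascript
// Added example: env-only config, validated at startup, with a redacted view.
// Variable names and the schema below are hypothetical.

const ENVIRONMENTS = new Set(["development", "staging", "production"]);

// Declare each setting once: whether it is secret, whether it is required
// (everywhere, or only in the listed environments), and any non-secret default.
const SCHEMA = {
  APP_ENV:         { secret: false, required: true },
  DATABASE_URL:    { secret: true,  required: true },
  PAYMENT_API_KEY: { secret: true,  required: ["staging", "production"] },
  LOG_LEVEL:       { secret: false, required: false, default: "info" },
};

// `env` is normally process.env; passing it in keeps the loader testable.
function loadConfig(env) {
  const appEnv = env.APP_ENV;
  if (!ENVIRONMENTS.has(appEnv)) throw new Error(`APP_ENV must be one of ${[...ENVIRONMENTS].join(", ")}`);
  const config = {};
  const missing = [];
  for (const [key, spec] of Object.entries(SCHEMA)) {
    const value = env[key];
    const needed = spec.required === true || (Array.isArray(spec.required) && spec.required.includes(appEnv));
    if (value === undefined || value === "") {
      if (needed) missing.push(key);
      else if (spec.default !== undefined) config[key] = spec.default;
      continue;
    }
    config[key] = value;
  }
  if (missing.length) throw new Error(`missing required config: ${missing.join(", ")}`);
  return config;
}

// Never log the raw config object; mask every value the schema marks secret.
function redacted(config) {
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    out[key] = SCHEMA[key] && SCHEMA[key].secret ? "***" : value;
  }
  return out;
}
```

Defaults are only allowed for non-secret settings, so a secret can never quietly fall back to a value baked into the source tree.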
Dependency Hygiene
- Run dependency audits on a regular schedule.
- Patch high/critical CVEs as soon as possible.
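Worked example for the Dependency Hygiene items (added here; not the checklist project's own tooling): a CI gate that reads an audit report and fails the build on any high or critical finding while still listing everything else. The report below is constructed, and its shape (a `vulnerabilities` map keyed by package name with a `severity` field) is assumed to match what `npm audit --json` emits; adjust the reader if your audit tool differs.

```javascript
// Added example: a CI gate over a dependency audit report.
// SAMPLE_REPORT is constructed; the assumed shape follows the `vulnerabilities`
// map of `npm audit --json`. Package names are placeholders.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Findings at or above a severity, worst first, then by name for stable output.
function findingsAtOrAbove(report, minSeverity) {
  const min = SEVERITY_RANK[minSeverity];
  const vulns = (report && report.vulnerabilities) || {};
  return Object.values(vulns)
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .map((v) => ({ name: v.name, severity: v.severity, fixAvailable: Boolean(v.fixAvailable) }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
}

// Policy from the checklist: high/critical blocks the build; lower severities are reported only.
function auditGate(report) {
  const blocking = findingsAtOrAbove(report, "high");
  return { pass: blocking.length === 0, blocking, reported: findingsAtOrAbove(report, "info") };
}

// Constructed sample report.
const SAMPLE_REPORT = {
  vulnerabilities: {
    "example-a": { name: "example-a", severity: "low", fixAvailable: true },
    "example-b": { name: "example-b", severity: "critical", fixAvailable: true },
    "example-c": { name: "example-c", severity: "high", fixAvailable: false },
  },
};

// Usage in a pipeline step: exit non-zero when the gate fails.
function main() {
  const result = auditGate(SAMPLE_REPORT);
  for (const f of result.reported) console.log(`${f.severity}\t${f.name}\tfix available: ${f.fixAvailable}`);
  if (!result.pass) {
    console.error(`blocking findings: ${result.blocking.map((f) => f.name).join(", ")}`);
    process.exitCode = 1;
  }
}
```

Running the gate on a schedule as well as on every pull request covers the case where a new advisory is published against a dependency that has not changed.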