# Security Basics

Baseline security discipline that removes the most commonly exploited attack surface before anyone gets to exploit it.

## Rules

1. **Input validation at the boundary.** Parse, validate, and sanitize every input at the entry point: not in the handler, not in the service, at the boundary. Reject anything that is not the expected type, length, and shape, including fields you did not ask for. Everything past the boundary is trusted to be well-formed, but it is still data: queries stay parameterized and output stays encoded at the sink, because the boundary cannot know which sink a value will eventually reach.

2. **Secrets in environment variables, never in code.** API keys, database passwords, signing secrets: if one has ever been committed to source control, treat it as compromised and rotate it, because deleting the commit does not remove it from history or from every clone. Load secrets from environment variables or a secret manager only, and fail at startup when one is missing rather than falling back to a default.

3. **Principle of least privilege.** Database users get the minimum permissions needed: the application account reads and writes its own tables and cannot create, drop, or grant. API tokens get the minimum scopes needed. Service accounts get the minimum access needed. If it's not needed, it's not granted, so a compromised component can only do what that component was already allowed to do.

4. **HTTPS everywhere.** No exceptions. No mixed content. No "just for development." Redirect plain HTTP to HTTPS and send a Strict-Transport-Security header so browsers stop attempting plain HTTP at all. This includes service-to-service traffic inside the network and the connection to the database. The network is hostile. Act like it.

5. **Rate limit by default.** Every public endpoint gets rate limiting, keyed on something the client cannot trivially change (the authenticated account first, the source address second), with tighter limits on login, password reset, and anything that sends mail or costs money. No "we'll add it later." Later never comes until you're already being abused.

6. **Log auth events, never secrets.** Login, logout, failed attempts, permission changes: record who, from where, when, and the outcome. Don't log request bodies, passwords, tokens, or session cookies, and make the logging call refuse such fields rather than relying on every caller to remember. Logs are read by everyone with log access, shipped to third-party tooling, and retained for years; treat them as public.
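A worked version of rule 1 in Python, added here as an example rather than code from the page: a hypothetical "create user" endpoint whose body is parsed and validated once at the boundary, after which only the typed `CreateUser` value reaches the database, and the insert still uses a parameterized query. The field names, the username allowlist, the role set and the sqlite schema are all constructed for the example.

```python
import re
import sqlite3
from dataclasses import dataclass

# Constructed schema for a hypothetical "create user" endpoint (not from the page).
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")  # allowlist, never a denylist
MAX_DISPLAY_NAME = 64
ALLOWED_ROLES = frozenset({"viewer", "editor"})      # "admin" is deliberately not assignable here


@dataclass(frozen=True)
class CreateUser:
    """A parsed, validated request. Only this type crosses the boundary."""
    username: str
    display_name: str
    role: str


class ValidationError(ValueError):
    pass


def parse_create_user(raw: object) -> CreateUser:
    """Boundary parser: reject anything that is not exactly the expected shape."""
    if not isinstance(raw, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(raw) - {"username", "display_name", "role"}
    if unknown:  # extra fields are a classic mass-assignment vector
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    username = raw.get("username")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must match [a-z][a-z0-9_]{2,31}")
    display_name = raw.get("display_name", "")
    if not isinstance(display_name, str) or len(display_name) > MAX_DISPLAY_NAME:
        raise ValidationError("display_name missing or too long")
    if any(ord(c) < 0x20 or c == "\x7f" for c in display_name):
        raise ValidationError("display_name contains control characters")
    role = raw.get("role", "viewer")
    if not isinstance(role, str) or role not in ALLOWED_ROLES:
        raise ValidationError("role not allowed")
    return CreateUser(username, display_name, role)


def new_db() -> sqlite3.Connection:
    """In-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
        " display_name TEXT, role TEXT)"
    )
    return conn


def create_user(conn: sqlite3.Connection, req: CreateUser) -> int:
    """Sink: the value is trusted to be well-formed, and the query is still parameterized."""
    cur = conn.execute(
        "INSERT INTO users (username, display_name, role) VALUES (?, ?, ?)",
        (req.username, req.display_name, req.role),
    )
    return cur.lastrowid


def handle(conn: sqlite3.Connection, raw: object) -> tuple:
    """HTTP-style handler returning (status, body). Validation happens here, once."""
    try:
        req = parse_create_user(raw)
    except ValidationError as e:
        return 400, {"error": str(e)}
    return 201, {"id": create_user(conn, req)}
```

A display name such as `Rob'); DROP TABLE users;--` passes validation (it is a legal display name) and is stored literally, because the sink never concatenates it into SQL; the validator's job is shape, the sink's job is encoding.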

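Rules 5 and 6 together, as an added example that is not from the page: a hypothetical login endpoint with a token-bucket limiter keyed on both the source address and the target account, and an auth-event log that refuses credential-shaped fields at the call site. The user store, salt, limits and the `ManualClock` that makes the run deterministic are all constructed for the example; a real deployment uses a random salt per user and a memory-hard password hash such as argon2 in place of the PBKDF2 placeholder.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Everything below is constructed for this example.
SALT = b"constructed-demo-salt"  # real code: a random salt per user
FORBIDDEN_FIELDS = {"password", "token", "authorization", "cookie", "secret", "body"}


def kdf(password: str) -> bytes:
    """Placeholder password hash; a memory-hard hash such as argon2 belongs here in production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"alice": kdf("correct horse battery staple")}  # hypothetical user store


class ManualClock:
    """Deterministic clock so the run is reproducible; real code passes time.monotonic."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class TokenBucket:
    """Per-key token bucket: `capacity` burst, refilled at `rate` tokens per second.
    A denied request consumes nothing, so a client that keeps hammering stays locked out."""
    def __init__(self, capacity: int, rate: float, clock):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._tokens = defaultdict(lambda: float(capacity))
        self._last: dict = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        elapsed = now - self._last.get(key, now)
        self._tokens[key] = min(self.capacity, self._tokens[key] + elapsed * self.rate)
        self._last[key] = now
        if self._tokens[key] >= 1.0:
            self._tokens[key] -= 1.0
            return True
        return False


class AuthLog:
    """Structured auth-event log that rejects credential-shaped fields, so a later
    refactor cannot quietly start writing passwords or tokens to disk."""
    def __init__(self, clock):
        self.clock = clock
        self.lines: list = []

    def event(self, kind: str, **fields) -> str:
        leaked = FORBIDDEN_FIELDS & {k.lower() for k in fields}
        if leaked:
            raise ValueError(f"refusing to log sensitive field(s): {sorted(leaked)}")
        line = json.dumps({"event": kind, "ts": self.clock(), **fields}, sort_keys=True)
        self.lines.append(line)
        return line


def login(limiter: TokenBucket, log: AuthLog, client_ip: str, username: str, password: str) -> int:
    """Returns an HTTP status. Limits per source address and per target account, so brute
    force against one account and password spraying from one address are both cut off."""
    if not (limiter.allow(f"ip:{client_ip}") and limiter.allow(f"user:{username}")):
        log.event("login_rate_limited", user=username, ip=client_ip)
        return 429
    candidate = kdf(password)  # computed even for unknown users: no timing oracle on existence
    ok = hmac.compare_digest(USERS.get(username, b""), candidate)
    log.event("login_ok" if ok else "login_failed", user=username, ip=client_ip)
    return 200 if ok else 401


def demo() -> tuple:
    """Three bad guesses, the limiter closes, one token refills after two seconds."""
    clock = ManualClock()
    limiter = TokenBucket(capacity=3, rate=0.5, clock=clock)  # burst of 3, then 1 per 2 s
    log = AuthLog(clock)
    statuses = [login(limiter, log, "203.0.113.9", "alice", "wrong") for _ in range(4)]
    clock.advance(2)
    statuses.append(login(limiter, log, "203.0.113.9", "alice", "correct horse battery staple"))
    statuses.append(login(limiter, log, "203.0.113.9", "alice", "correct horse battery staple"))
    return statuses, log.lines
```

`demo()` returns the status sequence 401, 401, 401, 429, 200, 429: the fourth guess is refused without touching the password, the correct password succeeds once a token has refilled, and the immediate retry is refused again even though the credentials are right. Each log line carries the account, the source address, the time and the outcome, and nothing that was typed into the password field.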
## What This Replaces

"Security later" thinking. The basics are not optional and they're not hard. They're just discipline.
