- All external links use rel="noopener noreferrer" when target="_blank"
- User input is validated and sanitized (search, filters, forms)
- Dependencies are regularly audited (see CI)
- No secrets or credentials are committed to the repo
- Data files are checked for consistency and correctness
- Error boundaries are used for critical UI components
- All forms use proper CSRF and XSS protections (where applicable)
- Security policy is documented in SECURITY.md