Use payment processor (Stripe), tokenization, network segmentation
Anti-Patterns
Anti-Pattern
Fix
Security as afterthought
Integrate from design phase
Client-side authorization
Always verify permissions server-side
Trusting client data (e.g., userId from body)
Get user ID from authenticated session
Rolling your own crypto
Use proven libraries (argon2, bcrypt, libsodium)
Compliance = security
Compliance is the minimum; security is ongoing
Verbose error responses
Generic messages to clients, details server-side
Common Mistakes
Mistake
Correct Pattern
Performing authorization checks only on the client side
Always verify permissions server-side; client checks are UX only
Trusting user-supplied IDs from request body (e.g., userId)
Derive user identity from the authenticated session or token
Rolling custom cryptography instead of using proven libraries
Use argon2id, bcrypt, or libsodium for all cryptographic operations
Treating compliance certification as equivalent to security
Compliance is the minimum bar; security requires ongoing review
Returning verbose error messages with stack traces to clients
Show generic messages to clients; log details server-side only
Delegation
Scan codebase for OWASP Top 10 vulnerabilities and insecure patterns: Use Explore agent to search for SQL injection, XSS, and hardcoded secrets
Implement authentication, authorization, and security headers end-to-end: Use Task agent to configure JWT, RBAC, CSP, HSTS, and rate limiting
Design a threat model and security architecture for new features: Use Plan agent to apply STRIDE methodology and map trust boundaries
For database-layer security (RLS policies, Postgres/Supabase hardening, audit trails), use the database-security skill. For AI/LLM security (prompt injection defense, agentic zero-trust, MCP tool hardening), use the secure-ai skill.