- encrypt in transit and at rest
- sanitize all user inputs, or any input parameters exposed to the user, to prevent XSS and SQL injection
- use parameterized queries to prevent SQL injection
- use the principle of least privilege
security auth
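An added example (not part of the original notes) showing why parameterized queries stop SQL injection where string concatenation does not, using Python's standard sqlite3 module; the users table, its rows and the test input are constructed here for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the input is spliced into the SQL text, so a value
    # containing quotes can change the structure of the query itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: the SQL text is fixed and the value is bound separately,
    # so the driver treats the whole input as a literal string to compare.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo() -> tuple:
    # Constructed input that closes the quoted literal in the concatenated
    # query; with binding it is just a username nobody has.
    conn = build_db()
    suspicious = "x' OR '1'='1"
    return find_user_concat(conn, suspicious), find_user_param(conn, suspicious)


if __name__ == "__main__":
    concat_rows, param_rows = demo()
    print("concatenated query returned:", concat_rows)  # every user
    print("parameterized query returned:", param_rows)  # nothing
```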