# Skill 16 - Security, Reliability, and Performance

## Security Rules

- Never store secrets in source code.
- Use user secrets for local development and a secret manager in production.
- Validate all external input.
- Encode output according to context.
- Use parameterized queries or EF Core LINQ, never string-concatenated SQL with untrusted input.
- Use HTTPS and secure cookies for web apps.
- Apply authentication and authorization at server boundaries.
- Keep dependencies and runtimes patched.

## Reliability Rules

- Use structured logging.
- Include correlation/request IDs when available.
- Use cancellation tokens for I/O and long-running operations.
- Add retries only for transient failures and only when operations are safe to retry.
- Use timeouts for external calls.
- Handle partial failure explicitly.
- Use health checks for hosted services.

## Performance Rules

- Measure before optimizing.
- Avoid needless allocations in hot paths.
- Stream large payloads.
- Use async I/O on servers.
- Page large query results.
- Avoid N+1 database calls.
- Cache only when invalidation is understood.
- Prefer compiled/generated regex and source-generated JSON for hot paths.

## Cross-Platform Rules

- Use `Path` APIs for filesystem paths.
- Respect case-sensitive filesystems.
- Avoid Windows-only assumptions unless the target is Windows-only.
- Test on Linux when deploying to Linux.
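The "parameterized queries, never string-concatenated SQL" security rule, as an added example that is not part of the original skill file. It assumes the `Microsoft.Data.Sqlite` package and builds its own in-memory table with constructed rows so it runs offline; the unsafe variant is kept only to show, side by side, why the safe one is required.

```csharp
// Added example (not from the skill file): string-concatenated SQL beside the
// parameterized form. Assumes the Microsoft.Data.Sqlite NuGet package.
// The Users table and its rows are constructed here for the demo.
using System;
using System.Collections.Generic;
using Microsoft.Data.Sqlite;

static class UserLookup
{
    // Builds the schema and two sample users in an in-memory SQLite database.
    static SqliteConnection OpenSampleDb()
    {
        var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using var cmd = conn.CreateCommand();
        cmd.CommandText =
            "CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT, IsAdmin INTEGER);" +
            "INSERT INTO Users VALUES (1, 'alice', 0), (2, 'bob', 1);";
        cmd.ExecuteNonQuery();
        return conn;
    }

    // UNSAFE: untrusted input is spliced into the statement text, so the input
    // decides what the statement is. Present only to contrast with the safe form.
    static List<string> FindByNameUnsafe(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Name FROM Users WHERE Name = '" + name + "'";
        return ReadNames(cmd);
    }

    // SAFE: the statement text is a constant; the value travels as a bound
    // parameter and can never alter the structure of the query.
    static List<string> FindByNameSafe(SqliteConnection conn, string name)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Name FROM Users WHERE Name = $name";
        cmd.Parameters.AddWithValue("$name", name);
        return ReadNames(cmd);
    }

    static List<string> ReadNames(SqliteCommand cmd)
    {
        var names = new List<string>();
        using var reader = cmd.ExecuteReader();
        while (reader.Read())
            names.Add(reader.GetString(0));
        return names;
    }

    static void Main()
    {
        using var conn = OpenSampleDb();
        // Constructed input: a perfectly legitimate surname that happens to
        // contain a quote. The safe form treats it as data and simply finds no
        // row; the unsafe form produces a malformed statement.
        string input = "o'brien";
        Console.WriteLine($"safe:   {FindByNameSafe(conn, input).Count} row(s)");
        try
        {
            Console.WriteLine($"unsafe: {FindByNameUnsafe(conn, input).Count} row(s)");
        }
        catch (SqliteException ex)
        {
            Console.WriteLine($"unsafe: statement broken by input ({ex.Message})");
        }
    }
}
```

The same point holds for EF Core: a LINQ query such as `db.Users.Where(u => u.Name == name)` is translated with `name` as a parameter, whereas `FromSqlRaw` with a concatenated string reintroduces the unsafe pattern.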
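The reliability rules on cancellation tokens, timeouts for external calls, correlation IDs, and retrying only transient failures on safe-to-retry operations, worked through for one HTTP GET. This is an added example, not code from the original skill file; it assumes .NET 6 or later, and the URL and the `X-Correlation-ID` header name are placeholders.

```csharp
// Added example (not from the skill file): a GET with a per-attempt timeout,
// caller cancellation, a correlation header, and retries limited to transient
// failures. Assumes .NET 6+; URL and header name are placeholders.
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

static class ResilientGet
{
    static readonly HttpClient Http = new HttpClient();

    // Transient: the same request may succeed if repeated. Anything else is final.
    static bool IsTransient(HttpStatusCode status) =>
        status == HttpStatusCode.RequestTimeout
        || status == HttpStatusCode.TooManyRequests
        || status == HttpStatusCode.BadGateway
        || status == HttpStatusCode.ServiceUnavailable
        || status == HttpStatusCode.GatewayTimeout;

    // GET is idempotent, so it is safe to retry. The caller's token bounds the
    // whole operation; the per-attempt timeout bounds each single call.
    public static async Task<string> GetAsync(
        Uri url, string correlationId, CancellationToken callerToken,
        int maxAttempts = 3, TimeSpan? perAttemptTimeout = null)
    {
        var timeout = perAttemptTimeout ?? TimeSpan.FromSeconds(5);

        for (int attempt = 1; ; attempt++)
        {
            // Linked source: fires on caller cancellation OR when this attempt times out.
            using var attemptCts = CancellationTokenSource.CreateLinkedTokenSource(callerToken);
            attemptCts.CancelAfter(timeout);

            using var request = new HttpRequestMessage(HttpMethod.Get, url);
            request.Headers.Add("X-Correlation-ID", correlationId); // placeholder header name

            string failure;
            bool transient;
            try
            {
                using var response = await Http.SendAsync(request, attemptCts.Token);
                if (response.IsSuccessStatusCode)
                    return await response.Content.ReadAsStringAsync(attemptCts.Token);
                failure = $"HTTP {(int)response.StatusCode}";
                transient = IsTransient(response.StatusCode);
            }
            catch (OperationCanceledException) when (callerToken.IsCancellationRequested)
            {
                throw; // the caller gave up: never retry past an explicit cancellation
            }
            catch (OperationCanceledException)
            {
                failure = $"timeout after {timeout.TotalSeconds}s"; // attempt timeout
                transient = true;
            }
            catch (HttpRequestException ex)
            {
                failure = $"connection error: {ex.Message}"; // DNS/TCP/TLS failure
                transient = true;
            }

            // Decide outside the try block so our own throw is never caught and retried.
            if (!transient || attempt == maxAttempts)
                throw new HttpRequestException(
                    $"[{correlationId}] GET {url}: {failure} (attempt {attempt}/{maxAttempts})");

            // Exponential backoff that still honours the caller's token.
            await Task.Delay(TimeSpan.FromMilliseconds(200 * (1 << attempt)), callerToken);
        }
    }

    static async Task Main()
    {
        // Overall budget for the operation, independent of per-attempt timeouts.
        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(30));
        try
        {
            // Placeholder host (.invalid never resolves), so this exercises the retry path.
            var body = await GetAsync(new Uri("https://example.invalid/health"),
                                      Guid.NewGuid().ToString("N"), cts.Token);
            Console.WriteLine(body);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```

Note what is deliberately absent: a POST is not retried here at all, because the rule only allows retries when the operation is safe to repeat, and a non-transient status such as 400 or 403 fails on the first attempt rather than being masked by further tries.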
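The performance rule "prefer compiled/generated regex and source-generated JSON for hot paths", as an added example that is not part of the original skill file. It assumes .NET 7 or later (for `[GeneratedRegex]`) with nullable reference types enabled; the log-line format and the sample lines are constructed for the demo.

```csharp
// Added example (not from the skill file): a source-generated regex and a
// source-generated System.Text.Json context on a hot log-parsing path.
// Assumes .NET 7+ and <Nullable>enable</Nullable>. Line format is constructed.
using System;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Text.RegularExpressions;

public sealed class LoginEvent
{
    public string User { get; init; } = "";
    public string Ip { get; init; } = "";
    public bool Success { get; init; }
}

// Source-generated serializer: no runtime reflection, no first-call converter
// construction, and friendly to trimming/AOT.
[JsonSourceGenerationOptions(PropertyNamingPolicy = JsonKnownNamingPolicy.CamelCase)]
[JsonSerializable(typeof(LoginEvent))]
internal partial class LogJsonContext : JsonSerializerContext { }

public static partial class LoginParser
{
    // The regex is compiled into the assembly at build time by the source
    // generator instead of being parsed and compiled on first use.
    [GeneratedRegex(@"^login user=(?<user>[A-Za-z0-9_.-]+) ip=(?<ip>[0-9.]+) result=(?<result>ok|fail)$")]
    private static partial Regex LoginLine();

    // Returns null for lines that are not login records; callers must handle that.
    public static LoginEvent? Parse(string line)
    {
        var m = LoginLine().Match(line);
        if (!m.Success) return null;
        return new LoginEvent
        {
            User = m.Groups["user"].Value,
            Ip = m.Groups["ip"].Value,
            Success = m.Groups["result"].Value == "ok",
        };
    }

    // Serializes through the generated context rather than the reflection path.
    public static string ToJson(LoginEvent e) =>
        JsonSerializer.Serialize(e, LogJsonContext.Default.LoginEvent);

    public static void Main()
    {
        // Constructed sample lines, including one that is not a login record.
        string[] lines =
        {
            "login user=alice ip=10.0.0.5 result=ok",
            "login user=bob ip=10.0.0.9 result=fail",
            "heartbeat node=3",
        };
        foreach (var line in lines)
        {
            var evt = Parse(line);
            Console.WriteLine(evt is null ? $"skip: {line}" : ToJson(evt));
        }
    }
}
```

The rule's first point still applies: measure the reflection-based and generated paths with a benchmark on representative input before committing to the change, since the gain shows mainly at startup and on paths executed very frequently.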