...
All user input (e.g. via dialogs) has to be escaped before being inserted into templates.
All data transferred from the client to the server (e.g. cache data) has to be escaped before being inserted into templates.
All REST interfaces or servlets contain a check that the current user has the appropriate permission before executing any actions.
GET requests shall be avoided when data is updated, because of the risk of forged requests.
All permission checks are done on the server, not the client.
When a request collects data from multiple content entity objects, we check that the current user has view permission on each of them before including them in the result.
We only include the necessary information in the responses.
We minimize the number of 3rd party libraries in our apps.
When we use 3rd party libraries, we check the published anomalies list before using them and regularly after release.
Cloud only: we do not store customer data within our cloud apps.
...
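The server-side rules in the list above (no GET for updates, permission checks on the server, per-object view filtering, minimal responses, escaping at the template) sketched as an added example that is not the page's or the project's own code. The in-memory `Entity` store, the function names and the sample users are assumptions made for illustration.

```python
import html
from dataclasses import dataclass

@dataclass
class Entity:                      # hypothetical stand-in for a content entity object
    id: int
    title: str
    body: str
    viewers: frozenset             # users with view permission
    editors: frozenset             # users with edit permission

# Constructed sample data
STORE = {
    1: Entity(1, "Roadmap", "public plan", frozenset({"alice", "bob"}), frozenset({"alice"})),
    2: Entity(2, "Salaries", "confidential", frozenset({"alice"}), frozenset({"alice"})),
    3: Entity(3, "<script>alert(1)</script>", "notes", frozenset({"bob"}), frozenset({"bob"})),
}
RESPONSE_FIELDS = ("id", "title")  # the body is never sent with a listing

def list_entities(user, ids):
    """Aggregate several objects, keeping only those the user may view."""
    visible = [STORE[i] for i in ids if i in STORE and user in STORE[i].viewers]
    return [{f: getattr(e, f) for f in RESPONSE_FIELDS} for e in visible]

def update_title(user, method, entity_id, new_title):
    """Return an HTTP status; state changes are refused over GET."""
    if method == "GET":
        return 405
    entity = STORE.get(entity_id)
    if entity is None or user not in entity.viewers:
        return 404                 # do not reveal objects the user cannot see
    if user not in entity.editors:
        return 403
    entity.title = new_title       # stored raw, escaped on output
    return 200

def render_list(items):
    """Escape every value at the point it enters the HTML template."""
    rows = "".join(
        f'<li data-id="{int(i["id"])}">{html.escape(i["title"])}</li>' for i in items
    )
    return f"<ul>{rows}</ul>"
```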