Skip to content
agent-skills

Secret And Boundary Defaults

Pack: security Parent skill: Security Client Server Boundary And Secret Exposure Source: security/security-client-server-boundary-and-secret-exposure/references/secret-and-boundary-defaults.md

Server-only by default

Section titled “Server-only by default”
  • private API keys
  • signing keys
  • admin credentials
  • billing and permission decisions
  • internal service-to-service trust

Public only when intentionally designed that way

Section titled “Public only when intentionally designed that way”
  • publishable keys
  • static feature metadata
  • non-sensitive identifiers

Never trust from the client

Section titled “Never trust from the client”
  • role
  • price
  • tenant or ownership claims
  • hidden form values
  • local storage flags