Coding & Development
Security-First Developer Guide
📝 Prompt
You are a senior application security engineer and secure coding trainer. Your task is to teach developers how to build security in from the start — not bolt it on at the end.

Given: [CONTEXT] (application type — web, API, mobile, data pipeline), [SKILL LEVEL], and [GOAL] (pass a security review, prevent breaches, or build a security culture).

Deliver a complete secure coding guide:

1. THREAT MODEL: Identify the top 5 threats for [CONTEXT] using the STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
2. INPUT VALIDATION: Write the validation rules and sanitization code for the 3 highest-risk input types in [CONTEXT]. For each rule, explain which attack it prevents.
3. AUTHENTICATION HARDENING: Define 5 specific authentication implementation requirements beyond just "use a library" — session management, token handling, MFA, lockout policy.
4. AUTHORIZATION PATTERNS: Implement role-based access control with a code example showing the correct pattern for [CONTEXT].
5. SENSITIVE DATA HANDLING: Define exactly how to store, transmit, and log sensitive data — with specific do/don't pairs for each.
6. DEPENDENCY SECURITY: Define a process for auditing third-party dependencies, responding to CVEs, and maintaining a secure supply chain.
7. SECURITY CHECKLIST: Write a 15-point pre-deployment security checklist specific to [CONTEXT] that a developer can run before every release.

Output all code in formatted blocks. Include the threat model as a table.
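As an added illustration of the authorization pattern the prompt asks for in step 4 (this is example code written for this page, not part of the prompt or any project it describes), the block below shows a role-based access control check for a hypothetical shop API. Roles (`customer`, `support`), permissions, and the `Order` type are assumed for the example. The point it demonstrates is the two layers a reviewer looks for: a role-to-permission lookup that denies by default, and an object-level ownership check on the resource itself, so that a valid role cannot be used to act on another user's records.

```python
"""Role-based access control pattern: deny by default, permissions resolved
from roles in one place, enforced server-side at the entry point of every
operation, with an object-level ownership check on top of the role check."""
from dataclasses import dataclass
from enum import Enum
from functools import wraps
from typing import Callable, FrozenSet


class Permission(Enum):
    READ_ORDER = "order:read"
    CANCEL_ORDER = "order:cancel"
    REFUND_ORDER = "order:refund"
    ANY_ORDER = "order:any"  # may act on orders owned by other users


# Single source of truth for role -> permissions. Roles are assumed for a
# hypothetical shop API; any role not listed here grants nothing.
ROLE_PERMISSIONS: dict[str, FrozenSet[Permission]] = {
    "customer": frozenset({Permission.READ_ORDER, Permission.CANCEL_ORDER}),
    "support": frozenset({Permission.READ_ORDER, Permission.CANCEL_ORDER,
                          Permission.REFUND_ORDER, Permission.ANY_ORDER}),
}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by the auth layer."""
    user_id: str
    roles: FrozenSet[str]

    def permissions(self) -> FrozenSet[Permission]:
        granted: set[Permission] = set()
        for role in self.roles:
            granted |= ROLE_PERMISSIONS.get(role, frozenset())
        return frozenset(granted)


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_id: str
    amount_cents: int


class Forbidden(Exception):
    """Raised when an authorization check fails; carries no order details."""


def authorize(principal: Principal, permission: Permission, order: Order) -> tuple[bool, str]:
    """Two-layer decision: role permission first, then object-level ownership.
    Returns (allowed, reason) so the caller can audit-log every denial."""
    perms = principal.permissions()
    if permission not in perms:
        return False, f"missing {permission.value}"
    if order.owner_id != principal.user_id and Permission.ANY_ORDER not in perms:
        return False, "not owner of resource"
    return True, "ok"


def require(permission: Permission) -> Callable:
    """Decorator that runs authorize() on every call to the wrapped operation."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(principal: Principal, order: Order, *args, **kwargs):
            allowed, reason = authorize(principal, permission, order)
            if not allowed:
                # Log identifiers and the reason only, never the request payload.
                print(f"DENY user={principal.user_id} action={permission.value} "
                      f"order={order.order_id} reason={reason}")
                raise Forbidden(reason)
            return fn(principal, order, *args, **kwargs)
        return wrapper
    return decorator


@require(Permission.CANCEL_ORDER)
def cancel_order(principal: Principal, order: Order) -> str:
    return f"order {order.order_id} cancelled"


@require(Permission.REFUND_ORDER)
def refund_order(principal: Principal, order: Order) -> int:
    return order.amount_cents


if __name__ == "__main__":
    # Constructed sample principals and orders for the demonstration.
    alice = Principal("alice", frozenset({"customer"}))
    agent = Principal("agent-7", frozenset({"support"}))
    alices_order = Order("ord-1", "alice", 4200)
    bobs_order = Order("ord-2", "bob", 999)
    print(cancel_order(alice, alices_order))   # allowed: own order
    print(refund_order(agent, bobs_order))     # allowed: support may refund any order
    try:
        cancel_order(alice, bobs_order)        # blocked by the ownership layer
    except Forbidden as exc:
        print("blocked:", exc)
```

The decorator is applied at the operation boundary rather than inside the handler body, so a new endpoint that forgets the decorator fails closed at review time (it has no way to read the principal's permissions) rather than silently allowing everything. Returning a reason string from `authorize` is what makes denials auditable, which is the Repudiation row of the STRIDE table the prompt asks for.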