Commit 73e7b21

Update docs/Security-Focused-Guide-for-AI-Code-Assistant-Instructions.md
Co-authored-by: Copilot <[email protected]> Signed-off-by: Avishay Balter <[email protected]>
1 parent 6775f1f commit 73e7b21

1 file changed

+1
-1
lines changed


docs/Security-Focused-Guide-for-AI-Code-Assistant-Instructions.md

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ One of the first sections in your instructions should reinforce general secure c
2424
* **Input Validation & Output Encoding:** Instruct the AI to treat all external inputs as untrusted and to validate them. *Example: "user inputs should be checked for expected format and length*". Any output should be properly encoded to prevent injection attacks such as SQL injection or cross-site scripting (XSS). *Example: "Always validate function arguments and use parameterized queries for database access"* and *"Escape special characters in user-generated content before rendering it in HTML"*. Similarly, specify that when generating output contexts such as HTML or SQL, the assistant should use safe frameworks or encoding functions to avoid vulnerabilities. [[8]](#8) [[9]](#9) [[10]](#10)
2525
* **Authentication, Authorization & Secrets Management:** Emphasize that credentials and sensitive tokens must never be hard-coded or exposed. Your instructions can say: *"Never include API keys, passwords, or secrets in code output, and use environment variables or secure vault references instead"*. Also instruct the AI to use secure authentication flows (for instance, using industry-standard libraries for handling passwords or tokens) and to enforce role-based access checks where appropriate. [[11]](#11) [[12]](#12) [[13]](#13)
2626
* **Error Handling & Logging:** Guide the AI to implement errors securely by catching exceptions and failures without revealing sensitive info (stack traces, server paths, etc.) to the end-user. In your instructions, you might include: *"When generating code, handle errors gracefully and log them, but do not expose internal details or secrets in error messages".* This ensures the assistant's suggestions include secure error-handling patterns (like generic user-facing messages and detailed logs only on the server side). Additionally, instruct the AI to use logging frameworks that can be configured for security (e.g. avoiding logging of personal data or secrets). [[14]](#14)
27-
* **Secure Defaults & Configurations:** Include guidance such as: *"Prefer safe defaults in configurations – for example, use HTTPS by default, require strong encryption algorithms, and disable insecure protocols or options".* By specifying this, the AI will be more likely to generate code that opts-in to security features. Always instruct the AI to follow the principle of least privilege (e.g. minimal file system permissions, least-privileged user accounts for services, etc.) in any configuration or code it proposes. [[13]](#15) [[14]](#16)
27+
* **Secure Defaults & Configurations:** Include guidance such as: *"Prefer safe defaults in configurations – for example, use HTTPS by default, require strong encryption algorithms, and disable insecure protocols or options".* By specifying this, the AI will be more likely to generate code that opts-in to security features. Always instruct the AI to follow the principle of least privilege (e.g. minimal file system permissions, least-privileged user accounts for services, etc.) in any configuration or code it proposes. [[15]](#15) [[16]](#16)
2828
* **Testing for Security:** Encourage the AI to produce or suggest tests for critical code paths including negative tests that verify that what shouldn't happen, doesn't happen. In your instructions, add: *"When applicable, generate unit tests for security-critical functions (including negative tests to ensure the code fails safely)"*. [[17]](#17) [[18]](#18)
2929
* **Call out and review stubbed code:** If the AI generates code that is stubbed or incomplete, instruct it to flag these areas for review. For example: *"If you generate placeholder code (e.g., `TODO` comments), ensure it is marked for security review before deployment".* This will help ensure that any incomplete code does not inadvertently introduce vulnerabilities. [[19]](#19) [[20]](#20)
3030
* **Data Protection:** When generating code, always prioritize data minimization and avoid storing or processing confidential or otherwise sensitive information (like personal data - PII) unless absolutely necessary. For that case, suggest strong encryption at rest and in transit, and recommend techniques like anonymization. For example: *"Generate a function that securely handles user input for a registration form, asking for necessary fields to avoid logging sensitive information of PII. Ensure that no sensitive or PII is stored in plaintext"*. [[21]](#21)
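Review bot: On line 27 the label and the anchor of each citation are typed separately, so a mismatch like the removed `[[13]](#15)` can come back anywhere in this list without anything flagging it. The new `[[15]](#15) [[16]](#16)` fits the surrounding sequence (`[[14]]` on line 26, `[[17]]` on line 28), but it would be worth adding a link check to the docs build, or at least searching the file once for links whose bracketed number differs from the `#` anchor, so the rest of the guide is covered by the same fix. While touching this block, the context line 24 closes its emphasis inside the quotation (`length*".`) where the other examples close it outside (`"*`), which is a small formatting inconsistency that could be corrected in the same pass.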
