General guidelines for security
-------------------------------

**NOTE**: This is still WIP

* **Use chroot**: Where ever possible, use `chroot` after initialization. After chroot, one must `chdir` to `/` and drop privileges to an unprivileged user.

* **Sanitize inputs**: Inputs must always be treated as untrusted; and must always be santized. Do not fire a database query, or perform any resource consuming operations unless all the inputs are valid. Handle any potential sql/no-sql and command injections.

* **API response**: Any API should nevre reveal any unnessary information if the user is not authenticated/authorized to. Even the error messages should be carefully constructed not to leak any unnessary information. 

* **Rate limiting**: All APIs especially the ones requiring authentication/authorization must be rate limited.

* **Disable debugging information in production**: Enabling debugging information in production will help an attacker to figure out the status of an attack. It should be disabled.