Security and Robustness

Security in Norscode is mostly about reducing trust at system boundaries. Validate external input early, separate authentication from authorisation, keep secrets out of source files and avoid exposing internal details through error responses or logs.

Validate before business logic

Good validation stops bad requests before they become stored data, noisy logs or surprising failures later in the request flow.

hvis method != "POST" da {
    returner web.http_typed_input_feil_respons("method", "POST", "kun POST", method)
}

Type checks alone are rarely enough. Useful validation also asks whether values are empty, too long, outside a supported set or dangerous to pass further into the system.

Identity and privilege

Authentication answers who the caller is. Authorisation answers what they are allowed to do. Keep those as separate checks. An authenticated user should not automatically be trusted with administrative actions, sensitive reads or destructive writes.

Errors, secrets and logging

Security improves when clients receive stable, masked errors while operators still have access to detailed internal logs. That keeps the system observable without turning every failure into a leak of internal structure. The same principle applies to secrets: tokens, keys and passwords belong in controlled configuration, not in templates, examples or verbose logs.

Once these basics are in place, the most useful follow-up chapters are integrations, logging and reliability.