# HTML Security Checklist

Use this checklist for security-sensitive HTML boundaries.

- Escape user-generated content before it reaches HTML, using the rules of the context it lands in (text node, attribute value, URL, or script); one escaper does not cover all four.
- Never rely on client-side validation as protection; it helps users, not security, and the server must validate every input again.
- External links with `target="_blank"` carry `rel="noopener noreferrer"` so the opened page cannot reach `window.opener` and receives no Referer; modern browsers default to `noopener`, but the attribute is still correct for older browsers and for the `noreferrer` part.
- Iframes carry a `title`.
- Risky iframes are sandboxed with the smallest useful set of `sandbox` tokens; never grant `allow-scripts` together with `allow-same-origin` to a frame that may host untrusted content, since a same-origin frame with script access can remove its own sandbox.
- Third-party scripts are reviewed before deployment and, where the host serves stable versioned files, pinned with Subresource Integrity.
- Inline event handlers (`onclick` and friends) and inline `<script>` blocks are avoided in production code; they cannot run under a strict Content Security Policy and blur the line between markup and code.
- Forms submit over HTTPS, and the page that serves the form is itself delivered over HTTPS (a form on an HTTP page can have its `action` rewritten by a network attacker).
- Sensitive actions are protected on the backend, for example with CSRF tokens and `SameSite` cookies; markup alone provides no protection.
- File uploads are validated on the server: type checked from content rather than from the client-supplied filename or `Content-Type`, size limits enforced, and the stored name chosen by the server.
- Error messages do not leak internal details such as stack traces, file paths, or query text.
- A Content Security Policy is deployed for production apps, with nonce- or hash-based `script-src` rather than `'unsafe-inline'`.
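The escaping, external-link and sandboxed-iframe items above, worked through as an added example in plain JavaScript. This is not code from the original page; the function names (`escapeHtml`, `safeHttpUrl`, `renderExternalLink`, `renderSandboxedIframe`) and the sample comment and link are assumptions constructed for illustration. It builds markup as strings so it runs offline in Node without a DOM.

```javascript
// Added example for the HTML security checklist (not code from the page).
// Context-aware escaping, URL scheme validation, and safe builders for
// external links and sandboxed iframes. Names below are assumptions.

// Characters that must never reach an HTML text node or a double-quoted
// attribute value unescaped.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text for an HTML text node or a quoted attribute value.
// This is NOT sufficient for a URL, a script block or a CSS context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs as link or frame targets. Relative URLs,
// javascript:, data: and vbscript: are all rejected by returning null.
function safeHttpUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw).trim());
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// External link: validated URL, escaped text, and noopener/noreferrer so the
// opened page cannot reach window.opener and no Referer is leaked.
// A bad href degrades to plain escaped text instead of emitting a link.
function renderExternalLink(href, text) {
  const url = safeHttpUrl(href);
  if (url === null) return escapeHtml(text);
  return `<a href="${escapeHtml(url)}" target="_blank" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Allow-list of sandbox tokens this site is willing to grant at all.
const SANDBOX_TOKENS = new Set([
  'allow-scripts',
  'allow-forms',
  'allow-popups',
  'allow-same-origin',
]);

// Sandboxed iframe with the smallest requested set of tokens. Unknown tokens
// are dropped. allow-scripts and allow-same-origin are never granted together:
// a same-origin frame with script access can delete its own sandbox attribute.
function renderSandboxedIframe(src, title, permissions = []) {
  const url = safeHttpUrl(src);
  if (url === null) throw new Error('iframe src must be an absolute http(s) URL');
  const perms = permissions.filter((p) => SANDBOX_TOKENS.has(p));
  if (perms.includes('allow-scripts') && perms.includes('allow-same-origin')) {
    throw new Error('allow-scripts with allow-same-origin defeats the sandbox');
  }
  return `<iframe src="${escapeHtml(url)}" title="${escapeHtml(title)}" sandbox="${perms.join(' ')}"></iframe>`;
}

// Constructed sample input: a hostile comment body and a hostile link target,
// as a user might submit them. Not real data.
const SAMPLE_COMMENT = '<img src=x onerror="alert(1)"> said "hi"';
const SAMPLE_HREF = 'javascript:alert(document.cookie)';

// Render the sample as it would appear inside a comment block.
function renderSampleComment() {
  return `<p>${escapeHtml(SAMPLE_COMMENT)} ${renderExternalLink(SAMPLE_HREF, 'my site')}</p>`;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderSampleComment());
  console.log(renderSandboxedIframe('https://embed.example/v', 'Video', ['allow-scripts']));
}
```

The `javascript:` href in the sample is turned into plain text rather than a link; if the page must still show the original target it should be displayed as escaped text, never placed in `href`.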
