Swift Security

This file extends the common security rule with Swift specific content.

Secret Management

• Use Keychain Services for sensitive data (tokens, passwords, keys) -- never UserDefaults
• Use environment variables or .xcconfig files for build-time secrets
• Never hardcode secrets in source -- decompilation tools extract them trivially

let apiKey = ProcessInfo.processInfo.environment["API_KEY"]
guard let apiKey, !apiKey.isEmpty else {
    fatalError("API_KEY not configured")
}

Transport Security

• App Transport Security (ATS) is enforced by default -- do not disable it
• Use certificate pinning for critical endpoints
• Validate all server certificates

Input Validation

• Sanitize all user input before display to prevent injection
• Use URL(string:) with validation rather than force-unwrapping
• Validate data from external sources (APIs, deep links, pasteboard) before processing