- Use `Microsoft.Data.SqlClient` parameterized queries or `Dapper` with typed parameters — never concatenate user input into SQL strings.
- Store secrets in environment variables or `IConfiguration` — never hardcode connection strings or API keys in F# source files.
- Use `System.Security.Cryptography.RandomNumberGenerator` for secure random bytes — never use `System.Random` for security-sensitive values.
- Validate all external input with domain type constructors that enforce invariants at the boundary — use `Result` to communicate validation failures.
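An added example (not from the original page) that puts the four rules together in one F# script: a domain type whose smart constructor returns `Result`, a connection string read from the environment rather than source, a parameterized `Microsoft.Data.SqlClient` query, and a CSPRNG-backed token. The table `Users` with columns `Id` and `Email`, and the variable name `APP_DB_CONNECTION`, are assumptions for illustration.

```fsharp
#r "nuget: Microsoft.Data.SqlClient"
open System
open System.Data
open System.Security.Cryptography
open Microsoft.Data.SqlClient

/// Validated e-mail address. The case constructor is private, so the only way
/// to obtain a value is Email.create, which enforces the invariants once, at the boundary.
type Email = private Email of string

module Email =
    let create (raw: string) : Result<Email, string> =
        if String.IsNullOrWhiteSpace raw then Error "email is empty"
        elif raw.Length > 254 then Error "email is too long"
        elif not (raw.Contains "@") then Error "email must contain '@'"
        else Ok (Email (raw.Trim()))
    let value (Email e) = e

/// The connection string comes from the environment, never from source
/// (APP_DB_CONNECTION is an assumed variable name).
let connectionString () =
    match Environment.GetEnvironmentVariable "APP_DB_CONNECTION" with
    | null | "" -> failwith "APP_DB_CONNECTION is not set"
    | cs -> cs

/// Look up a user id by e-mail (assumed table Users with columns Id, Email).
/// The value reaches SQL Server only as the typed parameter @email; it is
/// never spliced into the command text, so it cannot alter the query.
let findUserId (email: Email) : int option =
    use conn = new SqlConnection(connectionString ())
    use cmd = new SqlCommand("SELECT Id FROM Users WHERE Email = @email", conn)
    let p = cmd.Parameters.Add("@email", SqlDbType.NVarChar, 254)
    p.Value <- box (Email.value email)
    conn.Open()
    match cmd.ExecuteScalar() with
    | :? int as id -> Some id
    | _ -> None

/// Validate first, then query: input that fails validation never reaches the database,
/// and the caller gets the failure as an Error value rather than an exception.
let lookup (raw: string) : Result<int option, string> =
    Email.create raw |> Result.map findUserId

/// 32 bytes from the OS CSPRNG, hex-encoded: suitable for a session or reset token.
/// System.Random is seeded predictably and must not be used here.
let newToken () : string =
    Convert.ToHexString(RandomNumberGenerator.GetBytes 32)
```

Run it with `dotnet fsi` after setting `APP_DB_CONNECTION`; `lookup "not-an-email"` returns `Error` without ever opening a connection.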