Audit all logging and error handling. Check for: console.log statements exposing PII or tokens in production, unhandled promise rejections leaking stack traces to the client, missing global error boundaries, and lack of structured logging for security events (failed logins, rate limit hits, unauthorized access attempts).