Unify OpenCode and Codex starter kits
- Add .shared/prompts/ with tool-neutral prompts - Add .opencode/config/project.md, rules/, skills/ from opencode-kit - Add .codex/config/project.md from codex-kit - Copy .shared/prompts/ to both .opencode/prompts/ and .codex/prompts/ - Add features/INDEX.md and features/README.md - Update README with unified structure The two original starter kits are now redundant.
This commit is contained in:
@@ -1,22 +1,56 @@
|
||||
# Security Rules
|
||||
|
||||
## Generell
|
||||
Security rules for PHP projects.
|
||||
|
||||
- Nie Secrets in Git
|
||||
- Input immer validieren
|
||||
- Output immer escapen
|
||||
## Secrets
|
||||
|
||||
## XSS
|
||||
- NEVER commit secrets, API keys, or credentials
|
||||
- Use `.env` for local development (gitignored via `.gitignore`)
|
||||
- Use environment variables for production
|
||||
- Never log sensitive data (passwords, tokens, personal data)
|
||||
- Generate secrets with: `openssl_random_pseudo_bytes(32)` or `php -r "echo bin2hex(random_bytes(32));"`
|
||||
|
||||
- HTML specialchars() für User-Input in HTML
|
||||
- Content-Security-Policy Header setzen
|
||||
## Input Validation
|
||||
|
||||
## CSRF
|
||||
- Validate ALL user input in PHP (never trust `$_GET`, `$_POST`, etc.)
|
||||
- Use Respect Validation or Laravel Validator
|
||||
- Sanitize data before database insertion
|
||||
- Use parameterized queries exclusively (PDO, mysqli with placeholders)
|
||||
|
||||
- CSRF Token bei Forms
|
||||
- SameSite=Cookie
|
||||
## Output
|
||||
|
||||
## SQL Injection
|
||||
- Escape output with `htmlspecialchars($str, ENT_QUOTES, 'UTF-8')` or framework equivalent
|
||||
- Set Content-Type headers: `Content-Type: text/html; charset=UTF-8`
|
||||
- Use CSRF tokens on all state-changing forms
|
||||
|
||||
- Prepared Statements immer nutzen
|
||||
- Nie User-Input direkt in SQL
|
||||
## Authentication
|
||||
|
||||
- Hash passwords with `password_hash()` (bcrypt/argon2) — NEVER MD5 or SHA1
|
||||
- Use `password_verify()` for comparison
|
||||
- Implement proper session handling: `session_regenerate_id(true)` on login
|
||||
- Set secure cookie flags: `session_set_cookie_params(['httponly' => true, 'secure' => true])`
|
||||
|
||||
## Security Headers
|
||||
|
||||
For production, set these headers:
|
||||
|
||||
```
|
||||
X-Content-Type-Options: nosniff
|
||||
X-Frame-Options: DENY
|
||||
X-XSS-Protection: 1; mode=block
|
||||
Referrer-Policy: strict-origin-when-cross-origin
|
||||
Content-Security-Policy: default-src 'self'
|
||||
```
|
||||
|
||||
## File Uploads
|
||||
|
||||
- Never trust the filename — generate a new one
|
||||
- Store files outside web root
|
||||
- Validate MIME type server-side (not just by extension)
|
||||
- Set file size limits
|
||||
|
||||
## Dependencies
|
||||
|
||||
- Keep Composer dependencies up to date: `composer outdated`
|
||||
- Run `composer audit` regularly
|
||||
- Update known vulnerable packages immediately
|
||||
Reference in New Issue
Block a user