# Security Rules Security rules for PHP projects. ## Secrets - NEVER commit secrets, API keys, or credentials - Use `.env` for local development (gitignored via `.gitignore`) - Use environment variables for production - Never log sensitive data (passwords, tokens, personal data) - Generate secrets with: `openssl_random_pseudo_bytes(32)` or `php -r "echo bin2hex(random_bytes(32));"` ## Input Validation - Validate ALL user input in PHP (never trust `$_GET`, `$_POST`, etc.) - Use Respect Validation or Laravel Validator - Sanitize data before database insertion - Use parameterized queries exclusively (PDO, mysqli with placeholders) ## Output - Escape output with `htmlspecialchars($str, ENT_QUOTES, 'UTF-8')` or framework equivalent - Set Content-Type headers: `Content-Type: text/html; charset=UTF-8` - Use CSRF tokens on all state-changing forms ## Authentication - Hash passwords with `password_hash()` (bcrypt/argon2) — NEVER MD5 or SHA1 - Use `password_verify()` for comparison - Implement proper session handling: `session_regenerate_id(true)` on login - Set secure cookie flags: `session_set_cookie_params(['httponly' => true, 'secure' => true])` ## Security Headers For production, set these headers: ``` X-Content-Type-Options: nosniff X-Frame-Options: DENY X-XSS-Protection: 1; mode=block Referrer-Policy: strict-origin-when-cross-origin Content-Security-Policy: default-src 'self' ``` ## File Uploads - Never trust the filename — generate a new one - Store files outside web root - Validate MIME type server-side (not just by extension) - Set file size limits ## Dependencies - Keep Composer dependencies up to date: `composer outdated` - Run `composer audit` regularly - Update known vulnerable packages immediately