- Add .shared/prompts/ with tool-neutral prompts - Add .opencode/config/project.md, rules/, skills/ from opencode-kit - Add .codex/config/project.md from codex-kit - Copy .shared/prompts/ to both .opencode/prompts/ and .codex/prompts/ - Add features/INDEX.md and features/README.md - Update README with unified structure The two original starter kits are now redundant.
1.7 KiB
1.7 KiB
Security Rules
Security rules for PHP projects.
Secrets
- NEVER commit secrets, API keys, or credentials
- Use
.envfor local development (gitignored via.gitignore) - Use environment variables for production
- Never log sensitive data (passwords, tokens, personal data)
- Generate secrets with:
openssl_random_pseudo_bytes(32)orphp -r "echo bin2hex(random_bytes(32));"
Input Validation
- Validate ALL user input in PHP (never trust
$_GET,$_POST, etc.) - Use Respect Validation or Laravel Validator
- Sanitize data before database insertion
- Use parameterized queries exclusively (PDO, mysqli with placeholders)
Output
- Escape output with
htmlspecialchars($str, ENT_QUOTES, 'UTF-8')or framework equivalent - Set Content-Type headers:
Content-Type: text/html; charset=UTF-8 - Use CSRF tokens on all state-changing forms
Authentication
- Hash passwords with
password_hash()(bcrypt/argon2) — NEVER MD5 or SHA1 - Use
password_verify()for comparison - Implement proper session handling:
session_regenerate_id(true)on login - Set secure cookie flags:
session_set_cookie_params(['httponly' => true, 'secure' => true])
Security Headers
For production, set these headers:
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'
File Uploads
- Never trust the filename — generate a new one
- Store files outside web root
- Validate MIME type server-side (not just by extension)
- Set file size limits
Dependencies
- Keep Composer dependencies up to date:
composer outdated - Run
composer auditregularly - Update known vulnerable packages immediately