Files
skeleton/.opencode/rules/security.md
Worker Skeletton 5c9b4333da Unify OpenCode and Codex starter kits
- Add .shared/prompts/ with tool-neutral prompts
- Add .opencode/config/project.md, rules/, skills/ from opencode-kit
- Add .codex/config/project.md from codex-kit
- Copy .shared/prompts/ to both .opencode/prompts/ and .codex/prompts/
- Add features/INDEX.md and features/README.md
- Update README with unified structure

The two original starter kits are now redundant.
2026-05-25 14:11:00 +02:00

1.7 KiB

Security Rules

Security rules for PHP projects.

Secrets

  • NEVER commit secrets, API keys, or credentials
  • Use .env for local development (gitignored via .gitignore)
  • Use environment variables for production
  • Never log sensitive data (passwords, tokens, personal data)
  • Generate secrets with: openssl_random_pseudo_bytes(32) or php -r "echo bin2hex(random_bytes(32));"

Input Validation

  • Validate ALL user input in PHP (never trust $_GET, $_POST, etc.)
  • Use Respect Validation or Laravel Validator
  • Sanitize data before database insertion
  • Use parameterized queries exclusively (PDO, mysqli with placeholders)

Output

  • Escape output with htmlspecialchars($str, ENT_QUOTES, 'UTF-8') or framework equivalent
  • Set Content-Type headers: Content-Type: text/html; charset=UTF-8
  • Use CSRF tokens on all state-changing forms

Authentication

  • Hash passwords with password_hash() (bcrypt/argon2) — NEVER MD5 or SHA1
  • Use password_verify() for comparison
  • Implement proper session handling: session_regenerate_id(true) on login
  • Set secure cookie flags: session_set_cookie_params(['httponly' => true, 'secure' => true])

Security Headers

For production, set these headers:

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'

File Uploads

  • Never trust the filename — generate a new one
  • Store files outside web root
  • Validate MIME type server-side (not just by extension)
  • Set file size limits

Dependencies

  • Keep Composer dependencies up to date: composer outdated
  • Run composer audit regularly
  • Update known vulnerable packages immediately