- Add .shared/prompts/ with tool-neutral prompts - Add .opencode/config/project.md, rules/, skills/ from opencode-kit - Add .codex/config/project.md from codex-kit - Copy .shared/prompts/ to both .opencode/prompts/ and .codex/prompts/ - Add features/INDEX.md and features/README.md - Update README with unified structure The two original starter kits are now redundant.
56 lines
1.7 KiB
Markdown
56 lines
1.7 KiB
Markdown
# Security Rules
|
|
|
|
Security rules for PHP projects.
|
|
|
|
## Secrets
|
|
|
|
- NEVER commit secrets, API keys, or credentials
|
|
- Use `.env` for local development (gitignored via `.gitignore`)
|
|
- Use environment variables for production
|
|
- Never log sensitive data (passwords, tokens, personal data)
|
|
- Generate secrets with: `openssl_random_pseudo_bytes(32)` or `php -r "echo bin2hex(random_bytes(32));"`
|
|
|
|
## Input Validation
|
|
|
|
- Validate ALL user input in PHP (never trust `$_GET`, `$_POST`, etc.)
|
|
- Use Respect Validation or Laravel Validator
|
|
- Sanitize data before database insertion
|
|
- Use parameterized queries exclusively (PDO, mysqli with placeholders)
|
|
|
|
## Output
|
|
|
|
- Escape output with `htmlspecialchars($str, ENT_QUOTES, 'UTF-8')` or framework equivalent
|
|
- Set Content-Type headers: `Content-Type: text/html; charset=UTF-8`
|
|
- Use CSRF tokens on all state-changing forms
|
|
|
|
## Authentication
|
|
|
|
- Hash passwords with `password_hash()` (bcrypt/argon2) — NEVER MD5 or SHA1
|
|
- Use `password_verify()` for comparison
|
|
- Implement proper session handling: `session_regenerate_id(true)` on login
|
|
- Set secure cookie flags: `session_set_cookie_params(['httponly' => true, 'secure' => true])`
|
|
|
|
## Security Headers
|
|
|
|
For production, set these headers:
|
|
|
|
```
|
|
X-Content-Type-Options: nosniff
|
|
X-Frame-Options: DENY
|
|
X-XSS-Protection: 1; mode=block
|
|
Referrer-Policy: strict-origin-when-cross-origin
|
|
Content-Security-Policy: default-src 'self'
|
|
```
|
|
|
|
## File Uploads
|
|
|
|
- Never trust the filename — generate a new one
|
|
- Store files outside web root
|
|
- Validate MIME type server-side (not just by extension)
|
|
- Set file size limits
|
|
|
|
## Dependencies
|
|
|
|
- Keep Composer dependencies up to date: `composer outdated`
|
|
- Run `composer audit` regularly
|
|
- Update known vulnerable packages immediately |