Files
skeleton/.opencode/rules/security.md
Worker Skeletton 5c9b4333da Unify OpenCode and Codex starter kits
- Add .shared/prompts/ with tool-neutral prompts
- Add .opencode/config/project.md, rules/, skills/ from opencode-kit
- Add .codex/config/project.md from codex-kit
- Copy .shared/prompts/ to both .opencode/prompts/ and .codex/prompts/
- Add features/INDEX.md and features/README.md
- Update README with unified structure

The two original starter kits are now redundant.
2026-05-25 14:11:00 +02:00

56 lines
1.7 KiB
Markdown

# Security Rules
Security rules for PHP projects.
## Secrets
- NEVER commit secrets, API keys, or credentials
- Use `.env` for local development (gitignored via `.gitignore`)
- Use environment variables for production
- Never log sensitive data (passwords, tokens, personal data)
- Generate secrets with: `openssl_random_pseudo_bytes(32)` or `php -r "echo bin2hex(random_bytes(32));"`
## Input Validation
- Validate ALL user input in PHP (never trust `$_GET`, `$_POST`, etc.)
- Use Respect Validation or Laravel Validator
- Sanitize data before database insertion
- Use parameterized queries exclusively (PDO, mysqli with placeholders)
## Output
- Escape output with `htmlspecialchars($str, ENT_QUOTES, 'UTF-8')` or framework equivalent
- Set Content-Type headers: `Content-Type: text/html; charset=UTF-8`
- Use CSRF tokens on all state-changing forms
## Authentication
- Hash passwords with `password_hash()` (bcrypt/argon2) — NEVER MD5 or SHA1
- Use `password_verify()` for comparison
- Implement proper session handling: `session_regenerate_id(true)` on login
- Set secure cookie flags: `session_set_cookie_params(['httponly' => true, 'secure' => true])`
## Security Headers
For production, set these headers:
```
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'
```
## File Uploads
- Never trust the filename — generate a new one
- Store files outside web root
- Validate MIME type server-side (not just by extension)
- Set file size limits
## Dependencies
- Keep Composer dependencies up to date: `composer outdated`
- Run `composer audit` regularly
- Update known vulnerable packages immediately