# Security Policy And Rules

## Supported Scope
This repository currently contains template and UI shell code. Security rules apply to all PHP, JS, CSS, and configuration changes.

## Reporting A Security Issue
1. Do not open a public issue containing exploit details.
2. Report privately to project maintainers.
3. Include reproduction steps, impact, and affected files.
4. Allow maintainers time to triage before disclosure.

## Secure Coding Rules
1. Validate all request inputs against an expected shape (type, length, pattern) before use, and sanitize what must be stored or rendered.
2. Use allow-lists for route resolution and file access; never build a path from a request value.
3. Escape all dynamic output for the HTML context it lands in (text, attribute, URL).
4. Avoid dynamic file includes (`require`/`include`) from user-controlled values.
5. Validate CSRF tokens server-side against a session-bound value; a token is not trusted just because the client supplied it.
6. Do not expose stack traces, file paths, or other sensitive error details to users.
7. Avoid inline event handlers (`onclick="..."`) for sensitive actions when possible; they need `'unsafe-inline'` under a Content Security Policy.
8. Never commit secrets, tokens, credentials, or private keys.
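The following front controller is an added example, not code from this repository, showing how rules 1 to 6 fit together in PHP. The route names, the `pages/` directory, the `page` query parameter and the `csrf_token` field name are assumptions made for the illustration.

```php
<?php
// Added example, not the project's own code: a front controller applying
// secure coding rules 1-6. Route names, the pages/ directory and the
// "page" / "csrf_token" parameter names are assumptions.
declare(strict_types=1);

// Rules 2 and 4: every includable file is listed here. Nothing outside this
// table can reach require, whatever the request contains.
const ROUTES = [
    'home'      => __DIR__ . '/pages/home.php',
    'about'     => __DIR__ . '/pages/about.php',
    'contact'   => __DIR__ . '/pages/contact.php',
    'not-found' => __DIR__ . '/pages/not-found.php',
];

// Rule 1: validate the request input against a strict shape before using it.
function resolveRoute(mixed $requested): string
{
    if ($requested === null || $requested === '') {
        return 'home';
    }
    // Arrays (?page[]=x), "../", NUL bytes, slashes and absolute paths all
    // fail this check, so they never reach the lookup below.
    if (!is_string($requested) || !preg_match('/\A[a-z][a-z0-9-]{0,31}\z/', $requested)) {
        return 'not-found';
    }
    // Rule 2: look the name up in the allow-list; never build a path from it.
    return array_key_exists($requested, ROUTES) ? $requested : 'not-found';
}

// Rule 3: one escaping helper for values printed into HTML text or attributes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Rule 5: the token is minted into the session and compared server-side in
// constant time; the client only echoes it back in the form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(mixed $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
    // Rule 6: log the detail server-side, show the user a generic message.
    error_log('CSRF validation failed for ' . ($_SERVER['REQUEST_URI'] ?? '?'));
    http_response_code(403);
    exit('Request rejected.');
}

$route = resolveRoute($_GET['page'] ?? null);
if ($route === 'not-found') {
    http_response_code(404);      // generic 404: no filesystem path in the body
}
$title = ucfirst($route);         // templates must print this through e()
require ROUTES[$route];           // never: require $_GET['page'] . '.php'
```

Templates print dynamic values through `e()` and embed the CSRF token as a hidden `csrf_token` input filled from `csrfToken()`. The regular expression and the allow-list lookup are both required: the pattern stops traversal payloads early, and the table lookup makes the set of includable files explicit and reviewable.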

## Frontend Security Rules
1. Keep third-party CDN dependencies pinned to an exact version; never load `latest` or a floating major.
2. Use `integrity` (Subresource Integrity) and `crossorigin` attributes on CDN-loaded scripts and stylesheets where possible.
3. Prefer loading only the assets needed by the page.
4. Treat dynamically injected HTML as a sink: prefer `textContent` or DOM APIs over `innerHTML` for untrusted data.
5. Avoid unsafe HTML insertion from untrusted data, including data that arrives via AJAX responses.
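As an added example (not part of this repository), the script below computes a Subresource Integrity value for a pinned asset and renders the matching `<script>` tag with `integrity` and `crossorigin`. The library contents, URL and version are constructed placeholders; in practice the hash is computed from the exact vendored file that was reviewed.

```php
<?php
// Added example, not the project's own code: generating an SRI value for a
// version-pinned CDN asset. The file contents, URL and version are constructed.
declare(strict_types=1);

// SRI format is "<algo>-<base64 of the raw digest>"; sha256, sha384 and sha512 are valid.
function sriHash(string $contents, string $algo = 'sha384'): string
{
    return $algo . '-' . base64_encode(hash($algo, $contents, true));
}

// Renders the tag with attribute values escaped (frontend rules 1, 2 and 5).
function scriptTag(string $url, string $integrity): string
{
    $e = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(
        '<script src="%s" integrity="%s" crossorigin="anonymous"></script>',
        $e($url),
        $e($integrity)
    );
}

// Constructed stand-in for the vendored copy of the reviewed library.
// Replace with file_get_contents() of the exact pinned file.
$libraryContents = "console.log('example library 1.2.3');\n";
$url = 'https://cdn.example.com/example-library/1.2.3/example.min.js';   // placeholder URL

echo scriptTag($url, sriHash($libraryContents)), "\n";
```

Commit the generated hash next to the pinned version and regenerate it on every version bump; the browser refuses to execute a resource whose digest does not match, which is the point of pinning. `crossorigin="anonymous"` is required for the integrity check to apply to cross-origin resources.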

## PHP Runtime Rules
1. Keep `display_errors` (and `display_startup_errors`) disabled in production.
2. Enable centralized server-side logging (`log_errors`, `error_log`) for errors and uncaught exceptions.
3. Start and manage sessions explicitly with `session_start()` wherever CSRF tokens or session state are used.
4. Use secure cookie settings (`Secure`, `HttpOnly`, `SameSite`) for authenticated deployments.
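The bootstrap file below is an added example, not code from this repository, applying the four runtime rules in one place. The log path and session name are assumptions.

```php
<?php
// Added example, not the project's own code: a bootstrap applying the PHP
// runtime rules above. The log path and session name are assumptions.
declare(strict_types=1);

// Rules 1 and 2: never render errors to the client; log everything server-side.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-error.log');   // assumed path, writable by PHP
error_reporting(E_ALL);

// Uncaught exceptions: full detail goes to the log, the user sees a generic page.
set_exception_handler(function (Throwable $t): void {
    error_log(sprintf('%s: %s in %s:%d', get_class($t), $t->getMessage(), $t->getFile(), $t->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

// Rules 3 and 4: explicit session start with hardened cookie settings.
// Secure is derived from the request here so local HTTP development still works;
// in production it must resolve to true.
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => $secure,
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',    // blocks cross-site POSTs from carrying the cookie
]);
ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL
session_name('app_session');               // assumed name
session_start();
```

Include this file before any output is sent, since cookie parameters and `session_start()` must run before headers are flushed. `session.use_strict_mode` closes the session fixation path where an attacker pre-sets a session id.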

## Security Testing Minimum
1. Route traversal attempts (`../`, URL-encoded and NUL-byte variants) must fail safely.
2. Unknown routes must return a generic 404 and must not reveal filesystem paths.
3. AJAX failures must return safe error content (no stack traces or internal messages).
4. Common XSS payloads should not execute in rendered content.
5. The browser console, page source, and network responses should not show leaked secrets.

## Release Security Gate
1. Dependency URLs, pinned versions, and integrity hashes reviewed.
2. Input/output handling reviewed for changed files.
3. Error handling reviewed for info disclosure risk.
4. Security checklist in `docs/TESTING_RULES.md` completed.
