# Security Sign-Off Policy

## Scope
This repository currently contains template and UI shell code. These rules apply to all PHP, JS, CSS, and configuration changes.

## How To Use This File
1. Use this as the security acceptance checklist for each PR and release.
2. `Must` items are mandatory.
3. `Should` items are expected unless an exception is explicitly approved.
4. `Could` items are optional hardening improvements.

## Must (Security Gate)

### Input, Routing, And Output Safety
- [ ] Request input is validated and sanitized.
- [ ] Route resolution and file access use explicit allow-lists.
- [ ] Dynamic output is escaped for its HTML context.
- [ ] User-controlled input is never used for dynamic include paths.

### Error And Data Exposure Controls
- [ ] Stack traces and sensitive internals are not exposed to end users.
- [ ] Production runtime does not display PHP errors to clients.
- [ ] Error and exception logging is enabled server-side.
- [ ] Browser-visible responses do not leak secrets, credentials, or private paths.
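As an added example (not this repository's own bootstrap) of the four controls above in one place: errors are logged server-side, never rendered into responses, and exceptions are mapped to a generic message plus a reference id so support can still find the log line. `APP_ENV` and the `/var/log/app/php-error.log` path are assumptions.

```php
<?php
// Added example, not this repository's bootstrap: production error handling that logs
// full details server-side and sends clients only a generic message and a reference id.
// Assumptions: APP_ENV names the environment; /var/log/app/php-error.log is a placeholder path.
declare(strict_types=1);

$isProduction = (getenv('APP_ENV') ?: 'production') !== 'development';

if ($isProduction) {
    ini_set('display_errors', '0');          // never render errors into responses
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');              // but do record them server-side
    ini_set('error_log', '/var/log/app/php-error.log');
    error_reporting(E_ALL);                  // report everything, only to the log
}

/** Log the real failure, return a client-safe body (JSON for AJAX, HTML otherwise). */
function clientSafeError(Throwable $e, bool $isAjax): string
{
    $ref = bin2hex(random_bytes(8)); // correlation id: lets support find the log line
    error_log(sprintf('[%s] %s: %s at %s:%d', $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: ' . ($isAjax ? 'application/json' : 'text/html') . '; charset=utf-8');
    }
    if ($isAjax) {
        // No message, file, line or trace reaches the browser, only the reference.
        return json_encode(['error' => 'Internal error', 'reference' => $ref], JSON_THROW_ON_ERROR);
    }
    return '<p>Something went wrong. Reference: ' . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Warnings and notices become exceptions so they take the same safe path.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // silenced with @ or below the configured level
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

set_exception_handler(function (Throwable $e): void {
    $isAjax = strtolower($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'xmlhttprequest';
    echo clientSafeError($e, $isAjax);
});
```

The AJAX branch is what the "AJAX error responses remain safe and sanitized" test item checks: the JSON body carries a fixed string and a random reference, so there is nothing in it to sanitize and nothing to leak.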

### Session And CSRF Controls
- [ ] CSRF validation is enforced server-side for state-changing operations.
- [ ] Session start and teardown are explicit wherever CSRF or session logic is used.
- [ ] Authenticated deployments use secure cookie settings.
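An added example (not this repository's code) of the three session items together: one explicit session start with `secure`, `httponly` and `samesite` cookie flags, a per-session CSRF token that forms embed and handlers verify with a constant-time comparison, and an explicit teardown. It assumes HTTPS, PHP 7.3 or later for the array form of `session_set_cookie_params()`, and that AJAX callers send the token in an `X-CSRF-Token` header.

```php
<?php
// Added example, not this repository's code: explicit session start with secure cookie flags,
// a per-session CSRF token, and server-side validation for state-changing requests.
// Assumptions: the site is served over HTTPS; AJAX callers send the token in an X-CSRF-Token header.
declare(strict_types=1);

/** Start the session exactly once, with cookie settings for an HTTPS deployment. */
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1'); // refuse session ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,        // dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // cross-site POSTs do not carry the cookie
    ]);
    session_start();
}

/** The session's CSRF token, created on first use. */
function csrfToken(): string
{
    startSecureSession();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field for every state-changing form. */
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Server-side check; the token may come from the form body or the AJAX header, never from the URL. */
function csrfValid(array $body, array $headers): bool
{
    startSecureSession();
    $expected = $_SESSION['csrf_token'] ?? '';
    $given = $body['csrf_token'] ?? $headers['X-CSRF-Token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

/** Explicit teardown: clear data, expire the cookie, destroy the server-side record. */
function endSession(): void
{
    startSecureSession();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'secure' => $p['secure'],
        'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// In a POST handler, before any state change:
$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if ($method === 'POST') {
    $headers = function_exists('getallheaders') ? getallheaders() : [];
    if (!csrfValid($_POST, $headers)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
}
```

`hash_equals()` rather than `===` keeps the comparison constant-time, and the token is only ever read from the POST body or a request header, so a link or image tag cannot supply it.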

### Dependency And Frontend Safety
- [ ] Third-party CDN assets are version-pinned.
- [ ] `integrity` and `crossorigin` attributes are set on CDN assets where the browser supports them.
- [ ] Dynamically injected HTML is not built from untrusted raw content.
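An added example (not a helper from this repository) that enforces the first two items in code rather than by review: CDN tags are only rendered for `https` URLs that carry an explicit version, with an `integrity` value that is computed from asset bytes you have already verified and a fixed `crossorigin="anonymous"`. The CDN host and the asset contents below are constructed placeholders.

```php
<?php
// Added example, not this repository's helper: render CDN tags only for https, version-pinned
// URLs with a well-formed SRI hash, and compute that hash from asset bytes you have verified.
// Assumptions: the CDN host below is a placeholder; the asset bytes are constructed for the demo.
declare(strict_types=1);

/** SRI value for known asset contents (e.g. the vendored copy you reviewed). */
function sriHash(string $contents, string $algo = 'sha384'): string
{
    return $algo . '-' . base64_encode(hash($algo, $contents, true));
}

/** True only when the path carries an explicit version (3.7.1, v3.7, @3.7.1) and no "latest". */
function isVersionPinned(string $url): bool
{
    $path = (string) parse_url($url, PHP_URL_PATH);
    return stripos($path, 'latest') === false
        && preg_match('~[/@]v?\d+\.\d+(\.\d+)?(/|$)~', $path) === 1;
}

/** Build a <script> or stylesheet <link> tag, refusing anything that fails the checks. */
function cdnTag(string $kind, string $url, string $integrity): string
{
    if (!in_array($kind, ['script', 'style'], true)) {
        throw new InvalidArgumentException('kind must be "script" or "style"');
    }
    if (strpos($url, 'https://') !== 0 || !isVersionPinned($url)) {
        throw new InvalidArgumentException("CDN asset must be https and version-pinned: $url");
    }
    if (preg_match('~^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$~', $integrity) !== 1) {
        throw new InvalidArgumentException('integrity must be an SRI hash such as sha384-...');
    }
    $url = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    $integrity = htmlspecialchars($integrity, ENT_QUOTES, 'UTF-8');
    return $kind === 'script'
        ? "<script src=\"$url\" integrity=\"$integrity\" crossorigin=\"anonymous\"></script>"
        : "<link rel=\"stylesheet\" href=\"$url\" integrity=\"$integrity\" crossorigin=\"anonymous\">";
}

// Usage: hash the bytes of the asset you verified, then emit the pinned tag.
$assetBytes = '/* constructed stand-in for the vendored library contents */';
echo cdnTag('script', 'https://cdn.example.invalid/vendor-lib/3.7.1/vendor-lib.min.js', sriHash($assetBytes)), PHP_EOL;

// Rejected: a floating "latest" URL would silently change what the browser runs.
try {
    cdnTag('script', 'https://cdn.example.invalid/vendor-lib/latest/vendor-lib.min.js', sriHash($assetBytes));
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}
```

Computing the hash from a local copy (`sriHash(file_get_contents($vendoredPath))`) means the pinned URL and the integrity value are derived from the same reviewed bytes; if the CDN ever serves something else, the browser refuses to run it.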

### Security Test Minimum
- [ ] Route traversal attempts fail safely.
- [ ] Unknown routes do not expose filesystem details.
- [ ] AJAX error responses remain safe and sanitized.
- [ ] Common XSS payloads do not execute.
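The following is an added example, not code from this repository, that serves both the "Input, Routing, And Output Safety" items and the "Security Test Minimum" above: request input is used only as a lookup key into an explicit allow-list, the resolved file is re-checked against the template directory, unknown routes get a generic 404, and `e()` escapes for an HTML context. The bottom of the file runs the minimum gate checks from the CLI. It assumes a `templates/` directory next to the script, keyed by route name.

```php
<?php
// Added example, not code from this repository: an allow-listed route resolver,
// an HTML-context escaper, and the minimal gate checks run from the CLI.
// Assumptions: templates live in templates/ next to this file and are keyed by route name.
declare(strict_types=1);

// Explicit allow-list: request input is only ever a lookup key, never a path fragment.
const ROUTES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/** Escape a value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Map a requested route to a template path, or null when it is not allowed. */
function resolveRoute(string $requested, string $templateDir = __DIR__ . '/templates'): ?string
{
    if (!array_key_exists($requested, ROUTES)) {
        return null; // unknown and traversal-like input share one outcome and leak nothing
    }
    $base = realpath($templateDir);
    $real = realpath($templateDir . '/' . ROUTES[$requested]);
    // Defence in depth: the resolved file must still sit inside the template directory.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Render a route; unknown routes get a generic 404 carrying no filesystem detail. */
function render(string $requested): string
{
    $template = resolveRoute($requested);
    if ($template === null) {
        http_response_code(404);
        return '<p>Page not found.</p>';
    }
    ob_start();
    include $template; // the path came from ROUTES, not from the request
    return (string) ob_get_clean();
}

/** Security Test Minimum, as checks that return true when the control holds. */
function securityChecks(): array
{
    $checks = [];
    // Traversal-shaped and unknown inputs must all resolve to null.
    foreach (['../../etc/passwd', '..\\..\\config.php', 'home.php', 'home/../about', ''] as $input) {
        $checks["route '$input' rejected"] = resolveRoute($input) === null;
    }
    // The 404 body must not carry any server path.
    $checks['404 leaks no path'] = strpos(render('does-not-exist'), __DIR__) === false;
    // Escaped payloads must contain no characters that could open a tag or attribute.
    foreach (['<script>alert(1)</script>', '" onmouseover="alert(1)', "'><img src=x onerror=alert(1)>"] as $payload) {
        $checks["payload escaped: $payload"] = strpbrk(e($payload), '<>"\'') === false;
    }
    return $checks;
}

if (PHP_SAPI === 'cli') {
    foreach (securityChecks() as $name => $ok) {
        echo ($ok ? 'PASS ' : 'FAIL ') . $name . PHP_EOL;
    }
}
```

Because the request value never becomes part of a path, `include` only ever receives a file named in `ROUTES`; the `realpath()` containment check is there so that a later edit to the allow-list (a value such as `../config.php`) is caught as well.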

## Should (Expected Security Practices)
- [ ] Inline event handlers are minimized for sensitive actions.
- [ ] Security-related decisions are documented in PR notes.
- [ ] Dependency updates include a brief risk review.
- [ ] Threat scenarios for new features are listed during review.

## Could (Optional Hardening)
- [ ] Add CSP headers for stricter script/style controls.
- [ ] Add a security headers baseline (HSTS, X-Frame-Options, Referrer-Policy).
- [ ] Add automated dependency vulnerability scanning.
- [ ] Add a periodic, lightweight security review cadence.
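An added example (not middleware from this repository) of the first two hardening items: the header baseline is built as an array so it can be inspected without a web server, the CSP uses a per-response nonce instead of `'unsafe-inline'`, and HSTS is only emitted on HTTPS responses. `https://cdn.example.invalid` stands in for whichever pinned CDN host the templates actually load from.

```php
<?php
// Added example, not this repository's middleware: the optional security-header baseline,
// with a nonce-based CSP instead of 'unsafe-inline'. Assumption: https://cdn.example.invalid
// is a placeholder for whichever pinned CDN host the templates actually load from.
declare(strict_types=1);

/** Header set for one response; returned as an array so it can be inspected without a web server. */
function securityHeaders(string $nonce, bool $isHttps, array $cdnHosts = []): array
{
    $scriptSrc = implode(' ', array_merge(["'self'", "'nonce-$nonce'"], $cdnHosts));
    $headers = [
        // Inline handlers (onclick=...) and inline <script> without the nonce are blocked.
        'Content-Security-Policy' => "default-src 'self'; script-src $scriptSrc; "
            . "style-src 'self' 'nonce-$nonce'; object-src 'none'; base-uri 'self'; "
            . "frame-ancestors 'none'; form-action 'self'",
        'X-Frame-Options'        => 'DENY',
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
    ];
    if ($isHttps) {
        // HSTS is only meaningful, and only honoured by browsers, on an HTTPS response.
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    return $headers;
}

/** Emit the headers before any output; returns the nonce for the templates to use. */
function sendSecurityHeaders(array $cdnHosts = []): string
{
    $nonce = base64_encode(random_bytes(16));
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    foreach (securityHeaders($nonce, $isHttps, $cdnHosts) as $name => $value) {
        header("$name: $value");
    }
    return $nonce;
}

// Usage at the top of the front controller, before the template renders:
$nonce = sendSecurityHeaders(['https://cdn.example.invalid']);
// In the template, each inline <script> that is kept gets nonce="..." with $nonce
// passed through htmlspecialchars(); everything else is blocked by the policy.
```

A nonce-based `script-src` is also what turns the "inline event handlers are minimized" item into something enforced rather than reviewed: `onclick` attributes cannot carry a nonce, so they stop executing the moment this header ships, which is why the policy should first be rolled out as `Content-Security-Policy-Report-Only` to find them.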

## Vulnerability Reporting
1. Do not open public issues containing exploit details.
2. Report privately to maintainers with impact and reproduction steps.
3. Allow maintainers time to triage and remediate before disclosure.

## Sign-Off Record
- [ ] Must items complete.
- [ ] Any Should exceptions documented and approved.
- [ ] Residual risk accepted by reviewer/maintainer.
- [ ] Testing evidence linked from [docs/TESTING_RULES.md](docs/TESTING_RULES.md).
