# Security Notes

This repository now ships the vanilla PHP implementation as the primary application. The points below describe the current baseline security posture for that codebase.

## Current Controls

- Direct access to sensitive paths is blocked in [public/.htaccess](public/.htaccess).
- Session cookies are configured with `HttpOnly` and `SameSite=Lax` in [src/bootstrap.php](src/bootstrap.php).
- Security headers are emitted in [src/bootstrap.php](src/bootstrap.php):
  - `X-Frame-Options: SAMEORIGIN`
  - `X-Content-Type-Options: nosniff`
  - `Referrer-Policy: strict-origin-when-cross-origin`
  - a restrictive baseline `Content-Security-Policy`
- CSRF handling exists in [src/Core/Csrf.php](src/Core/Csrf.php).
- API and auth throttling exist in [src/Core/RateLimiter.php](src/Core/RateLimiter.php).
- Passwords are stored with `password_hash()` and verified with `password_verify()`.
- The installer writes `APP_INSTALLED=true` to `.env`, and the public entrypoint redirects to `/install/` only while the app is not installed.
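The snippet below is an added example of what the cookie, header and CSRF pieces of such a baseline look like in plain PHP. It is not the project's `src/bootstrap.php` or `src/Core/Csrf.php`; the CSP directives, the `_csrf` field name and the HTTPS detection are assumptions chosen for illustration. It adds the `Secure` cookie flag, which the list above does not mention, because the deployment checklist requires HTTPS.

```php
<?php
// Added example, not the project's own bootstrap: session cookie flags,
// baseline security headers and a constant-time CSRF check. Directive values
// and field names are illustrative assumptions.
declare(strict_types=1);

// Cookie flags must be set before session_start(). 'secure' is derived from the
// request because a Secure cookie is never sent back over plain HTTP; behind a
// TLS-terminating proxy you would derive it from a proxy header you trust.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params([
    'lifetime' => 0,          // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => $https,
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Lax',      // not sent on cross-site POSTs or embedded requests
]);
session_start();

// Restrictive baseline CSP: same-origin only, no plugins, no framing by others.
// Add specific origins here when you introduce third-party assets or embeds.
$csp = implode('; ', [
    "default-src 'self'",
    "script-src 'self'",
    "style-src 'self'",
    "img-src 'self' data:",
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'self'", // CSP counterpart of X-Frame-Options: SAMEORIGIN
]);
header('X-Frame-Options: SAMEORIGIN');
header('X-Content-Type-Options: nosniff');
header('Referrer-Policy: strict-origin-when-cross-origin');
header('Content-Security-Policy: ' . $csp);

// One random CSRF token per session; created lazily on first use.
function csrf_token(): string
{
    if (empty($_SESSION['_csrf'])) {
        $_SESSION['_csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_csrf'];
}

// Hidden field to embed in every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// hash_equals() compares in constant time so the token cannot be recovered
// byte by byte through timing differences.
function csrf_verify(array $post): bool
{
    $expected = $_SESSION['_csrf'] ?? '';
    $given    = $post['_csrf'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Typical gate in a POST handler:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_verify($_POST)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
```

All `header()` calls and `session_start()` have to run before any output, which is why a bootstrap file is the natural place for them. If the app sits behind a proxy that terminates TLS, `$_SERVER['HTTPS']` will be empty and the cookie would lose `Secure`; in that case derive `$https` from the proxy's forwarding header, and only when the proxy is the sole way to reach PHP.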

## Deployment Checklist

- Run behind HTTPS in production, and confirm the session cookie then also carries the `Secure` flag; `HttpOnly` and `SameSite=Lax` do not stop the cookie from being sent over plain HTTP.
- Keep `.env` outside public exposure and do not commit real secrets.
- Restrict filesystem write permissions to what the app actually needs, especially `public/uploads/`, and make sure files in that directory cannot be executed as PHP.
- Remove the installer, or deny access to it in [public/.htaccess](public/.htaccess), after the first successful setup if your hosting model allows it.
- Use strong database credentials and a dedicated MySQL user whose privileges are limited to the application's own database.
- Review the CSP before adding third-party assets or external embeds; allow the specific origins you need rather than relaxing the policy as a whole.
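The following is an added example of a CLI preflight script that checks the filesystem items on this list before a deployment goes live. It is not part of the project. It assumes the layout implied by these notes: `.env` and `src/` beside a `public/` web root, with `public/uploads/` for uploads and an installer under `public/install/` (the installer directory name is an assumption); adjust the paths if your layout differs. HTTPS, database privileges and the CSP cannot be checked from the filesystem and stay manual.

```php
<?php
// Added example, not the project's own code: a deployment preflight for the
// filesystem side of the checklist. Run as: php preflight.php /path/to/repo
// Paths below are assumptions about the repository layout.
declare(strict_types=1);

$root     = realpath($argv[1] ?? __DIR__) ?: __DIR__;
$public   = $root . '/public';
$env      = $root . '/.env';
$uploads  = $public . '/uploads';
$install  = $public . '/install';   // assumed installer location
$failures = [];

// .env must exist, live outside the web root, not be world-readable, and
// record that installation has completed.
if (!is_file($env)) {
    $failures[] = ".env not found at $env";
} else {
    $publicReal = realpath($public);
    if ($publicReal !== false && strpos(realpath($env), $publicReal . '/') === 0) {
        $failures[] = '.env sits inside public/ and may be served directly';
    }
    if (fileperms($env) & 0004) {
        $failures[] = '.env is world-readable (chmod 640 or stricter)';
    }
    if (!preg_match('/^APP_INSTALLED=true\s*$/m', (string) file_get_contents($env))) {
        $failures[] = 'APP_INSTALLED is not true; the entrypoint will still redirect to /install/';
    }
}

// uploads/ is the one tree the app needs to write to; it must be writable,
// but nothing that looks like a PHP script should ever be stored there.
if (is_dir($uploads)) {
    if (!is_writable($uploads)) {
        $failures[] = 'public/uploads/ is not writable by this user';
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploads, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (preg_match('/\.(php\d?|phtml|phar)$/i', $file->getFilename())) {
            $failures[] = 'script-like file in uploads: ' . $file->getPathname();
        }
    }
}

// The entrypoint and the access rules must not be writable by group or others,
// otherwise a writable uploads/ is not the only way to change served code.
foreach (['index.php', '.htaccess'] as $name) {
    $path = $public . '/' . $name;
    if (is_file($path) && (fileperms($path) & 0022)) {
        $failures[] = "public/$name is group- or world-writable";
    }
}

// After setup the installer should be gone or explicitly denied.
if (is_dir($install)) {
    $failures[] = 'public/install/ still present; remove it or deny it in public/.htaccess';
}

foreach ($failures as $failure) {
    fwrite(STDERR, "FAIL: $failure\n");
}
fwrite(STDOUT, $failures ? "preflight failed\n" : "preflight ok\n");
exit($failures ? 1 : 0);
```

Run it as the same user the web server runs as, so the writability checks reflect what the app can actually do. A non-zero exit code makes it easy to wire into a deploy script so a misconfigured release stops before it is served.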

## Operational Note

This file intentionally replaces the old Laravel-specific security guidance so the branch documentation matches the framework-free architecture now present at the repository root.
