mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-03-31 06:03:29 +08:00
* feat: add laravel skills
* docs: fix laravel patterns example
* docs: add laravel api example
* docs: update readme and configure-ecc for laravel skills
* docs: reference laravel skills in php rules
* docs: add php import guidance
* docs: expand laravel skills with more pattern, security, testing, and verification examples
* docs: add laravel routing, security, testing, and sail guidance
* docs: fix laravel example issues from code review
* docs: fix laravel examples and skills per review findings
* docs: resolve remaining laravel review fixes
* docs: refine laravel patterns and tdd guidance
* docs: clarify laravel queue healthcheck guidance
* docs: fix laravel examples and test guidance
* docs: correct laravel tdd and api example details
* docs: align laravel form request auth semantics
* docs: fix laravel coverage, imports, and scope guidance
* docs: align laravel tdd and security examples with guidance
* docs: tighten laravel form request authorization examples
* docs: fix laravel tdd and queue job examples
* docs: harden laravel rate limiting and policy examples
* docs: fix laravel pagination, validation, and verification examples
* docs: align laravel controller response with envelope
* docs: strengthen laravel password validation example
* docs: address feedback regarding examples
* docs: improve guidance and examples for pest usage
* docs: clarify laravel upload storage and authorization notes
* docs: tighten up examples
38 lines
1.3 KiB
Markdown
---
paths:
  - "**/*.php"
  - "**/composer.lock"
  - "**/composer.json"
---

# PHP Security

> This file extends [common/security.md](../common/security.md) with PHP-specific content.

## Input and Output

- Validate request input at the framework boundary (`FormRequest`, Symfony Validator, or explicit DTO validation).
- Escape output in templates by default; treat raw HTML rendering as an exception that must be justified.
- Never trust query params, cookies, headers, or uploaded file metadata without validation.

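The following is an added example, not part of this rules file or the project it belongs to. It shows the "explicit DTO validation" option from the list above in framework-agnostic PHP, together with an escape-by-default output helper. The `CreateCommentRequest` class, its field names and limits, the `e()` helper and the sample input are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original rules file): validate an untrusted
// request array into a DTO at the boundary, then escape on output.
// Field names, limits and the e() helper are assumed for illustration.

final class CreateCommentRequest
{
    private function __construct(
        public readonly string $author,
        public readonly string $body,
        public readonly ?int $parentId,
    ) {}

    /** Build from an untrusted array ($_POST, a decoded JSON body, ...). */
    public static function fromArray(array $input): self
    {
        $errors = [];

        // Type-check before trimming: a nested array or an int is not a name.
        $author = isset($input['author']) && is_string($input['author']) ? trim($input['author']) : '';
        if ($author === '' || mb_strlen($author) > 64) {
            $errors['author'] = 'required, at most 64 characters';
        }

        $body = isset($input['body']) && is_string($input['body']) ? trim($input['body']) : '';
        if ($body === '' || mb_strlen($body) > 5000) {
            $errors['body'] = 'required, at most 5000 characters';
        }

        // Optional integer: reject "12abc", zero/negative values and arrays
        // instead of letting an (int) cast silently coerce them.
        $parentId = null;
        if (isset($input['parent_id']) && $input['parent_id'] !== '') {
            $parentId = filter_var($input['parent_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
            if ($parentId === false) {
                $errors['parent_id'] = 'must be a positive integer';
            }
        }

        if ($errors !== []) {
            throw new InvalidArgumentException(json_encode($errors, JSON_THROW_ON_ERROR));
        }

        return new self($author, $body, $parentId);
    }
}

/** Escape for HTML text and attribute contexts; the default for every template variable. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, shaped like a submitted browser form.
$untrusted = [
    'author'    => '  Mallory <script>alert(1)</script>',
    'body'      => 'Hello "world" & friends',
    'parent_id' => '7',
];

$request = CreateCommentRequest::fromArray($untrusted);

// Rendering: escaped by default. Raw output would go through a separate,
// explicitly named helper that is reviewed case by case.
printf("<p class=\"author\">%s</p>\n", e($request->author));
printf("<p>%s</p>\n", e($request->body));
printf("<!-- parent: %s -->\n", $request->parentId ?? 'none');

// A malformed submission is rejected before any business logic runs.
try {
    CreateCommentRequest::fromArray(['author' => '', 'body' => 'x', 'parent_id' => '12abc']);
} catch (InvalidArgumentException $ex) {
    echo "rejected: {$ex->getMessage()}\n";
}
```

In Laravel the same boundary is a `FormRequest` with `rules()`, and Blade's `{{ }}` performs the escaping that `e()` does here; the point of the DTO version is that every field is type-checked and bounded once, and nothing downstream has to re-validate.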
## Database Safety

- Use prepared statements (`PDO`, Doctrine, Eloquent query builder) for all dynamic queries.
- Avoid string-building SQL in controllers/views.
- Scope ORM mass-assignment carefully and whitelist writable fields.

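The block below is an added example and not code from this rules file or its project. It runs against an in-memory SQLite database so it works offline; the `users` table, its rows, the `SORTABLE` allow-list and the function names are constructed for the demonstration. It contrasts a string-built query with a prepared statement and shows the one case parameters cannot cover, identifiers in `ORDER BY`, which is why those come from an allow-list.

```php
<?php
declare(strict_types=1);

// Added example (not from the original rules file). Constructed schema and
// rows in an in-memory SQLite database so the script runs offline.

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // native prepares where the driver supports them
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT, created_at TEXT)');
$pdo->exec("INSERT INTO users (email, role, created_at) VALUES
    ('alice@example.test', 'admin',  '2024-01-01'),
    ('bob@example.test',   'member', '2024-02-01'),
    ('carol@example.test', 'member', '2024-03-01')");

// What the rule forbids: the value becomes part of the statement text, so
// the database cannot tell data from SQL. Any quote character in the input
// changes the query's meaning (here it simply breaks the statement).
function findByEmailUnsafe(PDO $pdo, string $email): array
{
    return $pdo->query("SELECT id, email FROM users WHERE email = '$email'")->fetchAll();
}

// Prepared statement: the value travels as a bound parameter and is never
// parsed as SQL, whatever characters it contains.
function findByEmail(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll();
}

// Identifiers (column names, sort direction) cannot be bound as parameters,
// so they are mapped from a fixed allow-list, never copied from the request.
const SORTABLE = ['email' => 'email', 'created' => 'created_at'];

function listUsers(PDO $pdo, string $sortKey, string $direction, int $limit): array
{
    $column = SORTABLE[$sortKey] ?? throw new InvalidArgumentException("unknown sort key: $sortKey");
    $dir    = strtolower($direction) === 'desc' ? 'DESC' : 'ASC';

    $stmt = $pdo->prepare("SELECT id, email FROM users ORDER BY $column $dir LIMIT :limit");
    $stmt->bindValue(':limit', max(1, min($limit, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// A perfectly legitimate address containing an apostrophe is enough to
// show the difference between the two approaches.
$email = "o'brien@example.test";

try {
    findByEmailUnsafe($pdo, $email);
} catch (PDOException $ex) {
    echo "string-built query failed: {$ex->getMessage()}\n";
}
printf("prepared query: %d rows\n", count(findByEmail($pdo, $email))); // 0 rows, no such user

foreach (listUsers($pdo, 'created', 'desc', 2) as $row) {
    echo "{$row['id']} {$row['email']}\n";
}

try {
    listUsers($pdo, 'role; DROP TABLE users', 'asc', 10);
} catch (InvalidArgumentException $ex) {
    echo "rejected sort key: {$ex->getMessage()}\n";
}
```

For the third bullet, the Eloquent equivalent of the allow-list idea is declaring `$fillable` on the model (or using `$request->validated()` rather than `$request->all()` as the input to `create()`), so that a request cannot set columns such as `role` that the form never exposed.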
## Secrets and Dependencies

- Load secrets from environment variables or a secret manager, never from committed config files.
- Run `composer audit` in CI and review new package maintainer trust before adding dependencies.
- Pin major versions deliberately and remove abandoned packages quickly.

## Auth and Session Safety

- Use `password_hash()` / `password_verify()` for password storage.
- Regenerate session identifiers after authentication and privilege changes.
- Enforce CSRF protection on state-changing web requests.

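The following is an added example, not code from this rules file or the project, covering all three bullets in one login flow: `password_hash()` / `password_verify()` with `password_needs_rehash()` for transparent upgrades, `session_regenerate_id(true)` at login, and a per-session CSRF token compared with `hash_equals()`. The user store is a constructed in-memory array, and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original rules file). Plain-PHP login flow
// using the native session; the user store below is constructed in memory.

// --- Password storage -------------------------------------------------------

function hashPassword(string $plain): string
{
    // PHP picks the algorithm and cost; the hash string records both, so
    // password_needs_rehash() can migrate old hashes when defaults change.
    return password_hash($plain, PASSWORD_DEFAULT);
}

/** Returns the (possibly upgraded) hash on success, null on failure. */
function checkPassword(string $plain, string $storedHash): ?string
{
    if (!password_verify($plain, $storedHash)) {
        return null;
    }
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT) ? hashPassword($plain) : $storedHash;
}

// --- Session handling -------------------------------------------------------

function startSession(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

function loginUser(int $userId): void
{
    // A fresh id after authentication defeats session fixation: an id that
    // was planted before login no longer refers to the authenticated session.
    // Do the same after a privilege change (e.g. role escalation, sudo mode).
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['csrf']    = bin2hex(random_bytes(32));
}

function logoutUser(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// --- CSRF -------------------------------------------------------------------

function csrfToken(): string
{
    return $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
}

/** Call on every POST/PUT/PATCH/DELETE handler before it changes state. */
function assertCsrf(array $request): void
{
    $sent = $request['_token'] ?? '';
    // hash_equals() compares in constant time and rejects non-string input.
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) {
        throw new RuntimeException('CSRF token mismatch');
    }
}

// --- Demo -------------------------------------------------------------------

$users = [ // constructed user store; the hash is created at startup for the demo
    'alice' => ['id' => 1, 'hash' => hashPassword('correct horse battery staple')],
];

startSession();
$before = session_id();

$upgraded = checkPassword('correct horse battery staple', $users['alice']['hash']);
if ($upgraded === null) {
    exit("login failed\n");
}
$users['alice']['hash'] = $upgraded;   // persist if it was rehashed
loginUser($users['alice']['id']);

printf("session id changed at login: %s\n", session_id() !== $before ? 'yes' : 'no');

assertCsrf(['_token' => csrfToken()]);   // genuine form submission
try {
    assertCsrf(['_token' => 'forged']);  // cross-site request without the token
} catch (RuntimeException $ex) {
    echo "blocked: {$ex->getMessage()}\n";
}
```

In Laravel these three pieces map onto `Hash::make()` / `Hash::check()`, `$request->session()->regenerate()` after a successful `Auth::attempt()`, and the `VerifyCsrfToken` middleware with `@csrf` in forms; the plain-PHP version above makes visible what those helpers do.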
## Reference

See skill: `laravel-security` for Laravel-specific security guidance.