2026-03-26 17:16:27 -07:00
---
paths:
- "src/api/**"
- "src/auth/**"
- "src/middleware/**"
- "**/routes/**"
- "**/controllers/**"
---
# Security
- Validate all user input at the system boundary. Never trust request parameters.
- Use parameterized queries — never concatenate user input into SQL or shell commands.
- Sanitize output to prevent XSS. Use framework-provided escaping.
- Authentication tokens must be short-lived. Store refresh tokens server-side only.
- Never log secrets, tokens, passwords, or PII.
- Use constant-time comparison for secrets and tokens.
- Set appropriate CORS, CSP, and security headers.
- Rate-limit authentication endpoints.