SOC 2 Essentials rules

Use app.UseHsts(); app.UseHttpsRedirection(); store DataProtection keys in Azure Key Vault or KMS with rotation.

Actions like role changes, key rotations, and exports of PII require MFA re-authentication within the last 5 minutes; record mfa_verified_at in the audit log.

Configure http.Server with tls.Config{MinVersion: tls.VersionTLS12} and set cookies with Secure, HttpOnly, SameSite.

Attach a trace_id (e.g., from request header or generated UUID) and emit structured JSON logs for login, role change, and data export routes.

Populate MDC with userId and traceId; include them in log pattern; log security events as JSON.

Configure CookiePolicyOptions to enforce SameSite=Lax or Strict, HttpOnly, and Secure for all auth cookies.

Run a scheduled job that deletes telemetry after 30 days and anonymizes PII after the retention window; log deletions with data_class and count.

Establish maintenance windows and freeze periods; emergency overrides require incident_id, approver, and post-facto review logged in the audit trail.

Implement a tracing layer that scans fields and redacts patterns (JWT, API keys, emails) before output.

Set APP_DEBUG=false and hide stack traces; send errors to a centralized logger with trace_id instead.

Use $dontFlash in app/Http/Middleware/TrimStrings.php or logging processors to redact 'password', 'token', 'ssn', and emails.

All production deployments must reference a change ticket ID, peer approval, and linked rollout plan; write the change_id to the audit log on deploy.

Intercept Authorization headers and redact bearer/JWT values; attach requestId to every log line.

Configure Monolog to add a processor that redacts emails, tokens, and SSNs before writing logs; include request_id.

Use context.WithTimeout for HTTP and DB calls; log request deadlines and results; treat timeouts as audit-worthy events.

Wrap logger to filter emails and tokens using regex before logging; include trace_id in every entry.

Where relevant, include links to RFCs, regulatory guidance, or benchmarks in the ADR (e.g., RFC 9110 for HTTP, PCI DSS sections), under a 'References' section.

Add middleware to set HSTS, X-Content-Type-Options, and secure cookies; log JSON with actor and trace_id for auth and admin routes.

On Sev1/Sev2 incidents, capture timeline, root cause, remediation, and owner in a postmortem within 5 business days; link incident_id in all related commits and changes.

Emit JSON audit events via ActiveSupport::Notifications with user_id, action, resource_id, and request_id.

Log security events via ILogger with properties {Action, UserId, ResourceId, Result, TraceId}; configure sink to JSON and send to SIEM.

Expose explicit API versions (e.g., v1, v2). Breaking changes require a deprecation window and a CHANGELOG entry; log api_version in requests for traceability.