Security Hardening rules

Add a 'Security & Privacy' section in ADRs addressing threat model impacts, secrets handling, data retention, and PII processing; link to relevant runbooks and DPA if applicable.

Provide a single permission check API (e.g., can(user, action, resource)) and reuse it across layers.

When accepting a slice or map from external snippet or returning one, consider copying it. This prevents unintentional modifications to the original data. For example, don't store a slice argument directly if the caller might modify it later; instead, make a copy for internal use.

If a PR introduces workloads in a namespace that lacks a default-deny NetworkPolicy, add one plus explicit allow rules.

All bulk exports of PII require approval, step-up MFA, rate limits, and watermarking of files with requestor and timestamp; record export_id in the audit log.

Require TOTP or WebAuthn MFA for admin areas; verify mfa_verified_at timestamp before sensitive routes.

Avoid using directives or features that bypass Vue's built-in HTML escaping mechanisms, such as the `v-html` directive, unless the content is known to be safe or has been properly sanitized.

Registry configuration (e.g., .npmrc, .yarnrc.yml) must live at the monorepo root. Forbid .npmrc files inside workspace packages overriding registry auth or URL.

Configure your application not to display detailed error messages (stack traces, PHP warnings) to end users in production. Instead, log errors for developers and show a generic message to users.

Avoid passing untrusted values to include/require statements. If you need to include files based on external input, strictly validate that input (for example, using a whitelist of valid filenames).

Never write Protected Health Information (PHI/ePHI) to logs. Redact fields like name, SSN, MRN, DOB, address, diagnoses, and lab results; store only non-identifying metadata and a stable request trace id. If logging is required for troubleshooting, replace values with consistent tokens and record access separately in the audit log.

Ensure that CSRF protection is enforced. Disabling CSRF protection allows malicious sites to execute unauthorized actions on behalf of authenticated users.

When sending session or other sensitive cookies, always enable the HttpOnly and Secure flags (and consider SameSite). HttpOnly prevents JavaScript access, and Secure ensures the cookie is only sent over HTTPS.

Use AES-GCM with keys from KMS to encrypt sensitive columns (e.g., SSN) before saving; store nonce and auth tag; never rely solely on disk encryption.

Encrypt sensitive columns (e.g., email, phone) with managed keys; ensure DB connection enforces TLS. Store only ciphertext; compare via deterministic token/hashes when needed. (GDPR Art. 32)

If PAN must be handled transiently, encrypt in memory with AES-256-GCM using a KMS/HSM-provided key, store only ciphertext or tokens, and zeroize plaintext buffers immediately. Rotate keys per policy. (PCI DSS 4.0 Req. 3)

Allowing anonymous LDAP connections exposes directory data to unauthorized users. Always require authentication.

Use helmet to set HSTS and configure cookies with Secure, HttpOnly, and SameSite. Reject HTTP by redirecting to HTTPS.

Install HSTS in Ktor, require HTTPS redirects, and emit structured audit events for role changes with callId/traceId.

Force HTTPS via middleware, set HSTS, and configure session cookies with secure=true, http_only=true, same_site=lax or strict in config/session.php.

Use Spring Security to require HTTPS, enable HSTS, set session fixation protection, and configure SameSite, Secure, HttpOnly cookies.

Grant production access just-in-time via approved requests with scoped durations; break-glass access must trigger alerts and expanded audit logging.

Applications serving ePHI must require HTTPS, disable insecure ciphers, and enable HSTS with preload and includeSubDomains. Reject cleartext HTTP requests.

All outbound connections that may carry CHD/PAN tokens must enforce TLS >= 1.2, validate hostname/chain, and optionally pin gateway SPKI. Disable insecure ciphers/versions. (PCI DSS 4.0 Req. 4)