Always escape or sanitize user-provided content before displaying it in HTML. Use functions like htmlspecialchars() to convert special characters into HTML entities.
security-hardening, stack-php
High
force_ssl and parameter filtering
Enable config.force_ssl = true; add filter_parameters to redact PII and secrets; use secure_same_site for cookies.
compliance-soc2-essentials, security-hardening, +1
High
Gate CHD token access with explicit PCI roles
Any code path that reads, decrypts, or exchanges PAN tokens must require an explicit authorization policy (e.g., role "pci:read_token") and log access without PAN. Deny by default. (PCI DSS 4.0 Req. 7 & 10)
compliance-pci-dss, security-hardening, +1
High
Harden session management with idle and absolute timeouts
Set session idle timeout ≤ 15 minutes and absolute timeout ≤ 12 hours; cookies must be Secure, HttpOnly, and SameSite=Lax or Strict; revoke sessions on password change.
compliance-soc2-essentials, security-hardening, +1
High
Implement multi-stage builds for production
Use a builder stage for toolchains/dev deps and a minimal runtime stage that contains only runtime artifacts.
container-docker-hygiene, security-hardening
High
Implement RBAC with least privilege and deny-by-default
Authorize every request by role and resource scope. Policies must default-deny and require explicit allow; privileged roles (admin, auditor) must be rare and reviewed quarterly.
compliance-soc2-essentials, security-hardening, +1
High
International transfers: enforce region allow-list for PII
Before sending PII to processors, verify the destination region is approved (e.g., BR/EEA with SCC/DPA). Block requests that include personal data and target non-approved regions.
compliance-lgpd, security-hardening, +1
High
Load PHI-related secrets from a secret manager, never from code
Access tokens, HMAC salts, and KMS keys for PHI flows must come from a secret manager or encrypted credentials store; forbid committing secrets or .env files to the repo.
compliance-hipaa, secrets-credentials, +2
High
Middleware only for light auth/rewrites
Keep middleware fast and side-effect free (no DB writes). Narrow the matcher and skip static assets. Use Route Handlers for heavy logic.
stack-nextjs, stack-react, +2
High
mTLS for internal service-to-service traffic
Configure Spring Boot to require client certificates for internal APIs (clientAuth=REQUIRE) and restrict CAs; log peer certificate subject in audit events.
compliance-soc2-essentials, security-hardening, +1
High
Never expose secrets to the client
Read secrets (process.env.*) only in Server Components, Route Handlers, or server actions. Client Components must use ONLY NEXT_PUBLIC_* variables.
stack-nextjs, stack-react, +3
High
Pin container images by digest in Helm/K8s
Use immutable image digests (repo@sha256:...) instead of mutable tags for production workloads.
infra-as-code, dependency-supply-chain, +1
High
Portable DSAR export with signed URL and TTL
Provide an authenticated endpoint that assembles a user's data into a structured JSON export and returns a short-lived signed URL (≤24h). Include integration tests in the PR. (GDPR Art. 20)
compliance-gdpr, api-conventions, +2
High
Prevent Memory Allocation Vulnerabilities
Check if memory allocation sizes are derived from untrusted input. Attackers may exploit this to crash the program or consume excessive resources. Recommend validating and limiting allocation sizes.
security-hardening, stack-python
High
Prevent Reflection Injection Attacks
Reflection methods that process untrusted input can be exploited for remote code execution. Always validate and sanitize external input before using reflection.
security-hardening
High
Prevent Server-Side Request Forgery (SSRF)
Ensure that server-side requests are properly validated to prevent SSRF attacks.
security-hardening
High
Protect backups/exports of ePHI with KMS and restricted buckets
Write ePHI backups to storage with server-side encryption (SSE-KMS) and least-privilege access; disallow public ACLs and cross-account access without a BAA. Record the KMS key id in metadata.
compliance-hipaa, security-hardening, +2
High
Protect Critical Forms with CSRF Tokens
Implement anti-CSRF tokens in forms performing sensitive actions (like state changes or deletions). Generate a unique token per session or request and validate it on the server before processing the form action.
security-hardening, stack-php
High
Read headers/cookies only on the server
Use headers() and cookies() in Server Components, Route Handlers, or server actions; never in Client Components.
stack-nextjs, stack-react, +2
High
Redact PII in logs and metrics by default
Logging/metrics must redact or hash personal data; attach lawful_basis and purpose to diagnostic context; forbid raw PII in logs. (GDPR Art. 5(1)(c) data minimization)
compliance-gdpr, observability-logging, +1
High
Require a plan artifact and policy checks in CI
CI must run fmt/validate, produce and upload a plan artifact (e.g., terraform plan -out plan.bin), run policy-as-code (e.g., tfsec/checkov/conftest), and gate apply on manual approval for prod.
infra-as-code, ci-cd-build-hygiene, +1
High
Require HTTPS and HSTS with Data Protection keys
Use app.UseHsts(); app.UseHttpsRedirection(); store DataProtection keys in Azure Key Vault or KMS with rotation.
compliance-soc2-essentials, security-hardening, +1
High
Require MFA for admin actions touching ePHI
Endpoints under /admin or privileged routes that can view or export ePHI must enforce multi-factor authentication and recent re-auth (e.g., within 15 minutes).
compliance-hipaa, security-hardening, +1
High
Require step-up MFA for privileged operations
Actions like role changes, key rotations, and exports of PII require MFA re-authentication within the last 5 minutes; record mfa_verified_at in the audit log.