Security Hardening rules

Configure http.Server with tls.Config{MinVersion: tls.VersionTLS12} and set cookies with Secure, HttpOnly, SameSite.

Handlers must return non-2xx status codes for error outcomes and include a minimal error body that does not leak sensitive details.

Without a timeout, regex processing on untrusted input can be exploited for Denial-of-Service (DoS) attacks. Always define a timeout when using regex.

Never hardcode credentials (API keys, tokens, private keys) in source code, configs, or tests. If a string looks like a credential based on context (variable name, header usage, auth flows), treat it as a secret even if it is not high-entropy. Move it to env/secret manager, rotate the credential if it may have leaked, and remove it from git history if necessary.

For web/mobile payment forms, send PAN and CVV directly to the PCI-compliant gateway to obtain a single-use token; submit only the token to your backend. Validate that backend APIs reject requests containing PAN/SAD. (PCI DSS scoping & SAQ A)

For security tokens (session IDs, CSRF tokens, password‐reset links), use cryptographically secure random functions like random_bytes() or openssl_random_pseudo_bytes(), instead of predictable functions like rand() or mt_rand().

Do not build SQL queries by directly concatenating untrusted data. Instead, use prepared statements with parameters (for example, using PDO or MySQLi) to prevent SQL Injection.

Prefer app/api route handlers over legacy pages/api. Return NextResponse.json, validate input, and handle allowed HTTP methods explicitly.

Do not use weak or generic hash algorithms (like MD5 or SHA1) for storing passwords. Use built‐in functions like password_hash() (with BCRYPT or Argon2) and password_verify(), which handle salting and secure algorithms automatically.

Prefer TryParse-style APIs for user/IO input instead of Parse, and validate culture/format where applicable.

Never trust data received from users, forms or requests. Always validate the expected format (e.g., numbers, emails) and sanitize/remove unexpected characters or content using appropriate techniques (filter_var, filter_input, etc.).

After decoding, assert required keys and types before use; reject unexpected shapes.

If a PR changes redirect/header configuration (e.g., middleware redirects, CDN headers, security headers), validate it against the active edge rules to avoid conflicts. - If a Cloudflare MCP is available: fetch active rules and detect potential redirect loops, duplicate rules, or header conflicts. - Otherwise: require the author to link the relevant Cloudflare rules/screenshots in the PR description.

Validate and sanitize all request bodies and search params on the server using a schema (e.g., zod). Reject invalid payloads with proper status.

For any handler that reads or writes ePHI, write an append-only audit record with user id, patient id, action (READ_PHI/WRITE_PHI), purpose-of-use, timestamp, and request id. Prevent deletion or mutation of audit entries.

Ensure that JSON data is validated before parsing. Parsing untrusted JSON without validation can result in runtime errors or vulnerabilities.

Ensure that console statements are removed in production code. Console logs can expose sensitive data and impact performance.

Do not include internal identifiers (DB IDs, service IDs, tokens) in client-facing errors. Log them internally; return generic messages externally.

Identify `rescue Exception` statements and suggest replacing them with `rescue StandardError` to avoid catching critical system exceptions.

Ensure that CORS policies are properly defined. Weak or missing CORS policies may allow unauthorized domains to access your resources, leading to security vulnerabilities.

Configure CookiePolicyOptions to enforce SameSite=Lax or Strict, HttpOnly, and Secure for all auth cookies.

When configuring processors outside the EEA, annotate the config with transfer_mechanism (e.g., SCCs) and link to the signed SCC document; prevent enablement without this metadata. (GDPR Art. 46)

Set APP_DEBUG=false and hide stack traces; send errors to a centralized logger with trace_id instead.

Check for missing or incorrect autocomplete attributes. Proper use of autocomplete improves accessibility and usability, especially for screen readers.