# security-basics

Security baselines: never commit secrets, parameterised queries only, validate at trust boundaries, never log PII.

```bash
npx rulepack add security-basics
```

## What it covers

- Secrets: never commit them, keep `.env*` out of git, inject production secrets via the platform (never bake `.env` into images)
- SQL: parameterised queries only — no string concatenation with user input, escape LIKE wildcards from user input
- Input validation at the trust boundary (HTTP / IPC / file read) with a schema (zod / pydantic / serde)
- Authentication: hash passwords with argon2id or scrypt (never SHA256/MD5), set `httpOnly` / `secure` / `sameSite` on session cookies, never log bearer tokens
- Logging & dependencies: no PII or credentials in logs, structured JSON output, and a clean `npm audit` / `cargo audit` / `pip-audit` with Renovate/Dependabot enabled

Designed to pair with framework-specific packs (`nextjs`, `python-fastapi`, `rust-axum`, etc.).

## Source

Rules align with OWASP guidance (Top 10 + Cheat Sheet Series): https://owasp.org/www-project-top-ten/

## License

MIT
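The SQL rule above (parameterised query plus LIKE-wildcard escaping) as a worked example; this is added illustration, not code shipped with the rulepack. It uses Python's standard-library `sqlite3` against a constructed in-memory `users` table, and shows the escaped search beside a parameterised-but-unescaped one so the difference is visible.

```python
import sqlite3

LIKE_ESCAPE = "\\"  # escape character declared via the ESCAPE clause


def escape_like(term: str, escape: str = LIKE_ESCAPE) -> str:
    """Escape LIKE metacharacters so user input is matched literally.

    The escape character itself is doubled first, then % and _ are prefixed.
    """
    return (
        term.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def search_usernames(conn: sqlite3.Connection, term: str) -> list[str]:
    """Hardened form: bound parameters AND escaped wildcards."""
    pattern = "%" + escape_like(term) + "%"
    # The user term is bound as a value (never spliced into the SQL text),
    # and the escape character is bound too, so the statement text is constant.
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE ? ORDER BY username",
        (pattern, LIKE_ESCAPE),
    ).fetchall()
    return [r[0] for r in rows]


def search_usernames_unescaped(conn: sqlite3.Connection, term: str) -> list[str]:
    """Parameterised but NOT escaped: a '%' or '_' from the user widens the match."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ORDER BY username",
        ("%" + term + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one username deliberately contains % and _."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)",
        [("alice",), ("bob_smith",), ("100%_done",), ("carol",)],
    )
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("escaped  '%':", search_usernames(db, "%"))          # only the literal match
    print("unescaped '%':", search_usernames_unescaped(db, "%"))  # every row
```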