This skeleton is a starting point, not a complete application security layer.
Do not commit:

- `.env` or deployment config with real values
- API keys, OAuth secrets, private tokens, passwords, or certificates
- production logs, cache files, uploads, media libraries, and database dumps
- copied project documentation that contains names, domains, client data, or private workflow notes

Web server and transport:

- Apache can use the included `.htaccess` rules.
- Nginx needs equivalent `server` or `location` rules.
- Deny direct web access to VCS metadata, logs, config files, SQL dumps, backups, and temporary files.
- The tracked `cfg/.htaccess` denies direct Apache access to `cfg/`.
- Use HTTPS in production.

Application code:

- Treat `clean_all_inputs()` as a small skeleton helper, not a complete security model.
- Escape output according to context: HTML, attributes, URLs, JavaScript, or JSON.
- Add CSRF protection before enabling state-changing forms.
- Add authentication and authorization before adding private pages.
- Validate uploaded files by size, extension, MIME type, storage path, and access policy.
- Add a real session policy before building account features.
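The skeleton ships only Apache rules; the Nginx `server` block below is an added example (not part of the skeleton) of the equivalent deny rules: it blocks `cfg/`, dotfiles and VCS metadata, and common log, dump, backup and temporary file extensions, and only hands existing `.php` files to PHP-FPM. The hostname, document root, certificate paths and FPM socket are placeholders to be replaced for a real deployment.

```nginx
server {
    listen 443 ssl;
    server_name example.invalid;                     # placeholder hostname

    # Placeholder certificate paths; HTTPS is required in production.
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    root  /var/www/skeleton;                         # assumed document root
    index index.php;

    # Mirror cfg/.htaccess: no direct web access to the config directory.
    # ^~ stops regex matching, so /cfg/anything.php never reaches PHP-FPM.
    location ^~ /cfg/ {
        return 404;
    }

    # Dotfiles and VCS metadata: .git, .svn, .hg, .env, .htaccess, ...
    location ~ /\. {
        return 404;
    }

    # Logs, SQL dumps, backups, temporary and editor files by extension.
    location ~* \.(log|sql|gz|zip|bak|old|orig|tmp|swp|ini|conf|yml|yaml)$ {
        return 404;
    }

    # Everything else goes to the front controller.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Only pass .php files that actually exist on disk to PHP-FPM.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;     # assumed FPM socket
    }
}
```

Run `nginx -t` after installing the block, then confirm with `curl -I` that `/cfg/`, `/.git/HEAD` and a `.sql` path return 404 while `/index.php` is served.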
The skeleton intentionally avoids package manager assumptions. If a downstream project adds dependencies, commit lock files and document the install process.