diff --git a/.jules/rules/security.md b/.jules/rules/security.md index b6087ab..a72b718 100644 --- a/.jules/rules/security.md +++ b/.jules/rules/security.md @@ -9,7 +9,7 @@ tags: --- # 🛡️ System Security & Hardening Rules for Jules -## 🎯 1. Context & Scope +## 📝 1. Context & Scope - **Primary Goal:** Protect application data and user privacy by strictly enforcing **secure coding** practices and preventing common **OWASP Top 10** vulnerabilities. - **Target Tooling:** Jules AI agent (Security Audits, Authentication Logic Generation). - **Tech Stack Version:** Agnostic (Cybersecurity Best Practices). 
@@ -20,21 +20,21 @@ tags: --- -## 🌐 2. Global Threat Mitigation Protocols +## 🌍 2. Global Threat Mitigation Protocols > [!WARNING] > **Secret Leakage:** Never hardcode secrets, API keys, passwords, or tokens in the codebase. Always load sensitive data via environment variables (`process.env`) and inject them securely. -### 🛑 OWASP Top 10 Prevention +### 🛡️ OWASP Top 10 Prevention 1. **Injection (SQLi, NoSQLi, Command):** Never directly concatenate user input into database queries or shell commands. Always use parameterized queries (Prepared Statements) or an approved ORM/Query Builder. -2. **Cross-Site Scripting (XSS):** Automatically escape or sanitize all untrusted user content before rendering it in the browser. Do not use dangerously permissive innerHTML setters without a strict HTML sanitizer (like DOMPurify). +2. **Cross-Site Scripting (XSS):** Automatically escape or sanitize all untrusted user content before rendering it in the browser. Do not use unsafe innerHTML setters without a strict HTML sanitizer (like DOMPurify). 3. **Cross-Site Request Forgery (CSRF):** State-changing endpoints must require modern CSRF mitigation, such as SameSite cookies or Anti-CSRF tokens. -### 🔐 Identity & Access Management (IAM) +### 🔑 Identity & Access Management (IAM) 1. **Authentication:** Passwords must be hashed using strong, salted algorithms (e.g., Argon2, bcrypt). Plaintext passwords must never hit the database or logs. 2. **Authorization:** Implement Principle of Least Privilege (PoLP). Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) must be checked at the *server level*, not just hidden on the client UI. -### 🏛️ Security Architecture +### 🏰 Security Architecture ```mermaid graph TD 
@@ -45,18 +45,19 @@ graph TD D -->|Sanitized Payload| F[(Database)] D -.->|No PII Logged| G[Logs: PII Masking] - style A fill:#f9f,stroke:#333,stroke-width:2px - style B fill:#bbf,stroke:#333,stroke-width:2px - style C fill:#fbb,stroke:#333,stroke-width:2px - style D fill:#bfb,stroke:#333,stroke-width:2px - style E fill:#f00,stroke:#333,stroke-width:2px,color:#fff - style F fill:#ccc,stroke:#333,stroke-width:2px - style G fill:#ddd,stroke:#333,stroke-width:2px,stroke-dasharray: 5 5 %% Added Design Token Styles for Mermaid Diagrams classDef default fill:#e1f5fe,stroke:#03a9f4,stroke-width:2px,color:#000; classDef component fill:#e8f5e9,stroke:#4caf50,stroke-width:2px,color:#000; classDef layout fill:#f3e5f5,stroke:#9c27b0,stroke-width:2px,color:#000; + class A default; + class B layout; + class C component; + class D layout; + class E component; + class F default; + class G default; + ``` | Security Layer | Pattern/Standard | Jules Requirement | @@ -68,10 +69,13 @@ graph TD --- -## ✅ 3. Checklist for Jules Agent +## 📋 3. Checklist for Jules Agent When generating new backend endpoints, architectures, or frontend forms: - [ ] Validate and sanitize all incoming payload data against a strict schema (e.g., Zod, Class-Validator). - [ ] Ensure authentication tokens (JWT, Session IDs) are stored securely (HttpOnly, Secure, SameSite cookies). - [ ] Confirm no sensitive system stack traces or error details are returned to the client in HTTP responses. - [ ] Verify that updating or fetching a resource confirms the requesting user actually owns that resource (Insecure Direct Object Reference prevention). + +## ❓ 4. Frequently Asked Questions +- If the file is already ready, then change it according to the repository rules.
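Review bot: in the `@@ -20,21 +20,21 @@` hunk, the reworded XSS rule ("Do not use unsafe innerHTML setters without a strict HTML sanitizer") no longer says which sinks it covers, which matters for a rule an agent is expected to apply mechanically. Suggest naming them explicitly, for example `innerHTML`, `outerHTML`, `insertAdjacentHTML` and framework equivalents such as React's `dangerouslySetInnerHTML`, and stating that only sanitizer output may reach them. This is also the one content change in a hunk that otherwise only swaps heading emoji, so it would be easier to review in its own commit.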
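Review bot: in the `@@ -45,18 +45,19 @@` hunk, replacing the per-node `style` lines with `class` assignments drops two visual distinctions: node E loses its red fill (`fill:#f00` with `color:#fff`) and now shares the `component` class with C, and G loses `stroke-dasharray: 5 5`, which matched the dashed `D -.->` edge into the log node. If those were meant to flag a rejection path and a side channel, add dedicated `classDef` entries for them instead of reusing `component` and `default`. In Mermaid, `classDef default` already applies to every node without an explicit class, so `class A default;`, `class F default;` and `class G default;` are redundant, and the added blank `+` line before the closing fence can be dropped.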
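Review bot: in the `@@ -68,10 +69,13 @@` hunk, the new "4. Frequently Asked Questions" section contains no question, and its only bullet ("If the file is already ready, then change it according to the repository rules.") reads as a leftover editing instruction rather than a security rule. Because this file is loaded as rules for the agent, an open-ended directive to "change it" is ambiguous about which file and which rules apply. Suggest removing the section, or replacing it with real question and answer pairs tied to the checklist items above.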