From 3fa866c3020ec8732298e972b91511340c039eb8 Mon Sep 17 00:00:00 2001 From: Jurj-Bogdan Date: Tue, 30 Sep 2025 12:22:30 +0300 Subject: [PATCH 1/6] initial security section Signed-off-by: Jurj-Bogdan --- docs/book/v6/security/security.md | 68 +++++++++++++++++++++++++++++++ mkdocs.yml | 2 + 2 files changed, 70 insertions(+) create mode 100644 docs/book/v6/security/security.md diff --git a/docs/book/v6/security/security.md b/docs/book/v6/security/security.md new file mode 100644 index 0000000..9b200d6 --- /dev/null +++ b/docs/book/v6/security/security.md 
@@ -0,0 +1,68 @@ +# Security Observations + +`dotkernel/admin` provides all necessary tools to implement safe applications, however you will need to manually make use of some of them. +This section will go over the provided tools and any steps you need to follow in order to use them successfully, as well as a few general considerations. + +## Form Input Validation + +In order to create safe forms, `dotkernel/admin` makes use of [laminas/laminas-form](https://github.com/laminas/laminas-form) and [laminas/laminas-inputfilter](https://github.com/laminas/laminas-inputfilter). +All shipped forms have their inputs validated, and it is strongly recommended any custom forms added also make use of input filters to validate user input. + +## Cross-Site Request Forgery Protection + +`dotkernel/admin` provides protection against CSRF attacks by using CSRF token creation and validation, available for all forms. + +All forms provided make use of CSRF token validation, but you must ensure to implement this step for any new forms you create. + +> This step is described in the [Set Up CSRF](../how-to/csrf.md) tutorial. + +## Role-Based Access Control + +This project makes use of [dot-rbac-guard](https://github.com/dotkernel/dot-rbac-guard) and [dot-rbac](https://github.com/dotkernel/dot-rbac) to handle access control. + +The default modules have already been configured, but any custom functionality will require additional configuration to make sure it is protected. +Update the configuration files of both these packages whenever you add new routes or roles. + +> This step is described in the [Configure Authorizations](../how-to/authorization.md) tutorial. + +## Session and Cookie Settings + +Make sure your session cookie settings are properly set up for usage in production by reviewing the `config/autoload/session.global.php` file. 
+Pay extra attention to the following keys, to make sure your desired values are set: + +- `session_config.cookie_httponly` +- `session_config.cookie_samesite` +- `session_config.cookie_secure` + +## Demo Credentials + +`Admin` ships with a demo admin account, with public identity and password. +**Make sure to change or remove this demo account when going live.** + +## PHP Dependencies + +`dotkernel/admin` uses `composer` to handle PHP dependencies. +In time, make sure to review any common vulnerabilities and exposures for your dependencies. + +> You may also keep an eye on the `dotkernel/admin` changelog for any updates relevant to your project. + +## JavaScript Dependencies + +This project uses `npm` to handle JavaScript dependencies. +Keep an eye on any vulnerabilities whenever using `npm` to install or update packages. + +> You may use the `npm audit` command to check for vulnerabilities in the current `node_modules`. + +## General Considerations + +- `*.global.php` and `*.php.dist` configuration files are visible to the VCS, make sure **not** to include sensitive data in commits. + - `*.local.php` configuration files are ignored by the VCS by default and are the recommended place for sensitive data such as API keys. +- Review `config/autoload/cors.global.php` to ensure your application is accessible by your preferred origins. +- Make sure the `development mode` is correctly set - **do not** enable `development mode` in a production environment. + - You can use the following command to check the current status: + +```shell +composer development-status +``` + +- `Admin` ships with a `laminas/laminas-ci` integration, consider keeping it in your custom applications to ensure code quality. diff --git a/mkdocs.yml b/mkdocs.yml index 427ea53..6f4134e 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
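Review bot: the "Session and Cookie Settings" part of this hunk lists the three `session_config.cookie_*` keys but never says what the production values should be, so a reader can "review" `config/autoload/session.global.php` and still ship it insecure; state them outright, e.g. `'cookie_httponly' => true`, `'cookie_secure' => true` and `'cookie_samesite' => 'Lax'` (or `'Strict'` for an admin panel), and add that `cookie_secure => true` only works when the admin is served over HTTPS, otherwise the browser never sends the session cookie at all. Three smaller points in the same hunk: the "PHP Dependencies" section tells the reader to review CVEs "in time" without naming a tool, while the JavaScript section names `npm audit`; the Composer counterpart is `composer audit` (Composer 2.4+), which checks `composer.lock` against the Packagist security advisories and can be run in CI. The CORS bullet under "General Considerations" is phrased as an availability concern ("accessible by your preferred origins"), but the security point runs the other way, so reword it to say the allowed origins should be restricted to the ones you trust and that a wildcard origin is not appropriate for an authenticated admin. Finally, "Form Input Validation" covers input filters only; a one-line reminder that validating input does not replace escaping output in templates would keep readers from assuming the input filter alone prevents XSS, and under "Demo Credentials" consider recommending removal over "change or remove", since rotating the password still leaves a publicly documented username for brute-force attempts.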
@@ -50,6 +50,8 @@ nav: - "Use NPM Commands": v6/how-to/npm_commands.md - "Inject Dependencies": v6/how-to/dependency-injection.md - "Set Up CSRF": v6/how-to/csrf.md + - Security: + - "Security Observations": v6/security/security.md - Tutorials: - "Creating a book module using DotMaker": v6/tutorials/create-book-module-via-dot-maker.md site_name: admin From cd3e2bdfd36000048762ec5714108ff3c9ccc04f Mon Sep 17 00:00:00 2001 From: Jurj-Bogdan Date: Tue, 30 Sep 2025 12:27:01 +0300 Subject: [PATCH 2/6] linting fix Signed-off-by: Jurj-Bogdan --- docs/book/v6/security/security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/book/v6/security/security.md b/docs/book/v6/security/security.md index 9b200d6..60c38cc 100644 --- a/docs/book/v6/security/security.md +++ b/docs/book/v6/security/security.md @@ -56,10 +56,10 @@ Keep an eye on any vulnerabilities whenever using `npm` to install or update pac ## General Considerations - `*.global.php` and `*.php.dist` configuration files are visible to the VCS, make sure **not** to include sensitive data in commits. - - `*.local.php` configuration files are ignored by the VCS by default and are the recommended place for sensitive data such as API keys. + - `*.local.php` configuration files are ignored by the VCS by default and are the recommended place for sensitive data such as API keys. - Review `config/autoload/cors.global.php` to ensure your application is accessible by your preferred origins. - Make sure the `development mode` is correctly set - **do not** enable `development mode` in a production environment. - - You can use the following command to check the current status: + - You can use the following command to check the current status: ```shell composer development-status From 27c6166807afb2c92dc58ee610758148c6eb3cc4 Mon Sep 17 00:00:00 2001 From: Jurj-Bogdan Date: Fri, 3 Oct 2025 12:44:37 +0300 Subject: [PATCH 3/6] requested changes 
Signed-off-by: Jurj-Bogdan --- docs/book/v6/security/{security.md => basic-security.md} | 6 ++++-- mkdocs.yml | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) rename docs/book/v6/security/{security.md => basic-security.md} (89%) diff --git a/docs/book/v6/security/security.md b/docs/book/v6/security/basic-security.md similarity index 89% rename from docs/book/v6/security/security.md rename to docs/book/v6/security/basic-security.md index 60c38cc..be5ae8a 100644 --- a/docs/book/v6/security/security.md +++ b/docs/book/v6/security/basic-security.md @@ -1,4 +1,4 @@ -# Security Observations +# Basic Security Observations `dotkernel/admin` provides all necessary tools to implement safe applications, however you will need to manually make use of some of them. This section will go over the provided tools and any steps you need to follow in order to use them successfully, as well as a few general considerations. @@ -65,4 +65,6 @@ Keep an eye on any vulnerabilities whenever using `npm` to install or update pac composer development-status ``` -- `Admin` ships with a `laminas/laminas-ci` integration, consider keeping it in your custom applications to ensure code quality. +- `Admin` ships with a [Laminas Continuous Integration GitHub Action](https://github.com/laminas/laminas-continuous-integration-action), consider keeping it in your custom applications to ensure code quality. + +> Read more about the benefits of using [Laminas Continuous Integration](https://getlaminas.org/blog/2024-09-26-using-laminas-continuous-delivery-and-deployment.html). diff --git a/mkdocs.yml b/mkdocs.yml index 6f4134e..134bdc8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
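Review bot: in the `basic-security.md` hunk the added note says "Read more about the benefits of using Laminas Continuous Integration" but links to the `2024-09-26-using-laminas-continuous-delivery-and-deployment` post, which is about delivery and deployment, not the CI action the bullet describes; [PATCH 4/6] later in this series replaces the URL, so either squash that fix into this commit or point the link at the CI post here so the rename commit does not introduce a mismatched reference.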
@@ -51,7 +51,7 @@ nav: - "Inject Dependencies": v6/how-to/dependency-injection.md - "Set Up CSRF": v6/how-to/csrf.md - Security: - - "Security Observations": v6/security/security.md + - "Basic Security Observations": v6/security/basic-security.md - Tutorials: - "Creating a book module using DotMaker": v6/tutorials/create-book-module-via-dot-maker.md site_name: admin From 1d7dc824142e91a0f9e18e346da2c8d8b6907711 Mon Sep 17 00:00:00 2001 From: Jurj-Bogdan Date: Fri, 3 Oct 2025 14:05:12 +0300 Subject: [PATCH 4/6] wording and article change Signed-off-by: Jurj-Bogdan --- docs/book/v6/security/basic-security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/book/v6/security/basic-security.md b/docs/book/v6/security/basic-security.md index be5ae8a..23dda99 100644 --- a/docs/book/v6/security/basic-security.md +++ b/docs/book/v6/security/basic-security.md @@ -65,6 +65,6 @@ Keep an eye on any vulnerabilities whenever using `npm` to install or update pac composer development-status ``` -- `Admin` ships with a [Laminas Continuous Integration GitHub Action](https://github.com/laminas/laminas-continuous-integration-action), consider keeping it in your custom applications to ensure code quality. +- `Admin` ships with a [Laminas Continuous Integration](https://github.com/laminas/laminas-continuous-integration-action) GitHub Action, consider keeping it in your custom applications to ensure code quality. -> Read more about the benefits of using [Laminas Continuous Integration](https://getlaminas.org/blog/2024-09-26-using-laminas-continuous-delivery-and-deployment.html). +> Read more about using [Laminas Continuous Integration](https://getlaminas.org/blog/2024-08-05-using-laminas-continuous-integration.html). From 36198ecd9775f9989d8632d571e4864de68cd6d6 Mon Sep 17 00:00:00 2001 From: Jurj-Bogdan Date: Fri, 3 Oct 2025 17:33:56 +0300 Subject: [PATCH 5/6] note regarding gh action 
Signed-off-by: Jurj-Bogdan --- docs/book/v6/security/basic-security.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/book/v6/security/basic-security.md b/docs/book/v6/security/basic-security.md index 23dda99..7326a92 100644 --- a/docs/book/v6/security/basic-security.md +++ b/docs/book/v6/security/basic-security.md @@ -65,6 +65,7 @@ Keep an eye on any vulnerabilities whenever using `npm` to install or update pac composer development-status ``` -- `Admin` ships with a [Laminas Continuous Integration](https://github.com/laminas/laminas-continuous-integration-action) GitHub Action, consider keeping it in your custom applications to ensure code quality. +- `Admin` ships with a [Laminas Continuous Integration](https://github.com/laminas/laminas-continuous-integration-action) GitHub Action, +if you are using a public repository consider keeping it in your custom applications to ensure code quality. > Read more about using [Laminas Continuous Integration](https://getlaminas.org/blog/2024-08-05-using-laminas-continuous-integration.html). From 294184b61f9cce3848efb4f6d2cdbcd8ec0a9df8 Mon Sep 17 00:00:00 2001 From: Jurj-Bogdan Date: Mon, 6 Oct 2025 12:32:01 +0300 Subject: [PATCH 6/6] page title change Signed-off-by: Jurj-Bogdan --- docs/book/v6/security/basic-security.md | 2 +- mkdocs.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/book/v6/security/basic-security.md b/docs/book/v6/security/basic-security.md index 7326a92..a622815 100644 --- a/docs/book/v6/security/basic-security.md +++ b/docs/book/v6/security/basic-security.md @@ -1,4 +1,4 @@ -# Basic Security Observations +# Basic Security `dotkernel/admin` provides all necessary tools to implement safe applications, however you will need to manually make use of some of them. This section will go over the provided tools and any steps you need to follow in order to use them successfully, as well as a few general considerations. 
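Review bot: the new condition "if you are using a public repository consider keeping it" gives no reason for the public-repository qualifier, so readers with a private repository will read it as "not applicable" rather than as a cost or quota consideration; add the one-clause rationale you have in mind (presumably that the hosted action is free for public repositories, if that is the intent) or drop the qualifier. Also, the continuation line `if you are using a public repository consider keeping it in your custom applications to ensure code quality.` starts at column 0 inside a list item; indent it under the bullet or merge it into the previous line, since [PATCH 2/6] in this series was itself a linting fix for list indentation and this will likely trip the same check.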
diff --git a/mkdocs.yml b/mkdocs.yml index 134bdc8..4953a1d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -51,7 +51,7 @@ nav: - "Inject Dependencies": v6/how-to/dependency-injection.md - "Set Up CSRF": v6/how-to/csrf.md - Security: - - "Basic Security Observations": v6/security/basic-security.md + - "Basic Security": v6/security/basic-security.md - Tutorials: - "Creating a book module using DotMaker": v6/tutorials/create-book-module-via-dot-maker.md site_name: admin