# XploitScan security rules (legacy .cursorrules format)
# Modern format: .cursor/rules/xploitscan-security.mdc — see https://xploitscan.com/cursor

When generating or modifying any backend, API, auth, payment, config, or DB code, follow these security rules. Source: https://xploitscan.com

1. WEBHOOKS MUST BE SIGNATURE-VERIFIED
   - Stripe: use stripe.webhooks.constructEvent with the raw body and signature header. Use express.raw, not express.json. Never trust event.type from req.body without verification.
   - Clerk / GitHub / Resend / SendGrid webhooks: same rule, use the provider's verify function.
   - Throw / return 400 on verification failure. Never fall through.

2. NO HARDCODED SECRETS
   - No string literal API keys, tokens, passwords, JWT secrets, DB URLs, or webhook secrets in source.
   - .env.example must contain placeholder values like "your_api_key_here", never real secrets.
   - Read all secrets from process.env at runtime.

3. EVERY API ROUTE NEEDS EXPLICIT AUTH
   - Verify identity at the top of the handler before any DB query.
   - Check role / permissions / resource ownership before reading or writing.
   - For object access, verify caller.id === resource.userId (IDOR is the top vibe-coded vulnerability).

4. NO STRING-CONCATENATED SQL
   - Always use parameterized queries / ORM bind parameters.
   - Forbidden: `SELECT * FROM users WHERE id = ${id}`
   - Required: db.query('SELECT * FROM users WHERE id = $1', [id])

5. CORS WILDCARDS WITH CREDENTIALS ARE FORBIDDEN
   - Never combine Access-Control-Allow-Origin: * with Allow-Credentials: true.
   - Allowlist exact origins.

6. SSRF: VALIDATE USER-CONTROLLED URLS BEFORE FETCH OR REDIRECT
   - Reject private CIDRs (10/8, 172.16/12, 192.168/16, 127/8, 169.254.169.254).
   - Allowlist destinations for redirect handlers.

7. NEVER PUT SESSION TOKENS IN LOCALSTORAGE
   - Use HttpOnly secure cookies. Same for React Native AsyncStorage.

8. NEVER eval / new Function / exec WITH USER INPUT
   - Use execFile with arg arrays, not exec with concatenated strings.

9. SET SECURITY HEADERS BY DEFAULT
   - CSP, HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy. Use helmet() for Express, headers() in next.config.js.

10. dangerouslySetInnerHTML / v-html REQUIRE DOMPurify

11. JWT.VERIFY, NEVER JWT.DECODE
    - Always pin algorithms: jwt.verify(token, secret, { algorithms: ['HS256'] })

12. DON'T LOG SECRETS
    - Strip password, token, secret, apiKey, authorization, ssn, creditCard before any log call.

If unsure, scan with: npx xploitscan scan .
