TMHSDigital CursorRulesFiles .cursorrules file for unknown

// Security and Privacy Rules

// Authentication & Authorization
- Implement MFA where possible
- Use OAuth 2.0 / OpenID Connect for third-party auth
- Session management:
  * Secure session storage
  * Session timeout
  * Session invalidation on logout
  * Prevent session fixation
- Role-based access control (RBAC)
- Attribute-based access control (ABAC) for complex permissions

// Data Protection
- Encryption:
  * Use AES-256 for symmetric encryption
  * Use RSA-2048 or better for asymmetric encryption
  * Implement proper key management
  * Use TLS 1.3 for data in transit
- Personal Data:
  * Implement data minimization
  * Support data export
  * Support data deletion
  * Track data access
  * Implement data retention policies

// Input Validation & Sanitization
- Validate all user inputs:
  * Size limits
  * Format validation
  * Content type validation
  * File upload validation
- Implement Content Security Policy (CSP)
- Use prepared statements for SQL
- Sanitize HTML/markdown input
- Validate JSON schemas

// Security Headers
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin

// API Security
- Rate limiting:
  * Per IP
  * Per user
  * Per endpoint
- API key management:
  * Regular rotation
  * Scope-based access
  * Key revocation
- Request validation:
  * Valid JWT
  * API key verification
  * Signature verification
  * Timestamp validation

// Secure Configuration
- Use environment variables for secrets
- Implement secrets rotation
- Regular security updates
- Disable debug endpoints in production
- Implement proper CORS policy
- Use secure cookie settings
- Enable security monitoring

// Vulnerability Management
- Regular dependency updates
- Automated vulnerability scanning
- Security patch management
- Bug bounty program guidelines
- Incident response plan
- Security logging and monitoring

// Secure Development
- Code review security checklist
- Security testing in CI/CD
- Secure coding guidelines
- Third-party code review
- Security documentation
- Developer security training 
golang
jwt
oauth

First Time Repository

Different versions of .cursorrules files. Feel free to customize for your own personal needs.

unknown
Created: 1/12/2025
Updated: 1/13/2025
