Security: AghaEssa/Laboratory-Management-System

docs/Security.md

Security Checklist — LIMS (v1.1, October 2025)

This document defines mandatory security measures for deploying and maintaining the LIMS platform in production.

🔐 1. Environment Security

  • Never commit .env or any environment-specific configuration to version control
  • Each environment (local, staging, production) must have unique keys
  • Rotate all credentials and API keys quarterly
  • Restrict .env file permissions:
    chmod 600 .env
    chown www-data:www-data .env

🌐 2. HTTPS Enforcement

  • All traffic must use HTTPS; enable HSTS (HTTP Strict Transport Security)
  • Use valid SSL certificates (Let's Encrypt or commercial CA)
  • Redirect all HTTP requests → HTTPS in the web server configuration
  • Avoid mixed content: load no external assets (scripts, styles, images) over plain HTTP
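The redirect and HSTS items above are normally done in the web server. As an added example (not code from the LIMS repository), the following Laravel middleware applies the same two rules at the application layer, as a backstop for requests that reach PHP over plain HTTP. The class name, the one-year `max-age` and the production-only condition are assumptions for illustration; the `Strict-Transport-Security` header and `redirect()->secure()` are standard.

```php
<?php
// Added example, not the project's own code. Enforces HTTPS and emits HSTS
// from inside the Laravel app. Register it in the "web" middleware group
// (bootstrap/app.php in Laravel 11, app/Http/Kernel.php in Laravel 10).

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class EnforceHttps
{
    public function handle(Request $request, Closure $next): Response
    {
        // Redirect plain-HTTP requests that reached the app anyway.
        // Behind a proxy or load balancer, isSecure() only reads
        // X-Forwarded-Proto correctly if trusted proxies are configured.
        if (! $request->isSecure() && app()->environment('production')) {
            return redirect()->secure($request->getRequestUri(), 301);
        }

        $response = $next($request);

        // HSTS: the browser remembers to use HTTPS for one year, subdomains
        // included. Only sent on HTTPS responses, as the spec requires.
        if ($request->isSecure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        return $response;
    }
}
```

Keep the web-server redirect as the primary control; this middleware only covers the case where the application is reached directly, and it never sends HSTS over an HTTP response, which browsers would ignore anyway.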

🧍 3. Authentication & Authorization

  • Authentication via Laravel Breeze (session-based guard)
  • Authorization handled by Spatie Permission
  | Role  | Scope                                            | Middleware |
  |-------|--------------------------------------------------|------------|
  | Admin | Full system access including inventory & reports | role:Admin |
  | User  | Patient, Case, Results & Invoices only           | auth       |
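As an added example (not the project's own routes file), this is how the split in the table above maps onto Laravel route groups using Breeze's `auth` middleware and Spatie Permission's `role` middleware, followed by a feature test that checks a plain User is refused the admin area. The controller class names, URI prefixes and the test's factory setup are assumptions for illustration.

```php
<?php
// Added example, not code from the LIMS repository.
// routes/web.php: the "auth" guard wraps everything, "role:Admin" wraps
// only inventory and reports, matching the table in section 3.

use Illuminate\Support\Facades\Route;

Route::middleware(['auth'])->group(function () {
    // Available to every signed-in user (Admin included).
    Route::resource('patients', PatientController::class);
    Route::resource('cases', CaseController::class);
    Route::resource('results', ResultController::class);
    Route::resource('invoices', InvoiceController::class);

    // Admin-only area: Spatie's middleware returns 403 for any other role.
    Route::middleware(['role:Admin'])->prefix('admin')->group(function () {
        Route::resource('inventory', InventoryController::class);
        Route::get('reports', [ReportController::class, 'index']);
        Route::get('reports/export', [ReportController::class, 'export']);
    });
});

// tests/Feature/AdminAccessTest.php: proves the boundary instead of trusting it.
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class AdminAccessTest extends TestCase
{
    use RefreshDatabase;

    public function test_plain_user_cannot_reach_inventory(): void
    {
        $user = User::factory()->create();
        $user->assignRole('User');               // Spatie: role must be seeded

        $this->actingAs($user)->get('/admin/inventory')->assertForbidden();
    }

    public function test_admin_can_reach_inventory(): void
    {
        $admin = User::factory()->create();
        $admin->assignRole('Admin');

        $this->actingAs($admin)->get('/admin/inventory')->assertOk();
    }

    public function test_guest_is_redirected_to_login(): void
    {
        $this->get('/patients')->assertRedirect('/login');
    }
}
```

Route middleware is the outer fence; controllers that touch inventory or reports should still call `$this->authorize(...)` or a Policy so that a route added later without the group does not silently bypass the role check.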

🧾 4. CSRF & Session Protection

  • All Blade forms include @csrf token
  • CSRF protection enabled globally via web middleware
  • Sessions configured to use Secure and HttpOnly cookies

✅ Recommended .env Settings

SESSION_DRIVER=file
SESSION_SECURE_COOKIE=true
SESSION_SAME_SITE=strict

🧱 5. Database Security

  • Use least-privilege MySQL users (read/write separated if possible)
  • Enforce strict column validation in migrations and models
  • Always validate and sanitize user input in controllers
  • Run periodic audits using composer audit and npm audit

🧰 6. File & Data Handling

  • Limit upload MIME types and file size
  • Store uploads in storage/app/public and link with php artisan storage:link
  • Never allow executable file uploads (.php, .js, .exe, etc.)
  • Regularly clean unused uploads and temporary files
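The MIME, size and "no executables" rules above can be enforced in one place with a FormRequest. The following is an added example, not the project's own code: the field name `attachment`, the allowed types (PDF, JPEG, PNG) and the 5 MB limit are assumptions chosen for illustration; the `mimes`, `mimetypes` and `max` rules and `storeAs()` are standard Laravel.

```php
<?php
// Added example, not code from the LIMS repository.
// Validates an uploaded result attachment and stores it under a random name
// on the "public" disk (storage/app/public, served via storage:link).

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;
use Illuminate\Http\UploadedFile;
use Illuminate\Support\Str;

class StoreResultAttachmentRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user() !== null;
    }

    public function rules(): array
    {
        return [
            'attachment' => [
                'required',
                'file',
                'max:5120',                                   // kilobytes
                // "mimes" derives the extension from file content (Fileinfo),
                // not from the client-supplied name; "mimetypes" checks the
                // detected MIME type directly. An allow-list keeps .php/.js/.exe
                // out without having to enumerate every executable type.
                'mimes:pdf,jpg,jpeg,png',
                'mimetypes:application/pdf,image/jpeg,image/png',
            ],
        ];
    }

    // The original filename never reaches the filesystem: a UUID plus the
    // extension Laravel guessed from the content is used instead.
    public function storeAttachment(): string
    {
        /** @var UploadedFile $file */
        $file = $this->file('attachment');
        $name = Str::uuid()->toString() . '.' . $file->extension();

        return $file->storeAs('results', $name, 'public');
    }
}
```

Type-hint the request in the controller action (`public function store(StoreResultAttachmentRequest $request)`) and call `$request->storeAttachment()`; validation failures are rejected before the action runs. Pair this with a web-server rule that never executes PHP from the `storage/` path, so a misconfiguration in one layer is still caught by the other.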

🧮 7. Audit & Logging

  • All authentication and critical CRUD actions logged via Laravel log channels
  • Rotate logs weekly or use a centralized system (e.g., Loki / ELK stack)
  • Periodically review:
    • Failed logins
    • Admin route access
    • Inventory or report exports
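To make the "failed logins" review item above possible, authentication outcomes need to land in a log that can be searched. As an added example (not the project's own code), the listener below writes login, logout and failure events to a dedicated `security` channel with daily rotation. The channel name, its 14-day retention and the logged field names are assumptions; the `Illuminate\Auth\Events\*` classes and the event-subscriber form are standard Laravel.

```php
<?php
// Added example, not code from the LIMS repository.
// app/Listeners/LogAuthenticationEvents.php: one subscriber for three auth events.
// Register it in EventServiceProvider::$subscribe (Laravel 10) or rely on
// event discovery (Laravel 11).

namespace App\Listeners;

use Illuminate\Auth\Events\Failed;
use Illuminate\Auth\Events\Login;
use Illuminate\Auth\Events\Logout;
use Illuminate\Support\Facades\Log;

class LogAuthenticationEvents
{
    public function handleFailed(Failed $event): void
    {
        // The submitted password is deliberately not logged. Identifier plus
        // source is enough to spot repeated failures against one account or
        // from one address when reviewing the log.
        Log::channel('security')->warning('auth.failed', [
            'guard' => $event->guard,
            'email' => $event->credentials['email'] ?? null,
            'ip'    => request()->ip(),
            'agent' => request()->userAgent(),
        ]);
    }

    public function handleLogin(Login $event): void
    {
        Log::channel('security')->info('auth.login', [
            'user_id' => $event->user->getAuthIdentifier(),
            'ip'      => request()->ip(),
        ]);
    }

    public function handleLogout(Logout $event): void
    {
        Log::channel('security')->info('auth.logout', [
            'user_id' => $event->user->getAuthIdentifier(),
        ]);
    }

    public function subscribe($events): array
    {
        return [
            Failed::class => 'handleFailed',
            Login::class  => 'handleLogin',
            Logout::class => 'handleLogout',
        ];
    }
}

// config/logging.php, inside 'channels': a daily-rotated file kept 14 days.
// 'security' => [
//     'driver' => 'daily',
//     'path'   => storage_path('logs/security.log'),
//     'level'  => 'info',
//     'days'   => 14,
// ],
```

The same channel is the natural place for the other two review items (admin route access, exports): a middleware on the `role:Admin` group and a log call in the export action give one file, or one Loki/ELK stream, that covers the whole checklist.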
