# Security Plan - Kevron Suites & Apartments

## 1. Input Validation and Sanitisation

* **Server-Side Validation**: Rely on strict Laravel `FormRequest` validation classes that enforce required fields, string length limits, date comparisons, and numeric ranges on every input path; client-side checks are a convenience only.
* **MIME Validation & Secure File Uploads**:
  * Guest identification uploads and bank transfer receipt images must be limited to JPG, PNG and PDF, validated against the detected MIME type rather than the client-supplied extension alone.
  * Enforce a maximum upload size (e.g. `max:4096`, i.e. 4096 KB) to prevent disk space exhaustion.
  * Store files on a private storage disk and serve them only through dedicated controllers that authenticate and authorise the requesting user.
* **XSS Protections**: Always output values in Blade templates with the escaping syntax `{{ $var }}`, never the raw `{!! $var !!}` form. Sanitise free-text fields (textarea summaries) server-side on every form that accepts them.

---

## 2. Dynamic Rate Limiting & CAPTCHA

* **Rate Limiting Middleware**:
  * Apply Laravel's standard rate-limit middleware (`throttle:6,1`, six attempts per minute) to high-risk endpoints: Guest Login, Admin Access, Password Recovery.
  * Apply `throttle:15,1` (fifteen requests per minute) to booking inquiries and general contact forms.
* **Spam Protection**: Add Cloudflare Turnstile or hCaptcha widgets to public forms. Verify the challenge token server-side with the provider before any reservation request is validated or processed.

---

## 3. Server Security Headers & Session Safety

Add a lightweight middleware that applies the following response security headers globally:
* `Content-Security-Policy` (CSP): Constrain the allowed sources for scripts, styles, images, and fonts to block injected scripts.
* `X-Frame-Options: DENY`: Forbid framing of the site to prevent clickjacking.
* `X-Content-Type-Options: nosniff`: Prevent browser MIME sniffing.
* `Referrer-Policy: strict-origin-when-cross-origin`: Send the full referrer only on same-origin requests; cross-origin requests receive just the origin.
* `Permissions-Policy`: Disable browser features the site does not use (geolocation, camera, microphone) unless a page explicitly opts in.
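One implementation of this middleware, written as an added example rather than taken from the project; the class name `SecurityHeaders` and the CSP source list are assumptions to adapt to the site's actual asset and CAPTCHA hosts:

```php
<?php

// Added example (not the project's own code): Laravel middleware that sets the
// headers listed above on every response. Class name is an assumption.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Restrict where scripts, styles, images and fonts may load from.
        // 'self' covers assets served by the app itself; the hosts of the
        // CAPTCHA provider (Turnstile/hCaptcha) and any CDN must be added
        // explicitly, otherwise the browser blocks them. frame-ancestors
        // mirrors X-Frame-Options for browsers that prefer CSP.
        $csp = implode('; ', [
            "default-src 'self'",
            "script-src 'self'",
            "style-src 'self'",
            "img-src 'self' data:",
            "font-src 'self'",
            "frame-ancestors 'none'",
        ]);

        $headers = [
            'Content-Security-Policy' => $csp,
            'X-Frame-Options'         => 'DENY',
            'X-Content-Type-Options'  => 'nosniff',
            'Referrer-Policy'         => 'strict-origin-when-cross-origin',
            'Permissions-Policy'      => 'geolocation=(), camera=(), microphone=()',
        ];

        // set() overwrites any value a controller or package already placed,
        // so the policy is uniform across the whole application.
        foreach ($headers as $name => $value) {
            $response->headers->set($name, $value);
        }

        return $response;
    }
}
```

Inline `<script>` blocks in Blade views are blocked by this `script-src`; move them to files or add a per-request nonce. Register the class globally (on Laravel 11, `$middleware->append(SecurityHeaders::class)` in `bootstrap/app.php`; on older versions, the `$middleware` array in `app/Http/Kernel.php`).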

---

## 4. Administrative Audit Logs & Data Protection

* **Filament Audit Logs**: Keep detailed, append-only audit records of:
  * Super Admin log-ins and profile modifications.
  * Unit price alterations.
  * Status changes (e.g. altered check-out rules, schedule overrides).
  * Manual booking adjustments or cancellations.
* **Sensitive Data Security**:
  * Hash all password fields with `bcrypt` (Laravel's default hashing driver).
  * Keep database credentials and application keys in `.env`; never commit them to source control.
