# Security Notes

This Laravel platform is designed around framework security defaults and shared-hosting constraints.

## Included Controls

- CSRF protection on all POST/PATCH/DELETE forms.
- Eloquent query builder usage to avoid SQL injection.
- Blade escaped output for user-facing content.
- Hashed passwords and login throttling.
- Email verification routes.
- Admin middleware and role-based access gate.
- Database sessions with encryption enabled in `.env.example`.
- Database queue/cache defaults for cPanel environments.
- Private file upload disks for leads and secure messages.
- File upload validation for document, spreadsheet, image, and PDF formats.
- Throttling on login, registration, lead capture, calculator calculation, email verification, and messaging.
- HTTPS forced in production whenever `APP_URL` uses the `https` scheme.
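
As an added example (not the project's own code), this is how the private upload disk, server-side upload validation and the role gate from the list above fit together for lead documents. The disk name `leads`, the `admin` gate, the `Lead` model and its `document_path` column are assumptions.

```php
<?php
// Added example, not part of the project. Two fragments are shown:
// the disk definition and the controller that uses it.

// --- config/filesystems.php, inside the 'disks' array ---
// 'leads' => [
//     'driver'     => 'local',
//     'root'       => storage_path('app/private/leads'), // outside /public, so never served directly
//     'visibility' => 'private',
// ],

// --- app/Http/Controllers/LeadDocumentController.php ---
namespace App\Http\Controllers;

use App\Models\Lead;                          // assumed model with a document_path column
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Storage;

class LeadDocumentController extends Controller
{
    // Lead capture: type and size are enforced server-side; the client's
    // filename is never used as a storage path.
    public function store(Request $request)
    {
        $validated = $request->validate([
            'name'     => ['required', 'string', 'max:120'],
            'document' => ['required', 'file', 'mimes:pdf,doc,docx,xls,xlsx,jpg,jpeg,png', 'max:10240'], // 10 MB
        ]);

        // store() generates a random filename on the private disk.
        $path = $validated['document']->store('', 'leads');

        Lead::create(['name' => $validated['name'], 'document_path' => $path]);

        return back()->with('status', 'Document received.');
    }

    // The only way to reach a stored file: an authenticated request that
    // passes the admin gate. Gate::authorize() throws a 403 otherwise.
    public function download(Lead $lead)
    {
        Gate::authorize('admin');

        abort_unless(Storage::disk('leads')->exists($lead->document_path), 404);

        return Storage::disk('leads')->download($lead->document_path, basename($lead->document_path));
    }
}
```

Register `store` behind the lead-capture throttle and `download` behind `auth` plus the admin middleware so the gate check is the second layer, not the only one.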

## Production Checklist

1. Change the seeded admin password immediately.
2. Keep `APP_DEBUG=false` in production.
3. Use PHP 8.3+ and current Composer dependencies.
4. Point the domain document root to `/public`.
5. Configure verified SMTP for email verification and lead notifications.
6. Use strong cPanel database credentials and least-privilege MySQL users.
7. Restrict direct access to project folders outside `/public`.
8. Run database backups and file backups on a fixed schedule.
9. Review admin users and lead exports regularly.
10. Add CAPTCHA or a Laravel-compatible anti-spam provider before high-volume paid traffic.
