You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .jules/rules/security.md
+18-14Lines changed: 18 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,7 +9,7 @@ tags:
9
9
---
10
10
# 🛡️ System Security & Hardening Rules for Jules
11
11
12
-
## 🎯 1. Context & Scope
12
+
## 📝 1. Context & Scope
13
13
-**Primary Goal:** Protect application data and user privacy by strictly enforcing **secure coding** practices and preventing common **OWASP Top 10** vulnerabilities.
14
14
-**Target Tooling:** Jules AI agent (Security Audits, Authentication Logic Generation).
15
15
-**Tech Stack Version:** Agnostic (Cybersecurity Best Practices).
@@ -20,21 +20,21 @@ tags:
20
20
21
21
---
22
22
23
-
## 🌐 2. Global Threat Mitigation Protocols
23
+
## 🌍 2. Global Threat Mitigation Protocols
24
24
25
25
> [!WARNING]
26
26
> **Secret Leakage:** Never hardcode secrets, API keys, passwords, or tokens in the codebase. Always load sensitive data via environment variables (`process.env`) and inject them securely.
27
27
28
-
### 🛑 OWASP Top 10 Prevention
28
+
### 🛡️ OWASP Top 10 Prevention
29
29
1.**Injection (SQLi, NoSQLi, Command):** Never directly concatenate user input into database queries or shell commands. Always use parameterized queries (Prepared Statements) or an approved ORM/Query Builder.
30
-
2.**Cross-Site Scripting (XSS):** Automatically escape or sanitize all untrusted user content before rendering it in the browser. Do not use dangerously permissive innerHTML setters without a strict HTML sanitizer (like DOMPurify).
30
+
2.**Cross-Site Scripting (XSS):** Automatically escape or sanitize all untrusted user content before rendering it in the browser. Do not use unsafe innerHTML setters without a strict HTML sanitizer (like DOMPurify).
31
31
3.**Cross-Site Request Forgery (CSRF):** State-changing endpoints must require modern CSRF mitigation, such as SameSite cookies or Anti-CSRF tokens.
32
32
33
-
### 🔐 Identity & Access Management (IAM)
33
+
### 🔑 Identity & Access Management (IAM)
34
34
1.**Authentication:** Passwords must be hashed using strong, salted algorithms (e.g., Argon2, bcrypt). Plaintext passwords must never hit the database or logs.
35
35
2.**Authorization:** Implement Principle of Least Privilege (PoLP). Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC) must be checked at the *server level*, not just hidden on the client UI.
36
36
37
-
### 🏛️ Security Architecture
37
+
### 🏰 Security Architecture
38
38
39
39
```mermaid
40
40
graph TD
@@ -45,18 +45,19 @@ graph TD
45
45
D -->|Sanitized Payload| F[(Database)]
46
46
D -.->|No PII Logged| G[Logs: PII Masking]
47
47
48
-
style A fill:#f9f,stroke:#333,stroke-width:2px
49
-
style B fill:#bbf,stroke:#333,stroke-width:2px
50
-
style C fill:#fbb,stroke:#333,stroke-width:2px
51
-
style D fill:#bfb,stroke:#333,stroke-width:2px
52
-
style E fill:#f00,stroke:#333,stroke-width:2px,color:#fff
53
-
style F fill:#ccc,stroke:#333,stroke-width:2px
54
-
style G fill:#ddd,stroke:#333,stroke-width:2px,stroke-dasharray: 5 5
-[ ] Confirm no sensitive system stack traces or error details are returned to the client in HTTP responses.
77
78
-[ ] Verify that updating or fetching a resource confirms the requesting user actually owns that resource (Insecure Direct Object Reference prevention).
79
+
80
+
## ❓ 4. Frequently Asked Questions
81
+
- If the file is already ready, then change it according to the repository rules.
0 commit comments