# Security Notes

This LMS includes several application-level security controls, but production deployment still requires server hardening.

## Included controls

- Prepared SQL queries through PDO
- Password hashing using PHP `password_hash()`/`password_verify()`
- CSRF tokens on state-changing forms
- Session cookies with HttpOnly and SameSite=Strict
- Role-based access control for admin, instructor and student areas
- Account lockout after repeated failed login attempts
- Output escaping with the `e()` helper
- Security headers including CSP and X-Frame-Options
- Upload-folder execution blocking through `.htaccess`
- Audit logging for login, enrollment, content and quiz actions
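The session-cookie, CSRF-token and output-escaping controls listed above, written out as one small PHP page. This is an added example, not the project's own code: the `e()` implementation and function names are assumptions, and the `Secure` cookie flag is included here because the hosting checklist requires HTTPS.

```php
<?php
// Added example (not the project's own code): the session-cookie, CSRF-token and
// output-escaping controls listed above. e() here is an assumed implementation.

// 1. Cookie flags: HttpOnly hides the cookie from scripts, SameSite=Strict blocks
//    cross-site sends, Secure requires HTTPS (see the hosting checklist).
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Strict',
    'secure'   => true,
]);
session_start();

// 2. CSRF token: one random token per session, compared in constant time.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// 3. Output escaping: encode quotes too, so values are safe inside attributes.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage: the form carries the token; the handler rejects a mismatch before any DB write.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the state change here ...
}
?>
<form method="post" action="">
    <input type="hidden" name="csrf_token" value="<?= e(csrf_token()) ?>">
    <input type="text" name="course_title" value="<?= e($_POST['course_title'] ?? '') ?>">
    <button type="submit">Save</button>
</form>
```

The `csrf_check()` helper accepts an untyped value so a crafted `csrf_token[]=...` array submission fails the `is_string()` test instead of raising a `TypeError`.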

## Required before public hosting

- Use HTTPS
- Change the CSRF secret in `config/config.php`
- Use a restricted MySQL user instead of root
- Change or delete all demo accounts
- Make only `/public` web-accessible where possible
- Keep `uploads/` and `storage/` writable, but keep source files read-only
- Add automatic backups
- Configure real SMTP for email verification/password reset if needed
- Integrate a verified payment gateway before selling paid courses
