# Data Protection Rules
# =====================

data_protection_rules:
  - id: SEC-021
    name: PII logging prevention
    severity: error
    description: >
      Never log passwords, tokens, session identifiers, credit card numbers or
      other sensitive PII. Redact such values before they reach a log handler;
      where a correlation value is needed, log a masked form (last four digits,
      a hash), never the raw value.

  - id: SEC-022
    name: Sensitive data in URLs
    severity: error
    description: >
      Sensitive data must not appear in URL query parameters: URLs are written
      to server and proxy logs, browser history and Referer headers. Send it in
      the POST body or in headers (for example Authorization) instead.

  - id: SEC-023
    name: Mass assignment prevention
    severity: warning
    description: >
      Construct models from an explicit allowlist of fields. Never spread a
      user-controlled dict into a model or ORM constructor with **kwargs, or
      privilege flags (e.g. an is_admin column) become client-settable.

  - id: SEC-024
    name: Error message information leakage
    severity: error
    description: >
      Error messages must not reveal internal details: no stack traces, SQL,
      file paths or library versions to users. Log the full exception
      server-side under a reference id and return a generic message carrying
      only that id.

  - id: SEC-025
    name: Secure cookie settings
    severity: error
    description: >
      Session and other sensitive cookies must set the Secure, HttpOnly and
      SameSite attributes (Lax or Strict; None only together with Secure and
      only where cross-site use is actually required).

  - id: SEC-026
    name: Encryption for sensitive data at rest
    severity: info
    description: >
      Consider encrypting sensitive columns at rest (application-level field
      encryption or database-level encryption), with keys held outside the
      database.

  - id: SEC-027
    name: Data retention limits
    severity: info
    description: >
      Define and enforce data retention policies: how long each category of
      personal data is kept, and automated deletion or anonymisation when that
      period ends.

  - id: SEC-028
    name: Response data filtering
    severity: warning
    description: >
      API responses must not include sensitive internal fields (password
      hashes, internal identifiers, flags). Use explicit response models
      (e.g. Pydantic response models) so output fields are allowlisted rather
      than filtered out case by case.

  - id: SEC-029
    name: File upload validation
    severity: error
    description: >
      Validate uploaded files against an extension allowlist AND by inspecting
      the content (magic bytes), not only the client-declared Content-Type.
      Enforce a maximum size before buffering the body, and store files under a
      server-generated name.

  - id: SEC-030
    name: Backup encryption
    severity: info
    description: >
      Database backups must be encrypted, with backup keys managed separately
      from the backup storage, and restores tested regularly.
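The following is an added, stand-alone example for SEC-021 and SEC-024; it is not part of the rules file or of any project's code. It shows one way to satisfy both rules with the standard library: a logging filter and formatter that redact sensitive key/value pairs, Authorization headers and Luhn-valid card numbers before a line is emitted, and a request wrapper that logs the full traceback under a reference id while returning only a generic message. The key list, the regular expressions and the demo log lines are assumptions constructed for the example.

```python
import logging
import re
import uuid
from io import StringIO

# Keys whose values must never reach a log line (SEC-021). Assumed list: extend
# it with whatever your application calls its secrets.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token", "api_key", "session_id")

# key=value, key: value and "key": "value" forms; the key may be a suffix such as
# access_token or client_secret.
_KV_PATTERN = re.compile(
    r'(?i)(["\']?(?:%s)["\']?\s*[=:]\s*["\']?)([^\s"\',;&]+)' % "|".join(SENSITIVE_KEYS)
)
# "Authorization: Bearer <jwt>" headers and bare "Bearer <token>" / "Basic <b64>".
_AUTH_PATTERN = re.compile(
    r"(?i)\b((?:authorization\s*[:=]\s*)?(?:bearer|basic)\s+)[A-Za-z0-9._~+/=-]+"
)
# 13-16 digit runs, optionally separated by spaces or dashes; confirmed with Luhn
# so that order numbers and timestamps are left alone.
_CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: True for a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _redact_card(match: re.Match) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # not a card: leave the number as it was
    return "*" * (len(digits) - 4) + digits[-4:]  # keep last four for correlation


def redact(text: str) -> str:
    """Mask secrets in a string; headers first so a Bearer value is not split."""
    text = _AUTH_PATTERN.sub(r"\g<1>[REDACTED]", text)
    text = _KV_PATTERN.sub(r"\g<1>[REDACTED]", text)
    return _CARD_PATTERN.sub(_redact_card, text)


class RedactingFilter(logging.Filter):
    """Rewrites the message on the record, so every handler sees the masked form."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class RedactingFormatter(logging.Formatter):
    """Also masks the rendered traceback, which the filter above never touches."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def handle_request(logger: logging.Logger, handler, *args):
    """SEC-024: full exception to the log under a reference id, generic body to the user."""
    try:
        return 200, handler(*args)
    except Exception:
        ref = uuid.uuid4().hex[:12]
        logger.exception("unhandled error ref=%s", ref)
        return 500, {"error": "Internal server error", "ref": ref}


def capture_logger(name: str = "demo.secure"):
    """Logger writing to an in-memory stream, with both redaction hooks installed."""
    stream = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger, stream


def demo():
    """Constructed scenario: a leaky login line and an unhandled exception."""
    logger, stream = capture_logger()
    logger.info("login user=%s password=%s card=%s", "bob", "hunter2", "4111 1111 1111 1111")
    status, body = handle_request(logger, lambda: 1 / 0)
    return stream.getvalue(), status, body


if __name__ == "__main__":
    output, status, body = demo()
    print(output)
    print(status, body)
```

The filter masks the message, the formatter masks the whole rendered record including `exc_text`; install both, because a traceback rendered by a handler without the formatter would still carry the raw exception message.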
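An added, stand-alone example for SEC-022 and SEC-025 (not code from the rules file or from any project): a checker that flags secret-looking query parameters and rewrites a URL so the token travels in an Authorization header, plus a builder and auditor for Set-Cookie headers using the standard library's http.cookies. The parameter name list, the cookie name `session` and the URLs are assumptions constructed for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that must never carry secrets (SEC-022). Assumed list.
SENSITIVE_PARAMS = {
    "password", "passwd", "secret", "token", "access_token", "api_key",
    "apikey", "session", "sessionid", "ssn", "card_number",
}
# Substrings that mark a parameter as sensitive whatever its prefix (reset_token, ...).
SENSITIVE_FRAGMENTS = ("token", "password", "secret")
# Attributes every session cookie must carry (SEC-025).
REQUIRED_COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite")


def sensitive_query_params(url: str) -> list:
    """Return the query parameter names in url that look like secrets, in order."""
    found = []
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        key = name.lower()
        if key in SENSITIVE_PARAMS or any(f in key for f in SENSITIVE_FRAGMENTS):
            found.append(name)
    return found


def move_param_to_header(url: str, param: str = "access_token"):
    """Strip `param` from the query string and return it as a Bearer header instead."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in query if k != param]
    secrets = [v for k, v in query if k == param]
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    headers = {"Authorization": f"Bearer {secrets[0]}"} if secrets else {}
    return clean, headers


def build_session_cookie(value: str, name: str = "session", max_age: int = 3600) -> str:
    """Set-Cookie value for a session cookie with every SEC-025 attribute present."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["secure"] = True       # only over TLS
    morsel["httponly"] = True     # not readable from document.cookie
    morsel["samesite"] = "Strict"  # not sent on cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age   # bounded lifetime rather than a session cookie
    return morsel.OutputString()


def audit_set_cookie(header: str) -> list:
    """Which of the required attributes a Set-Cookie header lacks (empty list = OK)."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    return [attr for attr in REQUIRED_COOKIE_ATTRS if attr.lower() not in attrs]


if __name__ == "__main__":
    leaky = "https://api.example.com/reset?user=bob&token=abc&reset_token=xyz"
    print(sensitive_query_params(leaky))
    print(move_param_to_header("https://api.example.com/v1/me?access_token=abc&fields=id"))
    header = build_session_cookie("constructed-session-value")
    print(header, audit_set_cookie(header))
    print(audit_set_cookie("session=abc; Path=/"))
```

`audit_set_cookie` is the shape of check to run against a real response in an integration test; note that it only verifies presence of the attributes, so a `SameSite=None` cookie still needs a separate look at whether cross-site use is actually required.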
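An added, stand-alone example for SEC-023 and SEC-028 (not code from the rules file or from any project): the mass-assignment pattern `Model(**payload)` beside its allowlisted replacement, and the matching output allowlist that keeps internal fields out of responses. It uses a dataclass so it runs without Pydantic; a Pydantic `response_model` with only the public fields declared is the same output allowlist. The `User` model, its fields and the payloads are assumptions constructed for the example.

```python
from dataclasses import asdict, dataclass


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False     # privilege flag: must never be client-settable
    password_hash: str = ""    # internal: must never be serialised
    internal_notes: str = ""   # internal


CREATE_FIELDS = ("username", "email")                # what a client may set (SEC-023)
RESPONSE_FIELDS = ("username", "email", "is_admin")  # what a client may see (SEC-028)


def create_user_vulnerable(payload: dict) -> User:
    # Mass assignment: every key the client sends becomes a constructor argument,
    # so {"is_admin": true} in the request body creates an administrator.
    return User(**payload)


def create_user(payload: dict) -> User:
    """Explicit field assignment from an allowlist; anything else is rejected."""
    unknown = set(payload) - set(CREATE_FIELDS)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    missing = [name for name in CREATE_FIELDS if name not in payload]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    # Each field is named and coerced individually; is_admin keeps its default.
    return User(username=str(payload["username"]), email=str(payload["email"]))


def safe_create_user(payload: dict):
    """(user, None) on success, (None, reason) on rejection; convenient for callers."""
    try:
        return create_user(payload), None
    except ValueError as exc:
        return None, str(exc)


def to_response(user: User) -> dict:
    """Serialise only the allowlisted fields; password_hash and notes never leave."""
    data = asdict(user)
    return {name: data[name] for name in RESPONSE_FIELDS}


if __name__ == "__main__":
    attack = {"username": "mallory", "email": "mallory@example.com", "is_admin": True}
    print("vulnerable:", create_user_vulnerable(attack))
    print("hardened:", safe_create_user(attack))
    user, _ = safe_create_user({"username": "alice", "email": "alice@example.com"})
    user.password_hash = "$argon2id$constructed-hash"
    print("response:", to_response(user))
```

Rejecting unknown fields (rather than silently dropping them) is a choice: it surfaces probing for hidden fields in the logs. Either way the privilege flag never reaches the model from client input.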
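An added, stand-alone example for SEC-029 (not code from the rules file or from any project): an upload validator that checks size first, then the extension against an allowlist, then the client-declared Content-Type against that extension, then the leading bytes of the file against the known signature for that type, and finally stores under a server-generated name. The allowlist, size limit and sample uploads (including a PHP script named shell.php.png) are assumptions constructed for the example.

```python
import os
import uuid

# Allowed extension -> (canonical MIME type, accepted leading bytes). Assumed allowlist.
ALLOWED_TYPES = {
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    ".pdf": ("application/pdf", (b"%PDF-",)),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit


class UploadRejected(ValueError):
    """Carries a short, user-safe reason; nothing internal (SEC-024)."""


def validate_upload(filename: str, declared_type: str, data: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES):
    """Return (mime_type, stored_name) for an acceptable upload, else raise UploadRejected."""
    # 1. Size. In a real server enforce this on Content-Length / the stream before
    #    buffering; here the body has already been read.
    if not data:
        raise UploadRejected("empty file")
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # 2. Name: reject NULs, drop directory components, allowlist the extension.
    if "\x00" in filename:
        raise UploadRejected("invalid filename")
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("file type not allowed")
    mime, magics = ALLOWED_TYPES[ext]
    # 3. Declared Content-Type must agree with the extension. It is attacker-controlled,
    #    so this check is necessary but never sufficient on its own.
    if declared_type.split(";", 1)[0].strip().lower() != mime:
        raise UploadRejected("content type does not match extension")
    # 4. The bytes themselves must match: shell.php.png containing PHP fails here.
    if not data.startswith(magics):
        raise UploadRejected("content does not match declared type")
    # 5. Never store under the user-supplied name; keep only the validated extension.
    stored_name = f"{uuid.uuid4().hex}{ext}"
    return mime, stored_name


def rejection_reason(filename: str, declared_type: str, data: bytes,
                     max_bytes: int = MAX_UPLOAD_BYTES):
    """The rejection message, or None if the upload is acceptable."""
    try:
        validate_upload(filename, declared_type, data, max_bytes)
    except UploadRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed minimal PNG prefix
    print(validate_upload("../../avatar.PNG", "image/png", png))
    print(rejection_reason("shell.php.png", "image/png", b"<?php system($_GET['c']); ?>"))
    print(rejection_reason("tool.exe", "application/octet-stream", b"MZ\x90\x00"))
    print(rejection_reason("notes.pdf", "image/png", b"%PDF-1.4\n"))
    print(rejection_reason("big.png", "image/png", png, max_bytes=16))
```

Magic-byte matching is a prefix check, not a full parse; for image uploads that are re-served to users, decode and re-encode the file as well so that polyglots (a valid PNG that is also HTML or a ZIP) do not survive into storage.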