Guide

Security

Mahaut keeps a conservative default security baseline for small PHP applications.

• Only public/ should be web-accessible.
• The framework emits security headers for dynamic responses.
• Sessions use HttpOnly, SameSite=Lax, strict mode, and HTTPS-aware Secure cookies.
• Route handlers, view names, constraints, and encoded slash parameters are guarded.
• Secrets must stay outside versioned source code.