# Security Notes

- All DB access uses prepared statements via PDO to prevent SQL injection.
- CSRF protection is available via `classes/Security::csrfToken()` (issue a token) and `validateCsrf()` (check the submitted token).
- Output escaping is performed with `Security::escape()` or `htmlspecialchars`.
- A rate-limiting placeholder exists in `config.php`; actual enforcement is expected at the web server or middleware layer.
- The admin panel must be protected by Sngine's admin authentication; Globe AI does not implement Sngine auth itself.
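The following is an added example (not Globe AI's or Sngine's own code) that puts the first three notes together: a PDO lookup via a prepared statement, a CSRF token issued into a form and checked on submit, and escaping at output time. The `Security` method names come from the notes above, but their bodies, the in-memory SQLite database, the `users` table and the sample rows are assumptions made for this example.

```php
<?php
// Added example illustrating the patterns described in the security notes.
// Not project code: the Security class body, the DSN and the users table are assumed.

declare(strict_types=1);

final class Security
{
    // Issue one CSRF token per session and return it for embedding in forms.
    public static function csrfToken(): string
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION['csrf_token'])) {
            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
        }
        return $_SESSION['csrf_token'];
    }

    // Compare the submitted token with the session token in constant time.
    public static function validateCsrf(?string $submitted): bool
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $expected = $_SESSION['csrf_token'] ?? '';
        return $submitted !== null && $expected !== ''
            && hash_equals($expected, $submitted);
    }

    // HTML-escape untrusted output; ENT_QUOTES also covers attribute values.
    public static function escape(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// --- Database access with prepared statements ---------------------------

// Assumed connection: an in-memory SQLite database so the script runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // prefer native prepares where the driver supports them
]);

// Constructed sample table and row (not real data).
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$pdo->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)')
    ->execute([':name' => "O'Brien", ':bio' => '<script>alert(1)</script>']);

// Contrast: interpolating $input into the SQL string lets a quote in the
// input change the query. With a prepared statement the SQL text and the
// bound value travel separately, so $input is always treated as data.
function findUserByName(PDO $pdo, string $input): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $input]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Form handling: CSRF check first, escaped output last -------------

// Render a form with the token as a hidden field (escaped, as all output is).
function renderForm(): string
{
    $token = Security::escape(Security::csrfToken());
    return '<form method="post"><input type="hidden" name="csrf" value="' . $token . '">'
         . '<input name="name"><button>Look up</button></form>';
}

// Handle the POST: reject a missing or wrong token before doing any work.
function handlePost(array $post, PDO $pdo): string
{
    if (!Security::validateCsrf($post['csrf'] ?? null)) {
        http_response_code(403);
        return 'Invalid CSRF token';
    }
    $user = findUserByName($pdo, (string) ($post['name'] ?? ''));
    if ($user === null) {
        return 'Not found';
    }
    // Escape on output: the stored bio is rendered as text, never as markup.
    return '<p>' . Security::escape($user['bio']) . '</p>';
}

// Constructed requests: a valid submission, a quote-bearing lookup, and a forged token.
echo renderForm(), PHP_EOL;
echo handlePost(['csrf' => Security::csrfToken(), 'name' => "O'Brien"], $pdo), PHP_EOL;
echo handlePost(['csrf' => Security::csrfToken(), 'name' => "x' OR '1'='1"], $pdo), PHP_EOL;
echo handlePost(['csrf' => 'forged', 'name' => "O'Brien"], $pdo), $PHP_EOL ?? PHP_EOL;
```

The order inside `handlePost` is the point: validate the CSRF token before any database access, bind user input only through placeholders, and escape only when the value is about to be emitted as HTML (escaping on input would corrupt stored data and still miss other output contexts). Run it with `php example.php`; the quote-bearing lookup returns "Not found" rather than matching every row, and the forged token is rejected.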
