Phase 7 · Security & monitoring

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: Phase 7 · Security & monitoring
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 7
- est_time: 6–10 hr
- description: Harden the deployed app (rotate vendor defaults, TLS/HSTS, security headers, rate limits, session/mass-assignment audit), add an audit trail, then make it observable — off-server backups, Sentry, uptime, logs — and close out the legal layer (GDPR, cookie consent) and compliance tracks (SOC 2 / HIPAA).
- tags: codecanyon, laravel, security, monitoring

## Execution rules (binding)
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# Phase 7 · Security & monitoring

Four jobs, in order: **harden** the deployed app, give it an **audit trail**, make it **observable**, then settle the **legal & compliance** layer. Don't monitor an insecure target — security comes first, then observability watches what you secured, and the legal pages make launch lawful. The observability half is an *insertable gate*: rehearse the stack on staging, or wire the real thing on production.

<StageFlow
  title="Phase 7 — secure, observe, then comply"
  caption="Security precedes observability precedes legal. Each node is a gate, not a suggestion — alerts with no escalation path are just dashboards nobody watches."
  stages={[
    { label: 'Harden', sub: 'rotate · throttle · audit', tone: 'core' },
    { label: 'Headers + HTTPS', sub: 'TLS · HSTS · CSP' },
    { label: 'Audit trail', sub: 'activity log' },
    { label: 'Backups + observe', sub: 'Sentry · uptime · logs', tone: 'core' },
    { label: 'Legal + comply', sub: 'GDPR · SOC2 · HIPAA', tone: 'good' },
  ]}
/>

:::note[Gate]
Vendor default credentials rotated, sessions and mass-assignment audited, TLS/HSTS + security headers live, activity logging capturing changes and auth events. **Automated daily backups to off-server storage**, Sentry tracking errors with release health, uptime monitoring with escalation, and log aggregation in place. Privacy/Terms hosted, cookie consent live, GDPR export + deletion working; compliance tracks scoped.
:::

:::note[Idempotent server installs (S10)]
**One `schedule:run` cron per server** — install in [Phase 5 · Secure & verify schema](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/05-secure-verify-schema/) using `crontab -l | grep -v 'schedule:run' ; echo … | crontab -`. Later phases **verify** (`grep -c` must be `1`), never paste a second line. Same rule for `.env` keys: `grep -q '^KEY=' file || echo … >> file`.
:::

## Pages in this phase

<CardGrid>
  <LinkCard title="1 · Harden first" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/" description="Rotate every vendor default, rate limits, file permissions, mass-assignment & session audit." />
  <LinkCard title="2 · Security headers & packages" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/" description="HTTPS + HSTS, .htaccess + middleware headers, force HTTPS, PII encryption, strong passwords." />
  <LinkCard title="3 · Activity logging" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/03-activity-logging/" description="Spatie Activity Log: model changes, auth events, GDPR actions, scheduled cleanup." />
  <LinkCard title="4 · Off-server backups" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/04-backups/" description="The MUST: Spatie Laravel Backup → S3/Spaces/B2/R2 daily, 3-2-1 rule, restore drills." />
  <LinkCard title="5 · Observability" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/05-observability/" description="Full Sentry (crons, perf, release health), log aggregation, uptime + health endpoint, alert escalation." />
  <LinkCard title="6 · Legal, privacy & GDPR" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/06-legal-gdpr/" description="Generate + host Privacy/Terms, cookie consent, GDPR export + deletion, ROPA + DPAs." />
  <LinkCard title="7 · Compliance tracks" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/07-compliance/" description="Reference: when SOC 2 and HIPAA apply, what they cost, and the platforms that automate them." />
</CardGrid>

Start with **[Harden first](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/)** — never monitor a target you haven't secured.

# Phase 7 · Security & monitoring

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/

Four jobs, in order: **harden** the deployed app, give it an **audit trail**, make it **observable**, then settle the **legal & compliance** layer. Don't monitor an insecure target — security comes first, then observability watches what you secured, and the legal pages make launch lawful. The observability half is an *insertable gate*: rehearse the stack on staging, or wire the real thing on production.

<StageFlow
  title="Phase 7 — secure, observe, then comply"
  caption="Security precedes observability precedes legal. Each node is a gate, not a suggestion — alerts with no escalation path are just dashboards nobody watches."
  stages={[
    { label: 'Harden', sub: 'rotate · throttle · audit', tone: 'core' },
    { label: 'Headers + HTTPS', sub: 'TLS · HSTS · CSP' },
    { label: 'Audit trail', sub: 'activity log' },
    { label: 'Backups + observe', sub: 'Sentry · uptime · logs', tone: 'core' },
    { label: 'Legal + comply', sub: 'GDPR · SOC2 · HIPAA', tone: 'good' },
  ]}
/>

:::note[Gate]
Vendor default credentials rotated, sessions and mass-assignment audited, TLS/HSTS + security headers live, activity logging capturing changes and auth events. **Automated daily backups to off-server storage**, Sentry tracking errors with release health, uptime monitoring with escalation, and log aggregation in place. Privacy/Terms hosted, cookie consent live, GDPR export + deletion working; compliance tracks scoped.
:::

:::note[Idempotent server installs (S10)]
**One `schedule:run` cron per server** — install in [Phase 5 · Secure & verify schema](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/05-secure-verify-schema/) using `crontab -l | grep -v 'schedule:run' ; echo … | crontab -`. Later phases **verify** (`grep -c` must be `1`), never paste a second line. Same rule for `.env` keys: `grep -q '^KEY=' file || echo … >> file`.
:::

## Pages in this phase

<CardGrid>
  <LinkCard title="1 · Harden first" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/" description="Rotate every vendor default, rate limits, file permissions, mass-assignment & session audit." />
  <LinkCard title="2 · Security headers & packages" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/" description="HTTPS + HSTS, .htaccess + middleware headers, force HTTPS, PII encryption, strong passwords." />
  <LinkCard title="3 · Activity logging" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/03-activity-logging/" description="Spatie Activity Log: model changes, auth events, GDPR actions, scheduled cleanup." />
  <LinkCard title="4 · Off-server backups" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/04-backups/" description="The MUST: Spatie Laravel Backup → S3/Spaces/B2/R2 daily, 3-2-1 rule, restore drills." />
  <LinkCard title="5 · Observability" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/05-observability/" description="Full Sentry (crons, perf, release health), log aggregation, uptime + health endpoint, alert escalation." />
  <LinkCard title="6 · Legal, privacy & GDPR" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/06-legal-gdpr/" description="Generate + host Privacy/Terms, cookie consent, GDPR export + deletion, ROPA + DPAs." />
  <LinkCard title="7 · Compliance tracks" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/07-compliance/" description="Reference: when SOC 2 and HIPAA apply, what they cost, and the platforms that automate them." />
</CardGrid>

Start with **[Harden first](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/)** — never monitor a target you haven't secured.

Four jobs, in order: harden the deployed app, give it an audit trail, make it observable, then settle the legal & compliance layer. Don’t monitor an insecure target — security comes first, then observability watches what you secured, and the legal pages make launch lawful. The observability half is an insertable gate: rehearse the stack on staging, or wire the real thing on production.

Phase 7 — secure, observe, then comply

Security precedes observability precedes legal. Each node is a gate, not a suggestion — alerts with no escalation path are just dashboards nobody watches.

Pages in this phase

1 · Harden first Rotate every vendor default, rate limits, file permissions, mass-assignment & session audit.

2 · Security headers & packages HTTPS + HSTS, .htaccess + middleware headers, force HTTPS, PII encryption, strong passwords.

3 · Activity logging Spatie Activity Log: model changes, auth events, GDPR actions, scheduled cleanup.

4 · Off-server backups The MUST: Spatie Laravel Backup → S3/Spaces/B2/R2 daily, 3-2-1 rule, restore drills.

5 · Observability Full Sentry (crons, perf, release health), log aggregation, uptime + health endpoint, alert escalation.

6 · Legal, privacy & GDPR Generate + host Privacy/Terms, cookie consent, GDPR export + deletion, ROPA + DPAs.

7 · Compliance tracks Reference: when SOC 2 and HIPAA apply, what they cost, and the platforms that automate them.

Start with Harden first — never monitor a target you haven’t secured.

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: Phase 7 · Security & monitoring
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 7
- est_time: 6–10 hr
- description: Harden the deployed app (rotate vendor defaults, TLS/HSTS, security headers, rate limits, session/mass-assignment audit), add an audit trail, then make it observable — off-server backups, Sentry, uptime, logs — and close out the legal layer (GDPR, cookie consent) and compliance tracks (SOC 2 / HIPAA).
- tags: codecanyon, laravel, security, monitoring

## Execution rules (binding)
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# Phase 7 · Security & monitoring

Four jobs, in order: **harden** the deployed app, give it an **audit trail**, make it **observable**, then settle the **legal & compliance** layer. Don't monitor an insecure target — security comes first, then observability watches what you secured, and the legal pages make launch lawful. The observability half is an *insertable gate*: rehearse the stack on staging, or wire the real thing on production.

<StageFlow
  title="Phase 7 — secure, observe, then comply"
  caption="Security precedes observability precedes legal. Each node is a gate, not a suggestion — alerts with no escalation path are just dashboards nobody watches."
  stages={[
    { label: 'Harden', sub: 'rotate · throttle · audit', tone: 'core' },
    { label: 'Headers + HTTPS', sub: 'TLS · HSTS · CSP' },
    { label: 'Audit trail', sub: 'activity log' },
    { label: 'Backups + observe', sub: 'Sentry · uptime · logs', tone: 'core' },
    { label: 'Legal + comply', sub: 'GDPR · SOC2 · HIPAA', tone: 'good' },
  ]}
/>

:::note[Gate]
Vendor default credentials rotated, sessions and mass-assignment audited, TLS/HSTS + security headers live, activity logging capturing changes and auth events. **Automated daily backups to off-server storage**, Sentry tracking errors with release health, uptime monitoring with escalation, and log aggregation in place. Privacy/Terms hosted, cookie consent live, GDPR export + deletion working; compliance tracks scoped.
:::

:::note[Idempotent server installs (S10)]
**One `schedule:run` cron per server** — install in [Phase 5 · Secure & verify schema](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/05-secure-verify-schema/) using `crontab -l | grep -v 'schedule:run' ; echo … | crontab -`. Later phases **verify** (`grep -c` must be `1`), never paste a second line. Same rule for `.env` keys: `grep -q '^KEY=' file || echo … >> file`.
:::

## Pages in this phase

<CardGrid>
  <LinkCard title="1 · Harden first" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/" description="Rotate every vendor default, rate limits, file permissions, mass-assignment & session audit." />
  <LinkCard title="2 · Security headers & packages" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/" description="HTTPS + HSTS, .htaccess + middleware headers, force HTTPS, PII encryption, strong passwords." />
  <LinkCard title="3 · Activity logging" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/03-activity-logging/" description="Spatie Activity Log: model changes, auth events, GDPR actions, scheduled cleanup." />
  <LinkCard title="4 · Off-server backups" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/04-backups/" description="The MUST: Spatie Laravel Backup → S3/Spaces/B2/R2 daily, 3-2-1 rule, restore drills." />
  <LinkCard title="5 · Observability" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/05-observability/" description="Full Sentry (crons, perf, release health), log aggregation, uptime + health endpoint, alert escalation." />
  <LinkCard title="6 · Legal, privacy & GDPR" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/06-legal-gdpr/" description="Generate + host Privacy/Terms, cookie consent, GDPR export + deletion, ROPA + DPAs." />
  <LinkCard title="7 · Compliance tracks" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/07-compliance/" description="Reference: when SOC 2 and HIPAA apply, what they cost, and the platforms that automate them." />
</CardGrid>

Start with **[Harden first](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/)** — never monitor a target you haven't secured.

# Phase 7 · Security & monitoring

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/

Four jobs, in order: **harden** the deployed app, give it an **audit trail**, make it **observable**, then settle the **legal & compliance** layer. Don't monitor an insecure target — security comes first, then observability watches what you secured, and the legal pages make launch lawful. The observability half is an *insertable gate*: rehearse the stack on staging, or wire the real thing on production.

<StageFlow
  title="Phase 7 — secure, observe, then comply"
  caption="Security precedes observability precedes legal. Each node is a gate, not a suggestion — alerts with no escalation path are just dashboards nobody watches."
  stages={[
    { label: 'Harden', sub: 'rotate · throttle · audit', tone: 'core' },
    { label: 'Headers + HTTPS', sub: 'TLS · HSTS · CSP' },
    { label: 'Audit trail', sub: 'activity log' },
    { label: 'Backups + observe', sub: 'Sentry · uptime · logs', tone: 'core' },
    { label: 'Legal + comply', sub: 'GDPR · SOC2 · HIPAA', tone: 'good' },
  ]}
/>

:::note[Gate]
Vendor default credentials rotated, sessions and mass-assignment audited, TLS/HSTS + security headers live, activity logging capturing changes and auth events. **Automated daily backups to off-server storage**, Sentry tracking errors with release health, uptime monitoring with escalation, and log aggregation in place. Privacy/Terms hosted, cookie consent live, GDPR export + deletion working; compliance tracks scoped.
:::

:::note[Idempotent server installs (S10)]
**One `schedule:run` cron per server** — install in [Phase 5 · Secure & verify schema](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/05-secure-verify-schema/) using `crontab -l | grep -v 'schedule:run' ; echo … | crontab -`. Later phases **verify** (`grep -c` must be `1`), never paste a second line. Same rule for `.env` keys: `grep -q '^KEY=' file || echo … >> file`.
:::

## Pages in this phase

<CardGrid>
  <LinkCard title="1 · Harden first" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/" description="Rotate every vendor default, rate limits, file permissions, mass-assignment & session audit." />
  <LinkCard title="2 · Security headers & packages" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/02-security-headers-packages/" description="HTTPS + HSTS, .htaccess + middleware headers, force HTTPS, PII encryption, strong passwords." />
  <LinkCard title="3 · Activity logging" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/03-activity-logging/" description="Spatie Activity Log: model changes, auth events, GDPR actions, scheduled cleanup." />
  <LinkCard title="4 · Off-server backups" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/04-backups/" description="The MUST: Spatie Laravel Backup → S3/Spaces/B2/R2 daily, 3-2-1 rule, restore drills." />
  <LinkCard title="5 · Observability" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/05-observability/" description="Full Sentry (crons, perf, release health), log aggregation, uptime + health endpoint, alert escalation." />
  <LinkCard title="6 · Legal, privacy & GDPR" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/06-legal-gdpr/" description="Generate + host Privacy/Terms, cookie consent, GDPR export + deletion, ROPA + DPAs." />
  <LinkCard title="7 · Compliance tracks" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/07-compliance/" description="Reference: when SOC 2 and HIPAA apply, what they cost, and the platforms that automate them." />
</CardGrid>

Start with **[Harden first](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/07-security-monitoring/01-harden/)** — never monitor a target you haven't secured.