# Final Security Checklist

- All database credentials must live in `.env` only.
- Disable debug mode in production.
- Enforce authentication on Admin, Customer and Courier routes.
- Enforce authorization policies for company/customer/courier boundaries.
- Do not expose legacy uploaded SQL or source zips under public web root.
- All financial changes must be logged with user ID, timestamp and reason.
- Excel uploads must validate file type, row count and required columns.
- Uploaded files must not execute as PHP.
- Production backups must be tested by restoring to staging.