Phase 1 โ security plumbing
Available only when APP_DEBUG=true. Remove or hide this route in production builds.
CSRF
Forms that change state must include a valid session token.
Login throttle
Identity: demo@example.com
Window: 900s ยท Max: 5
Current attempts in window: 0
Database (PDO)
Runs SELECT 1 via k2_db() with CSRF-protected POST.