diff --git a/system/Security/Security.php b/system/Security/Security.php
index 5e59928a2842..b0854b8967a2 100644
--- a/system/Security/Security.php
+++ b/system/Security/Security.php
@@ -97,9 +97,10 @@ class Security implements SecurityInterface
 	 * Allowed values are: None - Lax - Strict - ''.
 	 *
 	 * Defaults to `Lax` as recommended in this link:
+	 *
 	 * @see https://portswigger.net/web-security/csrf/samesite-cookies
 	 *
-       * @var string 'Lax'|'None'|'Strict'
+	 * @var string 'Lax'|'None'|'Strict'
 	 */
 	protected $samesite = 'Lax';
 
@@ -147,7 +148,7 @@ public function __construct($config)
 	 * @param RequestInterface $request
 	 *
 	 * @return $this|false
-	 * 
+	 *
 	 * @throws SecurityException
 	 *
 	 * @deprecated Use `CodeIgniter\Security\Security::verify()` instead of using this method.
@@ -193,7 +194,7 @@ public function getCSRFTokenName(): string
 	 * @param RequestInterface $request
 	 *
 	 * @return $this|false
-	 * 
+	 *
 	 * @throws SecurityException
 	 */
 	public function verify(RequestInterface $request)
@@ -354,8 +355,37 @@ public function sanitizeFilename(string $str, bool $relativePath = false): strin
 	{
 		// List of sanitize filename strings
 		$bad = [
-			'../', '<!--', '-->', '<', '>', "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', ';', '?',
-			'%20', '%22', '%3c', '%253c', '%3e', '%0e', '%28', '%29', '%2528', '%26', '%24', '%3f', '%3b', '%3d',
+			'../',
+			'<!--',
+			'-->',
+			'<',
+			'>',
+			"'",
+			'"',
+			'&',
+			'$',
+			'#',
+			'{',
+			'}',
+			'[',
+			']',
+			'=',
+			';',
+			'?',
+			'%20',
+			'%22',
+			'%3c',
+			'%253c',
+			'%3e',
+			'%0e',
+			'%28',
+			'%29',
+			'%2528',
+			'%26',
+			'%24',
+			'%3f',
+			'%3b',
+			'%3d',
 		];
 
 		if (! $relativePath)
@@ -391,8 +421,7 @@ protected function generateHash(): string
 			// We don't necessarily want to regenerate it with
 			// each page load since a page could contain embedded
 			// sub-pages causing this feature to fail
-			if (
-				isset($_COOKIE[$this->cookieName])
+			if (isset($_COOKIE[$this->cookieName])
 				&& is_string($_COOKIE[$this->cookieName])
 				&& preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->cookieName]) === 1
 			)
@@ -413,7 +442,7 @@ protected function generateHash(): string
 	 *
 	 * @param RequestInterface $request
 	 *
-	 * @return Security|false
+	 * @return             Security|false
 	 * @codeCoverageIgnore
 	 */
 	protected function sendCookie(RequestInterface $request)
@@ -434,7 +463,7 @@ protected function sendCookie(RequestInterface $request)
 		{
 			// In PHP < 7.3.0, there is a "hacky" way to set the samesite parameter
 			$samesite = '';
-			
+
 			if (! empty($this->samesite))
 			{
 				$samesite = '; samesite=' . $this->samesite;
@@ -458,6 +487,7 @@ protected function sendCookie(RequestInterface $request)
 				$params['samesite'] = $this->samesite;
 			}
 
+			// @phpstan-ignore-next-line @todo ignore to be removed in 4.1 with rector 0.9
 			setcookie($this->cookieName, $this->hash, $params);
 		}
 
diff --git a/system/Session/Session.php b/system/Session/Session.php
index fd3cc2e27009..0bc3d66cf218 100644
--- a/system/Session/Session.php
+++ b/system/Session/Session.php
@@ -125,7 +125,7 @@ class Session implements SessionInterface
 	 * Cookie SameSite setting as described in RFC6265
 	 * Must be 'None', 'Lax' or 'Strict'.
 	 *
-       * @var string 'Lax'|'None'|'Strict'
+	 * @var string 'Lax'|'None'|'Strict'
 	 */
 	protected $cookieSameSite = 'Lax';
 
@@ -1070,11 +1070,8 @@ protected function setCookie()
 				$params['samesite'] = $this->cookieSameSite;
 			}
 
-			setcookie(
-				$this->sessionCookieName,
-				session_id(),
-				$params
-			);
+			// @phpstan-ignore-next-line @todo ignore to be removed in 4.1 with rector 0.9
+			setcookie($this->sessionCookieName, session_id(), $params);
 		}
 	}