
Security

Security measures, headers, and best practices

Content Security Policy (CSP)

The policy sent is: script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; require-trusted-types-for 'script'. 'self' limits scripts and stylesheets to the site's own origin, so an injected <script src="..."> pointing at another host does not load, and object-src 'none' disables plugin content. Caveat: 'unsafe-inline' re-enables inline <script> blocks and on* handler attributes, which is the form most XSS payloads take, so this policy does not block inline scripts and is not a strict (nonce- or hash-based) CSP. require-trusted-types-for 'script' narrows DOM XSS sinks such as innerHTML and eval in browsers that implement Trusted Types; output escaping (next section) remains the primary XSS defence.

XSS Prevention

All dynamic output passes through htmlspecialchars() with ENT_QUOTES | ENT_HTML5, wrapped in the e() helper; no user input is rendered unescaped. This escaping is correct for HTML text and quoted attribute values only: a value placed inside a <script> block, a URL attribute (href, src) or CSS needs context-specific encoding or scheme allow-listing in addition.
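As an added example (not the project's own e() helper, and written for PHP 8), the escaping wrapper the section describes, plus the two contexts where HTML escaping alone is not enough. The helper names js_literal() and safe_href() and the attacker-controlled inputs are constructed for the demonstration:

```php
<?php
declare(strict_types=1);

// Added example (not the project's e() helper): the escaping wrapper the
// page describes, plus the two contexts where HTML escaping alone is not enough.

function e(?string $value): string
{
    // ENT_QUOTES escapes both " and ', so the result is safe inside single-
    // or double-quoted attributes as well as text content. ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// A value placed inside a <script> block: JSON-encode with the HTML-safe flags
// so "</script>" and quotes cannot break out of the string literal.
function js_literal(mixed $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A value used as a link target: e() would pass "javascript:alert(1)" through
// untouched, because it contains nothing that needs HTML escaping. Allow-list
// the scheme first, then escape for the attribute.
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['', 'http', 'https'], true) ? e($url) : '#';
}

// Constructed attacker-controlled inputs for the demonstration.
$name  = '<img src=x onerror=alert(1)>';
$title = '" onmouseover="alert(1)';
$link  = 'javascript:alert(1)';

echo '<p>Hello, ' . e($name) . '</p>', PHP_EOL;                   // text context
echo '<input value="' . e($title) . '">', PHP_EOL;                 // attribute context
echo '<script>var user = ' . js_literal($name) . ';</script>', PHP_EOL;
echo '<a href="' . safe_href($link) . '">profile</a>', PHP_EOL;
```

Relative links (empty scheme) are allowed by safe_href(); anything other than http/https is replaced by "#" rather than escaped, because escaping cannot make a javascript: URL safe.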

CSRF Protection

Token-based CSRF protection via generate_csrf() and validate_csrf(): the token is generated server-side, stored in the PHP session and checked on every state-changing request (the comparison should use hash_equals() to avoid a timing side channel). The session cookie itself carries the HttpOnly, Secure and SameSite=Strict attributes, so the token cannot be read by script and the session is not attached to cross-site requests in the first place.
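An added example of this pattern (a hypothetical implementation, not the project's own generate_csrf()/validate_csrf()); the field name csrf_token and the session key are assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not the project's code: a per-session CSRF token, embedded
// in forms and compared in constant time on every POST.

function generate_csrf(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // One token per session keeps multiple open tabs working; it is rotated
    // whenever the session itself is regenerated (login, logout).
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

function validate_csrf(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false;   // no token issued yet, or none submitted
    }
    // hash_equals() compares in constant time, so byte-by-byte mismatches
    // cannot be distinguished by response timing.
    return hash_equals($expected, $submitted);
}

// Hidden field for templates; the token is escaped like any other output.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(generate_csrf(), ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Usage in a state-changing handler: refuse before doing any work.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!validate_csrf($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the action ...
}

echo '<form method="post">' . csrf_field() . '<button>Save</button></form>';
```

The SameSite=Strict session cookie and the token are complementary: the cookie attribute is enforced by the browser, the token by the server, and either one alone failing (an old browser, a same-site XSS) still leaves the other in place.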

SQL Injection Prevention

The codebase currently contains no SQL queries. When database access is added, every query must be a parameterized prepared statement via PDO or MySQLi; user-controlled values are never concatenated into query text. Values that cannot be bound as parameters (table and column names, ORDER BY direction) must be checked against an allow-list instead.
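An added example, not project code, showing the forbidden concatenation beside the required prepared statement and the allow-list for non-bindable parts. It uses an in-memory SQLite database so it runs without a server; the users table, its rows and the order_clause() helper are constructed for the demonstration:

```php
<?php
declare(strict_types=1);

// Added example, not the project's code: PDO prepared statements versus
// string-built SQL, on a constructed in-memory SQLite table.

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // server-side prepares where the driver supports them
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed hostile input: the classic tautology payload.
$input = "' OR '1'='1";

// FORBIDDEN: concatenation turns the WHERE clause into
//   name = '' OR '1'='1'
// so the predicate is true for every row.
$rows = $pdo->query("SELECT name FROM users WHERE name = '$input'")->fetchAll();
printf("concatenated: %d row(s)\n", count($rows));

// REQUIRED: the value travels separately from the statement text, so it is
// only ever compared as data; no user named "' OR '1'='1" exists.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
printf("parameterized: %d row(s)\n", count($stmt->fetchAll()));

// Identifiers and keywords cannot be bound. Map user input onto a fixed
// allow-list and interpolate only the allow-listed value.
function order_clause(string $column, string $dir): string
{
    $columns = ['name' => 'name', 'id' => 'id'];
    $dirs    = ['asc' => 'ASC', 'desc' => 'DESC'];
    return 'ORDER BY ' . ($columns[$column] ?? 'id') . ' ' . ($dirs[strtolower($dir)] ?? 'ASC');
}

$stmt = $pdo->prepare('SELECT name FROM users WHERE role = :role ' . order_clause('name', 'desc'));
$stmt->execute([':role' => 'user']);
print_r($stmt->fetchAll());
```

ATTR_EMULATE_PREPARES is set to false so that, on MySQL, the statement and its parameters are really sent separately instead of being escaped client-side; SQLite prepares natively regardless.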

Brute Force Protection

File-based rate limiting via prevent_bruteforce() and log_bruteforce(): failed attempts are recorded per client IP, and further attempts are refused once a configurable maximum is reached inside a configurable time window. When the application runs behind a reverse proxy, the limiter must key on the real client address rather than the proxy's, otherwise all clients share one bucket.
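An added example of a file-backed limiter of this kind (a hypothetical implementation, not the project's prevent_bruteforce()/log_bruteforce()). It assumes one JSON file per IP under a state directory outside the web root, a sliding window, and flock() to serialize concurrent requests from the same client; the directory, limits and client address are constructed for the demonstration:

```php
<?php
declare(strict_types=1);

// Added example, not the project's code: sliding-window rate limiting
// backed by one small JSON file per client IP.

const BF_DIR          = '/tmp/bruteforce';   // hypothetical state directory (outside the web root)
const BF_MAX_ATTEMPTS = 5;
const BF_WINDOW       = 900;                 // seconds

function bf_path(string $ip): string
{
    // Hash the IP so the key is always a safe filename (IPv6 contains ':').
    return BF_DIR . '/' . hash('sha256', $ip) . '.json';
}

// Timestamps of failed attempts still inside the window.
function bf_attempts(string $ip, int $now): array
{
    $raw = @file_get_contents(bf_path($ip));
    $attempts = $raw === false ? [] : (json_decode($raw, true) ?: []);
    return array_values(array_filter($attempts, fn(int $t) => $t > $now - BF_WINDOW));
}

// true = the client may try again; false = locked out for the rest of the window.
function prevent_bruteforce(string $ip, ?int $now = null): bool
{
    $now ??= time();
    return count(bf_attempts($ip, $now)) < BF_MAX_ATTEMPTS;
}

// Record one failed attempt. Read-modify-write happens under an exclusive
// lock so two concurrent failures cannot overwrite each other.
function log_bruteforce(string $ip, ?int $now = null): void
{
    $now ??= time();
    if (!is_dir(BF_DIR)) {
        mkdir(BF_DIR, 0700, true);
    }
    $fh = fopen(bf_path($ip), 'c+');
    flock($fh, LOCK_EX);
    $attempts   = bf_attempts($ip, $now);
    $attempts[] = $now;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($attempts));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
}

// Demonstration with a constructed client address. Behind a reverse proxy,
// derive $ip from the header the trusted proxy sets instead of REMOTE_ADDR.
$ip = '203.0.113.7';
$t  = time();
for ($i = 1; $i <= BF_MAX_ATTEMPTS + 1; $i++) {
    $allowed = prevent_bruteforce($ip, $t);
    printf("attempt %d: %s\n", $i, $allowed ? 'allowed' : 'blocked');
    if ($allowed) {
        log_bruteforce($ip, $t);   // in real code: called only after a failed login
    }
}
```

Once BF_MAX_ATTEMPTS failures are recorded inside BF_WINDOW, prevent_bruteforce() returns false until the oldest one ages out; expired timestamps are dropped on every read, so the files never grow unbounded.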

HTTP Security Headers

HSTS with preload (the preload directive only takes effect once the domain is submitted to the HSTS preload list, which requires a max-age of at least one year and includeSubDomains), X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and a Permissions-Policy that disables camera, microphone and geolocation.
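An added example, not the project's own header code, serving both the CSP section and this one: a function that sends the headers listed here from PHP and shows the nonce-based alternative to 'unsafe-inline' that makes the policy strict. The base-uri and frame-ancestors directives, the 'strict-dynamic' fallback and the function name are assumptions, not part of the documented policy:

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Must be called before any output;
// the nonce it returns is echoed into the page's own <script> tags.
function send_security_headers(bool $nonce_based = true): string
{
    $nonce = base64_encode(random_bytes(16));   // fresh, unguessable, per response

    if ($nonce_based) {
        // Strict CSP: only scripts carrying this nonce run. 'strict-dynamic'
        // lets those trusted scripts load further scripts; 'self' and https:
        // are ignored by CSP3 browsers and only serve as a fallback for older ones.
        $script = "script-src 'nonce-$nonce' 'strict-dynamic' 'self' https:";
    } else {
        // The policy documented above: same-origin scripts plus inline ones,
        // which still allows an injected <script>alert(1)</script> to run.
        $script = "script-src 'self' 'unsafe-inline'";
    }

    header('Content-Security-Policy: ' . implode('; ', [
        $script,
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",          // assumption: stops <base> injection redirecting relative script URLs
        "frame-ancestors 'self'",   // assumption: CSP equivalent of X-Frame-Options SAMEORIGIN
        "require-trusted-types-for 'script'",
    ]));

    // Preload eligibility needs all three: max-age >= 1 year, includeSubDomains, preload.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');

    return $nonce;
}

$nonce = send_security_headers();
$attr  = htmlspecialchars($nonce, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo '<script nonce="' . $attr . '">console.log("allowed: carries the nonce");</script>';
echo '<script>console.log("refused by the nonce-based policy");</script>';
```

With the nonce-based form, an injected inline script has no way to learn the nonce (it is generated per response and never stored), so the second <script> above is refused even though it is inline and same-origin.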

Nginx Hardening

server_tokens off (hides the nginx version in the Server header and on error pages), API rate limiting at 60 requests per minute per client address, a deny rule for hidden files and directories (paths containing /.), and an allow-list that exempts only the ACME challenge path (/.well-known/acme-challenge/) so certificate renewal still works.
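An added configuration fragment, not the project's nginx.conf, showing the four measures above together with the ordering rule that makes the ACME exemption actually work. The zone name, burst size, document root, server name and certificate paths are assumptions:

```nginx
# Added example, not the project's configuration.
http {
    server_tokens off;   # "Server: nginx" instead of "nginx/1.x.y"; also hides the version on error pages

    # 60 requests per minute per client address, tracked in a 10 MB shared zone
    # named "api" (assumption); keyed on $binary_remote_addr to keep entries small.
    limit_req_zone $binary_remote_addr zone=api:10m rate=60r/m;

    server {
        listen 443 ssl;
        server_name example.com;
        root /var/www/html;
        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;   # assumed paths
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        # "^~" makes this prefix match final: nginx will not go on to evaluate
        # regex locations for it. Without ^~ the /\. regex below would win and
        # the CA could not fetch the challenge file.
        location ^~ /.well-known/acme-challenge/ {
            default_type text/plain;
            allow all;
        }

        # Every other dotfile or dotdir (.git, .env, .htaccess, ...) is refused (403).
        location ~ /\. {
            deny all;
        }

        location /api/ {
            limit_req zone=api burst=20 nodelay;   # absorb short bursts; excess is rejected
            limit_req_status 429;                  # 429 instead of the default 503
            try_files $uri /index.php$is_args$args;   # PHP-FPM handler omitted here
        }
    }
}
```

Check the result with nginx -t and then with two requests: curl -I https://example.com/.env must return 403, while curl https://example.com/.well-known/acme-challenge/test must reach the file system rather than the deny rule.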

Direct Access Prevention

Every PHP include checks basename(__FILE__) === basename($_SERVER['SCRIPT_FILENAME']) and responds 403 if the file was requested directly rather than included. Caveat: because only the basename is compared, an include with the same file name as the entry script (for example a second index.php in a subdirectory) is wrongly treated as direct access, and $_SERVER['SCRIPT_FILENAME'] is not set when scripts run from the CLI. Keeping include files outside the web root, or denying them in the web server configuration, is the more robust control.

Input Validation

validate_url() sanitizes path input, sanitize_filename() strips every character that is not alphanumeric, and IP addresses are validated with filter_var() (FILTER_VALIDATE_IP). Stripping characters is not on its own a traversal defence: a sanitized name must still be joined to a fixed base directory and the resolved path checked to lie inside it. For addresses the server will itself connect to, filter_var() should also be given FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE so that loopback, RFC 1918 and link-local targets are rejected.
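An added example (hypothetical implementations, not the project's validate_url()/sanitize_filename(), written for PHP 8) of the three controls: filename sanitizing that rejects rather than silently accepts traversal remnants, path containment via realpath(), and IP validation with the private/reserved range flags. The base directory (the system temp directory) and the sample inputs are constructed for the demonstration:

```php
<?php
declare(strict_types=1);

// Added example, not the project's code.

// Keep only [A-Za-z0-9._-], replace runs of anything else with "_", and
// refuse names that survive sanitising but are still dangerous: "..",
// a leading dot (hidden files), or an empty/overlong result.
function sanitize_filename(string $name): ?string
{
    $name = preg_replace('/[^A-Za-z0-9._-]+/', '_', basename($name)) ?? '';
    $name = trim($name, '._');
    return ($name === '' || strlen($name) > 255) ? null : $name;
}

// Join a relative name to a fixed base and prove the resolved parent directory
// is still inside it. realpath() also collapses symlinks, which plain string
// checks on "../" miss.
function safe_path(string $base, string $relative): ?string
{
    $base = realpath($base);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($relative, '/\\');
    $dir = realpath(dirname($candidate));   // the file itself may not exist yet
    if ($dir === false) {
        return null;
    }
    $inside = $dir === $base || str_starts_with($dir, $base . DIRECTORY_SEPARATOR);
    return $inside ? $dir . DIRECTORY_SEPARATOR . basename($candidate) : null;
}

// FILTER_VALIDATE_IP alone accepts 127.0.0.1, 10.0.0.0/8 and 169.254.169.254.
// For any address the server will connect to (webhooks, URL fetches), also
// exclude private and reserved ranges so the request cannot reach the LAN
// or a cloud metadata endpoint.
function validate_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Constructed inputs.
$base = sys_get_temp_dir();
var_dump(sanitize_filename('report 2024.pdf'));
var_dump(sanitize_filename('../../etc/passwd'));
var_dump(sanitize_filename('.htaccess'));
var_dump(sanitize_filename('..'));
var_dump(safe_path($base, 'report.pdf'));
var_dump(safe_path($base, 'sub/../../../etc/passwd'));
var_dump(validate_public_ip('8.8.8.8'));
var_dump(validate_public_ip('10.0.0.5'));
var_dump(validate_public_ip('169.254.169.254'));
```

sanitize_filename() returns null instead of a "cleaned" name when nothing safe remains, so callers must treat null as a rejection rather than fall back to an empty filename; safe_path() likewise returns null for any name that resolves outside $base, whatever characters it used to get there.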

Session Security

Session cookies are set with HttpOnly, Secure and SameSite=Strict. session.use_strict_mode is enabled, so PHP rejects session IDs it did not issue, which defeats session fixation. Session IDs are generated with random_bytes(). The session ID should also be regenerated (session_regenerate_id(true)) at login, logout and any other privilege change.
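An added example, not the project's session bootstrap, that applies the settings above before session_start() and regenerates the ID on privilege changes. The function names and session keys are assumptions; it relies on PHP's built-in ID generation, which has drawn from the CSPRNG since 7.1, rather than a custom random_bytes() handler:

```php
<?php
declare(strict_types=1);

// Added example, not the project's code.

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Reject IDs the server did not issue: an attacker who plants a session
    // cookie on a victim before login gets a fresh ID instead of sharing theirs.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,       // never sent over plain HTTP
        'httponly' => true,       // not readable from JavaScript (limits XSS to same-request abuse)
        'samesite' => 'Strict',   // not attached to any cross-site request
    ]);
    session_start();
}

// On login (and any role change): a new ID invalidates anything captured
// before the change; true deletes the old session file rather than leaving it readable.
function login_user(int $user_id): void
{
    secure_session_start();
    session_regenerate_id(true);
    $_SESSION['user_id']  = $user_id;
    $_SESSION['login_at'] = time();
}

function logout_user(): void
{
    secure_session_start();
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

login_user(42);
var_dump(session_id() !== '', $_SESSION['user_id']);
logout_user();
```

Because use_strict_mode is on, a client that presents an unknown session ID is issued a new one instead of having its chosen ID adopted, which is the property that makes session fixation fail regardless of how the attacker delivered the cookie.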