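<?php

// Prevent direct access.
// This file is meant to be included by an entry script, never requested on
// its own. Compare with === (== would coerce operands) and tolerate a
// missing PHP_SELF (CLI). NOTE(review): a basename match is a weak test — an
// entry script that happens to share this file's name is refused as well —
// comparing realpath($_SERVER['SCRIPT_FILENAME']) to __FILE__ would be stricter.
if (basename($_SERVER['PHP_SELF'] ?? '') === basename(__FILE__)) {
    http_response_code(403);
    exit('Forbidden');
}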
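// Security headers.
// Must run before any output: header() becomes a no-op (with a warning) once
// the body has started, so this file has to be the first include.
header('X-Frame-Options: SAMEORIGIN');
// X-XSS-Protection is deliberately not sent: the filter it controlled is gone
// from current browsers (the original marked it "consider removing").
header('X-Content-Type-Options: nosniff');
header('Referrer-Policy: no-referrer');
header('Permissions-Policy: geolocation=(), microphone=(), camera=()');
// HSTS is only meaningful over TLS; the original sent it unconditionally
// despite its own "if HTTPS" note.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
if ($isHttps) {
    header('Strict-Transport-Security: max-age=63072000; includeSubDomains; preload');
}
// This policy allows no inline script; if the application needs some, widen
// script-src with nonces or hashes rather than 'unsafe-inline'.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';");
header_remove('X-Powered-By');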
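// Error handling.
// Report everything, but only to the log. error_reporting(0) would also
// silence log_errors, so the security log stayed empty; display_errors is
// kept off so paths and stack traces never reach the client.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// logs/ must exist, be writable by the web server user and not be served
// publicly; if it is missing, logging fails silently.
ini_set('error_log', __DIR__ . '/logs/security.log');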
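// Secure sessions.
// All cookie/session ini values are set before session_start(): they cannot
// be changed once a session is active.
ini_set('session.cookie_httponly', '1');                // not readable from script
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
ini_set('session.cookie_secure', $isHttps ? '1' : '0'); // TLS-only cookie when served over HTTPS
ini_set('session.use_only_cookies', '1');               // never accept the id from the URL
// Reject client-supplied ids the server never issued instead of adopting
// them; this is the server-side defence against session fixation and is
// independent of the regenerate_id() call that follows.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_samesite', 'Strict');
session_name('SECURESESSIONID');
// Skip session_start() if an entry script already started one, to avoid the
// "session already active" notice.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}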
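// Session fixation & binding.
// On first use, replace whatever id the client presented with a fresh one
// (regenerate_id(true) also removes the old session data) and record the
// client's User-Agent and address. On later requests a change in either is
// treated as a stolen cookie and the session is discarded.
// NOTE(review): binding to REMOTE_ADDR logs out users whose address changes
// mid-session (mobile, carrier NAT); behind a reverse proxy REMOTE_ADDR is
// the proxy itself, so the address check then adds nothing.
if (!isset($_SESSION['initiated'])) {
    session_regenerate_id(true);
    $_SESSION['initiated'] = true;
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
} elseif (
    ($_SESSION['user_agent'] ?? null) !== ($_SERVER['HTTP_USER_AGENT'] ?? '')
    || ($_SESSION['ip'] ?? null) !== ($_SERVER['REMOTE_ADDR'] ?? '')
) {
    // "?? null": a session created before these keys existed would otherwise
    // raise an undefined-index warning; it still compares as a mismatch and is
    // rejected, just without the noise.
    session_unset();
    session_destroy();
    // Expire the cookie as well so the client stops presenting the dead id.
    $cookie = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600,
        'path' => $cookie['path'],
        'domain' => $cookie['domain'],
        'secure' => $cookie['secure'],
        'httponly' => $cookie['httponly'],
        'samesite' => $cookie['samesite'],
    ]);
    // The address is logged so the event can be correlated during response.
    error_log('Session hijack attempt blocked. remote_addr=' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(403);
    exit('Session Error');
}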
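// Input sanitization.
/**
 * Recursively trim and HTML-escape a request value.
 *
 * NOTE(review): escaping at input time (and then overwriting $_GET/$_POST/
 * $_COOKIE with the result) is the wrong layer — values that are stored or
 * emitted into a non-HTML context (JSON, SQL, URLs) arrive pre-encoded or are
 * still unsafe there. Escaping belongs at output, per context. Kept because
 * existing callers rely on the escaped form.
 *
 * @param mixed $data string, other scalar, null, or a (nested) array of those
 * @return string|array escaped string, or an array of the same shape and keys
 */
function clean_input($data)
{
    if (is_array($data)) {
        // array_map preserves string keys, so nested request arrays keep shape.
        return array_map('clean_input', $data);
    }
    // ENT_SUBSTITUTE: an invalid UTF-8 sequence becomes U+FFFD instead of the
    // whole value collapsing to '' (which silently discards the input). The
    // cast covers null and non-string scalars (trim(null) is deprecated in 8.1).
    return htmlspecialchars(trim((string) $data), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}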
// Overwrite the request superglobals in place so every later read sees the
// escaped form. $_COOKIE is rewritten after session_start() has already
// consumed the raw session cookie.
foreach (['_GET', '_POST', '_COOKIE'] as $superglobal) {
    $GLOBALS[$superglobal] = clean_input($GLOBALS[$superglobal]);
}
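// Safe include.
/**
 * Include a PHP file only if it resolves to a path inside this directory.
 *
 * realpath() collapses '..' and symlinks, so the check is made on the
 * resolved path. The prefix compared is __DIR__ plus a separator: the bare
 * strpos() prefix test also accepted a sibling directory whose name merely
 * starts with the same characters (e.g. "<dir>2/"). Because include runs in
 * this function's scope, variables the included file defines are not visible
 * to the caller.
 *
 * Fails closed: a rejected path is logged and the request ends with 403.
 *
 * @param string $file candidate path, relative or absolute
 * @return void
 */
function safe_include($file)
{
    $realpath = realpath((string) $file);
    $base = __DIR__ . DIRECTORY_SEPARATOR;
    $inside = $realpath !== false && strncmp($realpath, $base, strlen($base)) === 0;
    $isPhp = $realpath !== false && pathinfo($realpath, PATHINFO_EXTENSION) === 'php';
    if ($inside && $isPhp) {
        include $realpath;
        return;
    }
    // The raw argument goes to the log only; it is never echoed to the client.
    error_log("Blocked unsafe include attempt: $file");
    http_response_code(403);
    exit("Invalid include");
}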
// CSRF protection.
/**
 * Return the per-session CSRF token, minting one on first use.
 *
 * The token is 64 hex characters from 32 bytes of CSPRNG output and stays
 * the same for the rest of the session, so it can be embedded in forms and
 * checked later with verify_csrf_token().
 *
 * @return string
 */
function generate_csrf_token()
{
    if (!empty($_SESSION['csrf_token'])) {
        return $_SESSION['csrf_token'];
    }
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $token;
    return $token;
}
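/**
 * Check a submitted CSRF token against the one stored in the session.
 *
 * hash_equals() compares in constant time but requires two strings; a
 * missing, empty or array-valued $token (an absent form field, or a
 * parameter sent as an array) is rejected up front instead of raising a
 * TypeError. That is a normal "no valid token" outcome, not an error.
 *
 * @param mixed $token value read from the request
 * @return bool true only when a session token exists and matches exactly
 */
function verify_csrf_token($token)
{
    if (!is_string($token) || $token === '') {
        return false;
    }
    $expected = $_SESSION['csrf_token'] ?? null;
    return is_string($expected) && hash_equals($expected, $token);
}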