- <?php
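// Prevent direct access: refuse to serve this include as the requested script.
// SCRIPT_FILENAME is the path the server actually resolved, whereas PHP_SELF can
// carry client-controlled PATH_INFO (e.g. /index.php/security.php) whose basename
// would match and wrongly 403 a legitimate include through index.php.
$requestedScript = $_SERVER['SCRIPT_FILENAME'] ?? '';
if ($requestedScript !== '' && realpath($requestedScript) === __FILE__) {
    http_response_code(403);
    exit("Forbidden");
}
unset($requestedScript); // do not leak a helper variable into the including scope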
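// Security headers (must run before any output)
header('X-Frame-Options: SAMEORIGIN');
// Legacy XSS auditor explicitly disabled: it has been removed from current browsers
// and, where still present, the filter itself can be abused for cross-site leaks.
// Current guidance (OWASP Secure Headers Project) is to send "0" and rely on CSP.
header('X-XSS-Protection: 0');
header('X-Content-Type-Options: nosniff');
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self';");
header('Referrer-Policy: strict-origin-when-cross-origin');
// HSTS is only honoured on a TLS response; send it only when this request is HTTPS
// so the "HTTPS only" intent is enforced rather than left to the deployer.
if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
}
header_remove("X-Powered-By");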
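// Error handling: report everything, but log instead of display.
// error_reporting(0) would also silence logging — log_errors only records errors
// that pass the error_reporting mask — so security.log would never receive anything.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
if (!is_dir(__DIR__ . '/logs')) {
    // 0700 keeps the directory private to the PHP process user. A failed mkdir is not
    // fatal: errors then go to the SAPI's default error_log target instead.
    mkdir(__DIR__ . '/logs', 0700, true);
}
if (is_dir(__DIR__ . '/logs')) {
    ini_set('error_log', __DIR__ . '/logs/security.log');
}
// NOTE(review): __DIR__ . '/logs' sits beside this file; if that is inside the web
// root the log file may be served over HTTP — confirm the web server denies it.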
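// Secure session cookies
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? '1' : '0');
ini_set('session.use_only_cookies', '1');
// Reject client-supplied session IDs the handler never issued (session fixation defence
// that the regenerate_id below complements rather than replaces).
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_samesite', 'Strict'); // PHP >= 7.3
// Guard against a second session_start() when a caller already started the session
// (it would only emit a notice and return false).
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}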
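// Session fixation & binding: tie the session to the client fingerprint seen at creation.
// NOTE(review): binding to REMOTE_ADDR logs out clients whose address changes mid-session
// (mobile networks, rotating proxies); keep it only if that trade-off is intended.
if (!isset($_SESSION['initiated'])) {
    session_regenerate_id(true); // drop any pre-existing ID so a fixated one is never kept
    $_SESSION['initiated'] = true;
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
} elseif (
    // `?? null` keeps a session that predates these keys from raising "undefined index";
    // such a session still fails the comparison and is discarded.
    ($_SESSION['user_agent'] ?? null) !== ($_SERVER['HTTP_USER_AGENT'] ?? '')
    || ($_SESSION['ip'] ?? null) !== ($_SERVER['REMOTE_ADDR'] ?? '')
) {
    session_unset();
    session_destroy();
    error_log("Session hijack attempt blocked.");
    exit("Session Error");
}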
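/**
 * Escape a value for insertion into an HTML text or attribute context.
 *
 * Sanitize on output, not on input: superglobals are left untouched.
 * ENT_SUBSTITUTE makes invalid UTF-8 come back as U+FFFD instead of an empty
 * string, which otherwise silently discards the whole value.
 *
 * @param string|null $data raw value; null is treated as ''
 */
function clean_input(?string $data): string
{
    return htmlspecialchars(trim((string) $data), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}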
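/**
 * Include a file only if it resolves to a regular file inside this directory tree.
 *
 * realpath() resolves symlinks and ".." first, so a traversal that escapes the
 * tree is judged on the canonical path. The prefix is compared with a trailing
 * separator so a sibling directory whose name merely starts with this one
 * (e.g. "<dir>-old") is not accepted. On rejection the request ends with 403;
 * the function does not return.
 *
 * Note: `include` inside a function gives the included file this function's
 * (empty) local scope, not the caller's.
 *
 * @param string $file path, relative to the current working directory or absolute
 */
function safe_include(string $file): void
{
    $realpath = realpath($file);
    $allowedRoot = __DIR__ . DIRECTORY_SEPARATOR;
    $insideRoot = $realpath !== false
        && is_file($realpath)
        && strncmp($realpath, $allowedRoot, strlen($allowedRoot)) === 0;
    if (!$insideRoot) {
        error_log("Blocked unsafe include attempt: $file");
        http_response_code(403);
        exit("Invalid include");
    }
    include $realpath;
}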
/**
 * Return the session's CSRF token, minting one on first use
 * (64 hex characters from 32 CSPRNG bytes).
 */
function generate_csrf_token()
{
    $existing = $_SESSION['csrf_token'] ?? null;
    if (!empty($existing)) {
        return $existing;
    }
    $fresh = bin2hex(random_bytes(32));
    $_SESSION['csrf_token'] = $fresh;
    return $fresh;
}
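/**
 * Constant-time comparison of a submitted token against the session token.
 *
 * Any submitted value is accepted so that a malformed request (an array from
 * `csrf_token[]`, or a missing field yielding null) is reported as invalid
 * instead of raising a TypeError from hash_equals().
 *
 * @param mixed $token value taken from the request
 */
function verify_csrf_token($token): bool
{
    if (!is_string($token) || !isset($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $token);
}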
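// Hardening that cannot be done from this file:
// - disable_functions is PHP_INI_SYSTEM: ini_set() on it silently returns false, so the
//   list previously attempted here (exec, passthru, shell_exec, system, proc_open, popen,
//   curl_exec, curl_multi_exec, parse_ini_file, show_source) must go in php.ini or the
//   FPM pool config to have any effect.
// - The inline frame-busting <script> that used to be echoed here was blocked by this
//   file's own Content-Security-Policy (script-src 'self' forbids inline script), called
//   a non-existent proxyLocation() function, and emitted output ahead of the page.
//   Clickjacking is already covered by X-Frame-Options: SAMEORIGIN and CSP frame-ancestors.
// - Keep the PHP runtime on a supported release (manual check, not code).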
- ?>