Security hardening: rate limiting, atomic locks, origin check, honest docs
API / Security: - Add api/_helpers.php: shared send_security_headers(), verify_origin(), get_hmac_secret(), check_rate_limit(), read_json_locked(), write_json_locked() - shorten.php: remove Access-Control-Allow-Origin:*, restrict to same-origin, rate-limit 20 req/h per IP, atomic JSON read+lock, HMAC secret from file - verify.php: rate-limit GET (30/min) and POST (10/h) per IP, atomic lock, prevent overwriting existing proofs, origin check on POST - node.php: fix rate limit from 1000 to 60 req/min, add security headers, origin check - check-short.php: add security headers, re-derive signature server-side - s.php: use file-based HMAC secret via get_hmac_secret(), hash_equals() for timing-safe comparison Service Worker: - sw.js: navigation requests (mode=navigate) never served from cache; network-first with offline fallback to prevent stale invoice state Documentation (honest claims): - README: tagline "No backend" -> "No tracking"; new Architecture table listing exactly what server sees for each feature; Security Model section - index.html: meta description and footer updated from "No Backend" to "Minimal Backend" - i18n.js footer: already updated in previous commit
This commit is contained in:
Alexander Schmidt
83
api/_helpers.php
Normal file
83
api/_helpers.php
Normal file
@@ -0,0 +1,83 @@
|
||||
<?php
|
||||
/**
|
||||
* Shared security helpers for xmrpay.link API
|
||||
*/
|
||||
|
||||
// ── Security headers ──────────────────────────────────────────────────────────
|
||||
function send_security_headers(): void {
|
||||
header('X-Content-Type-Options: nosniff');
|
||||
header('X-Frame-Options: DENY');
|
||||
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
|
||||
header('Referrer-Policy: no-referrer');
|
||||
header('Permissions-Policy: geolocation=(), microphone=(), camera=()');
|
||||
}
|
||||
|
||||
// ── Origin verification ───────────────────────────────────────────────────────
|
||||
function verify_origin(): void {
|
||||
$allowed = [
|
||||
'https://xmrpay.link',
|
||||
'http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion',
|
||||
];
|
||||
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
|
||||
// Allow same-origin (no Origin header from direct same-origin requests)
|
||||
if ($origin === '') return;
|
||||
if (!in_array($origin, $allowed, true)) {
|
||||
http_response_code(403);
|
||||
echo json_encode(['error' => 'Origin not allowed']);
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
// ── HMAC secret ───────────────────────────────────────────────────────────────
|
||||
// Auto-generated on first run, stored outside webroot in data/secret.key
|
||||
function get_hmac_secret(): string {
|
||||
$secretFile = __DIR__ . '/../data/secret.key';
|
||||
if (file_exists($secretFile)) {
|
||||
return trim(file_get_contents($secretFile));
|
||||
}
|
||||
$secret = bin2hex(random_bytes(32));
|
||||
$dir = dirname($secretFile);
|
||||
if (!is_dir($dir)) mkdir($dir, 0750, true);
|
||||
file_put_contents($secretFile, $secret, LOCK_EX);
|
||||
chmod($secretFile, 0600);
|
||||
return $secret;
|
||||
}
|
||||
|
||||
// ── Rate limiting ─────────────────────────────────────────────────────────────
|
||||
// Returns false when limit exceeded, true otherwise
|
||||
function check_rate_limit(string $action, int $limit, int $window_seconds): bool {
|
||||
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
|
||||
$rateDir = __DIR__ . '/../data/rate/';
|
||||
if (!is_dir($rateDir)) @mkdir($rateDir, 0755, true);
|
||||
$rateFile = $rateDir . $action . '_' . md5($ip) . '.json';
|
||||
$now = time();
|
||||
$times = [];
|
||||
if (file_exists($rateFile)) {
|
||||
$times = json_decode(file_get_contents($rateFile), true) ?: [];
|
||||
$times = array_values(array_filter($times, fn($t) => $t > $now - $window_seconds));
|
||||
}
|
||||
if (count($times) >= $limit) return false;
|
||||
$times[] = $now;
|
||||
file_put_contents($rateFile, json_encode($times), LOCK_EX);
|
||||
return true;
|
||||
}
|
||||
|
||||
// ── Atomic JSON read/write ────────────────────────────────────────────────────
|
||||
// Returns [file_handle, data_array] — caller must call write_json_locked() to finish
|
||||
function read_json_locked(string $file): array {
|
||||
$dir = dirname($file);
|
||||
if (!is_dir($dir)) mkdir($dir, 0750, true);
|
||||
$fp = fopen($file, 'c+');
|
||||
flock($fp, LOCK_EX);
|
||||
$size = filesize($file);
|
||||
$data = ($size > 0) ? (json_decode(fread($fp, $size), true) ?: []) : [];
|
||||
return [$fp, $data];
|
||||
}
|
||||
|
||||
function write_json_locked($fp, array $data): void {
|
||||
ftruncate($fp, 0);
|
||||
rewind($fp);
|
||||
fwrite($fp, json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT));
|
||||
flock($fp, LOCK_UN);
|
||||
fclose($fp);
|
||||
}
|
||||
Reference in New Issue
Block a user