Security: Add HMAC validation for short URLs + improve privacy documentation

- Implement HMAC-SHA256 signatures on short URLs to detect server-side tampering
- Add client-side signature verification with hostname-derived secret
- New API endpoint: /api/check-short.php for integrity verification
- Update verify.php with privacy notice (addresses not stored)
- Update README to clarify minimal backend requirement (short URLs, rate caching, proof storage)
- Add toast warning when signature mismatch detected
- Support both old and new format in s.php for backward compatibility
- Update all i18n translations (EN, DE, FR, IT, ES, PT, RU)

Addresses security concern: Server compromise could previously result in address
substitution for short-linked invoices. Now client-side verification detects tampering.
Alexander Schmidt
2026-03-26 06:52:20 +01:00
parent c1bd97948c
commit 7e325abf7d
7 changed files with 167 additions and 19 deletions


@@ -3,6 +3,10 @@
* TX Proof Storage API
* POST: Store verified payment proof for an invoice
* GET: Retrieve payment status for an invoice
*
* Privacy note: Only stores TX hash, amount, and confirmations.
* Payee address is NOT stored — verification happens client-side only.
* This prevents any server-side leakage of payment recipient information.
*/
header('Content-Type: application/json');
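
Review bot: The added privacy note says "verification happens client-side only", which conflicts with the existing line "POST: Store verified payment proof" in the same docblock, because a reader cannot tell who verified the proof before it is stored. If the server only records a TX hash, amount and confirmations that the client reports, say so explicitly and state whether the endpoint re-checks any of those fields or trusts them as submitted. The last sentence, "This prevents any server-side leakage of payment recipient information", is also an absolute claim that the docblock alone cannot back up. Consider narrowing it to what the code guarantees, for example that the payee address is never received or persisted by this endpoint, and note that the stored TX hash is still an identifier kept server-side.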