2c3a8a0584
API / Security: - Add api/_helpers.php: shared send_security_headers(), verify_origin(), get_hmac_secret(), check_rate_limit(), read_json_locked(), write_json_locked() - shorten.php: remove Access-Control-Allow-Origin:*, restrict to same-origin, rate-limit 20 req/h per IP, atomic JSON read+lock, HMAC secret from file - verify.php: rate-limit GET (30/min) and POST (10/h) per IP, atomic lock, prevent overwriting existing proofs, origin check on POST - node.php: fix rate limit from 1000 to 60 req/min, add security headers, origin check - check-short.php: add security headers, re-derive signature server-side - s.php: use file-based HMAC secret via get_hmac_secret(), hash_equals() for timing-safe comparison Service Worker: - sw.js: navigation requests (mode=navigate) never served from cache; network-first with offline fallback to prevent stale invoice state Documentation (honest claims): - README: tagline "No backend" -> "No tracking"; new Architecture table listing exactly what server sees for each feature; Security Model section - index.html: meta description and footer updated from "No Backend" to "Minimal Backend" - i18n.js footer: already updated in previous commit
1.4 KiB
1.4 KiB