Update: 2026-06-16 02:14:34

walletintaleq.intaleq.xyz/v2/main/loginWallet.php

@@ -36,6 +36,12 @@ header('Content-Type: application/json');
 header("Access-Control-Allow-Origin: https://wallet.sefer.live");  // Replace * with your Flutter app's origin
 header("Access-Control-Allow-Methods: POST, OPTIONS");
 header("Access-Control-Allow-Headers: Content-Type, Authorization");
+// MED FIX: إضافة Security Headers
+header('X-Content-Type-Options: nosniff');
+header('X-Frame-Options: DENY');
+header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
+header("Referrer-Policy: strict-origin-when-cross-origin");
+header("X-XSS-Protection: 1; mode=block");
 
 // Handle preflight OPTIONS requests
 if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
@@ -123,13 +129,13 @@ $hmac = hash_hmac('sha256', $id, getenv('SECRET_KEY_HMAC'));
  }
 
 } catch (InvalidArgumentException $e) {
-    // Handle input validation errors
-    http_response_code(400); // Bad Request - Client-side error
-  //  error_log("Input validation error: " . $e->getMessage());  // Log for debugging
-    echo json_encode(['error' => $e->getMessage()]);  // Specific error message
+    // HIGH-05 FIX: لا تكشف رسائل الخطأ من الاستثناءات مباشرة
+    error_log("Input validation error: " . $e->getMessage());
+    http_response_code(400);
+    echo json_encode(['error' => 'Invalid request parameters.']);
 } catch (Exception $e) {
-    // Handle other exceptions (e.g., JWT encoding errors)
-    http_response_code(500); // Internal Server Error
-  //  error_log("Server error: " . $e->getMessage()); // Log for debugging
-    echo json_encode(['error' => 'An unexpected error occurred.']); // Generic message
-}
+    // HIGH-05 FIX: لا تكشف رسائل الخطأ الداخلية
+    error_log("Server error: " . $e->getMessage());
+    http_response_code(500);
+    echo json_encode(['error' => 'An unexpected error occurred.']);
+}