fix(security): fix host header injection in upload_audio, email header injection, add SSL verify to MTN curl

backend/upload_audio.php

@@ -58,10 +58,9 @@ try {
         exit;
     }
 
-    // Construct the link dynamically
-    $host = $_SERVER['HTTP_HOST'] ?? 'api.siromove.com';
-    $protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? "https" : "http";
-    $linkAudio = "$protocol://$host/siro/upload_audio/" . $new_filename;
+    // Construct the link (domain from env, not from Host header)
+    $appDomain = getenv('APP_DOMAIN') ?: 'api.siromove.com';
+    $linkAudio = "https://$appDomain/siro/upload_audio/" . $new_filename;
 
     uploadLog("Audio uploaded successfully: $linkAudio", 'INFO');
     echo json_encode(array('status' => 'Audio file uploaded successfully.', 'link' => $linkAudio));