Update: 2026-05-08 04:58:23

Hamza-Ayed
2026-05-08 04:58:23 +03:00
parent 4721ca83da
commit 6db8986fca
48 changed files with 2212 additions and 108 deletions


@@ -13,6 +13,7 @@ define('STORAGE_PATH', ROOT_PATH . '/storage');
// 2. Load Environment & Helpers FIRST
require_once APP_PATH . '/bootstrap/env.php';
require_once APP_PATH . '/helpers/helpers.php';
require_once APP_PATH . '/helpers/pagination.php';
// Load Composer Autoloader
$vendorAutoload = ROOT_PATH . '/vendor/autoload.php';
@@ -25,8 +26,7 @@ $dirs = ['/cache', '/logs', '/invoices', '/exports'];
foreach ($dirs as $d) {
$path = STORAGE_PATH . $d;
if (!is_dir($path)) {
mkdir($path, 0777, true);
chmod($path, 0777);
mkdir($path, 0755, true);
}
}
@@ -66,7 +66,27 @@ header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: SAMEORIGIN");
header("X-XSS-Protection: 1; mode=block");
header("Referrer-Policy: strict-origin-when-cross-origin");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains"); // I1 Fix: HSTS
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");
header("Permissions-Policy: camera=(), microphone=(), geolocation=()");
// CSP: Allow self + known CDNs (Tailwind, Alpine, Google Fonts)
$csp = "default-src 'self'; "
. "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://unpkg.com; "
. "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
. "font-src 'self' https://fonts.gstatic.com; "
. "img-src 'self' data:; "
. "connect-src 'self';";
header("Content-Security-Policy: $csp");
// 6. Request body size limit (2MB for JSON, file uploads handled separately)
if (isset($_SERVER['CONTENT_LENGTH']) && (int)$_SERVER['CONTENT_LENGTH'] > 2 * 1024 * 1024) {
if (empty($_FILES)) { // Don't block file uploads
http_response_code(413);
header('Content-Type: application/json');
echo json_encode(['success' => false, 'message' => 'Request body too large'], JSON_UNESCAPED_UNICODE);
exit;
}
}
// 6. PSR-4 Autoloader (PascalCase-aware for Linux compatibility)
spl_autoload_register(function ($class) {