From 8af74f0621f79b7b09b5d617e08979dbb5405d25 Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Sun, 3 May 2026 20:51:50 +0300
Subject: [PATCH] Update: 2026-05-03 20:51:50
---
 app/bootstrap/init.php | 19 +++++++++++++++++--
 app/core/Security.php | 16 +++++++++++++---
 app/modules_app/auth/login.php | 8 +++++++-
 3 files changed, 37 insertions(+), 6 deletions(-)
diff --git a/app/bootstrap/init.php b/app/bootstrap/init.php
index 3a50d6b..5031bd5 100644
--- a/app/bootstrap/init.php
+++ b/app/bootstrap/init.php
@@ -5,12 +5,27 @@ declare(strict_types=1);
-// 1. Constants
+// 1. Error Reporting (Secure for production)
+if (env('APP_DEBUG', 'false') === 'true') {
+ error_reporting(E_ALL);
+ ini_set('display_errors', '1');
+} else {
+ error_reporting(0);
+ ini_set('display_errors', '0');
+}
+
+// 2. Security Headers
+header("X-Content-Type-Options: nosniff");
+header("X-Frame-Options: DENY");
+header("X-XSS-Protection: 1; mode=block");
+header("Referrer-Policy: strict-origin-when-cross-origin");
+
+// 3. Constants
 define('ROOT_PATH', dirname(__DIR__, 2));
 define('APP_PATH', ROOT_PATH . '/app');
 define('STORAGE_PATH', ROOT_PATH . '/storage');
-// 2. Load Environment Variables
+// 3. Environment Loader
 require_once APP_PATH . '/bootstrap/env.php';
 // 3. Common Helpers
diff --git a/app/core/Security.php b/app/core/Security.php
index a68fdf9..f8192c7 100644
--- a/app/core/Security.php
+++ b/app/core/Security.php
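Review bot: `env('APP_DEBUG', 'false')` in the new error-reporting block runs before `require_once APP_PATH . '/bootstrap/env.php'` (and before `APP_PATH` is defined), so unless `env()` is defined earlier in the file it is an undefined function at that point, and even if it exists the `.env` values are not loaded yet, so the branch always falls through to the production settings; move the block below the environment loader. In the production branch, `error_reporting(0)` also stops errors from reaching the log; prefer `error_reporting(E_ALL); ini_set('display_errors', '0'); ini_set('log_errors', '1');` so failures are still recorded without being displayed. `X-XSS-Protection: 1; mode=block` is ignored or removed by current browsers and is no substitute for a `Content-Security-Policy` header, which this block does not set. The section comments now number three sections `3.` (Constants, Environment Loader, Common Helpers) and should be renumbered.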
@@ -9,12 +9,22 @@ namespace App\Core;
 final class Security
 {
- public static function sanitize(string $data): string
+ /**
+ * Recursively sanitize input data (strings and arrays)
+ */
+ public static function sanitize($data)
 {
- return htmlspecialchars(strip_tags(trim($data)));
+ if (is_array($data)) {
+ foreach ($data as $key => $value) {
+ $data[$key] = self::sanitize($value);
+ }
+ } else if (is_string($data)) {
+ $data = htmlspecialchars(strip_tags(trim($data)), ENT_QUOTES, 'UTF-8');
+ }
+ return $data;
 }
- public static function generateRandomString(int $length = 32): string
+ public static function generateRandomString(int $length = 64): string
 {
 return bin2hex(random_bytes($length / 2));
 }
diff --git a/app/modules_app/auth/login.php b/app/modules_app/auth/login.php
index de5baa7..ed1aba5 100644
--- a/app/modules_app/auth/login.php
+++ b/app/modules_app/auth/login.php
@@ -7,7 +7,13 @@ use App\Core\Database;
 use App\Core\JWT;
 use App\Core\Validator;
-$data = input();
+use App\Middleware\RateLimitMiddleware;
+use App\Core\Security;
+
+// 0. Rate Limiting (5 attempts per minute per IP)
+RateLimitMiddleware::check(5, 60);
+
+$data = Security::sanitize(input());
 // 1. Validation
 $errors = Validator::validate($data, [
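Review bot: The new `sanitize` signature drops the `string` parameter and return types the old one declared; since it now accepts and returns strings, arrays and pass-through scalars, declare it as `public static function sanitize(mixed $data): mixed` and state in the docblock that non-string, non-array values are returned unchanged. `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` without `ENT_SUBSTITUTE` returns an empty string when the input is not valid UTF-8, which silently blanks a field instead of rejecting it; use `ENT_QUOTES | ENT_SUBSTITUTE`. The docblock should also say that this strips tags and HTML-encodes at input time, i.e. it is output escaping applied to stored data, so callers must not pass credentials or values that are later compared byte-for-byte. In `generateRandomString`, `$length / 2` is a float for odd `$length` and `random_bytes()` takes an int, so the default of 64 works but an odd argument throws under strict types or truncates otherwise; `intdiv($length, 2)` makes the intent explicit. `else if` should be `elseif` per PER-CS.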
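Review bot: `$data = Security::sanitize(input())` now runs `trim`, `strip_tags` and `htmlspecialchars` over every submitted field including the password, so if the password is verified further down (not visible in the hunk) a password containing `<`, `>`, `&`, quotes or leading/trailing spaces is altered before the check and will not match its stored hash unless registration applied the identical transform, locking out legitimate users rather than stopping anything. Keep the raw input for credentials and escape only at render time, e.g. `$data = input();` here and `htmlspecialchars()` where a value is echoed, or sanitize only the fields that are displayed. The rate limiter `RateLimitMiddleware::check(5, 60)` is keyed per IP according to the comment, so clients behind a shared NAT address share the 5-attempt budget; stating that in the comment, or also keying on the submitted account identifier, would make the trade-off explicit. The new `use App\Core\Security;` line belongs with the other `App\Core` imports in alphabetical order rather than after `App\Middleware`. The `Validator::validate(...)` call continues past the end of the hunk.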