- C1: Hash refresh tokens before DB storage (sha256) - C2: Remove JWT_SECRET fallback, fail hard if missing - H1: Enforce HTTP methods per route (405 on mismatch) - H2: CORS with origin whitelist from CORS_ORIGIN env var - H3: Redact sensitive fields (tokens, passwords) from logs - M1: Build HmacMiddleware with replay attack prevention - M2: Fix rate limiter race condition with flock LOCK_EX - M3: Guard dd() — suppressed in production - M4: Remove .env from git tracking, strengthen .gitignore - I1: Add HSTS header (max-age=31536000)
<?php
/**
* Global Helper Functions
*/
if (!function_exists('env')) {
    /**
     * Read a configuration value from the $_ENV superglobal.
     *
     * Only $_ENV is consulted (not getenv()), so a key is visible here only if the
     * SAPI populates $_ENV (variables_order containing "E") or a dotenv loader
     * writes into it — NOTE(review): confirm which of the two this project relies on.
     *
     * @param string $key     Environment variable name.
     * @param mixed  $default Returned when the key is absent or set to null.
     * @return mixed
     */
    function env(string $key, $default = null)
    {
        // Mirror the `??` semantics: both a missing key and an explicit null fall back.
        if (array_key_exists($key, $_ENV) && $_ENV[$key] !== null) {
            return $_ENV[$key];
        }

        return $default;
    }
}
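if (!function_exists('input')) {
    /**
     * Return a request parameter merged from the query string, form body and JSON body.
     *
     * Sources are merged in the order $_GET, $_POST, JSON body, so a JSON key
     * overrides a POST key of the same name, which overrides a GET key. The merge
     * is computed once per request and cached in a static local.
     *
     * NOTE(review): because all three sources share one namespace, a handler that
     * reads input('x') cannot tell whether 'x' came from the URL or the body —
     * confirm this is acceptable for state-changing routes.
     *
     * @param ?string $key     Parameter name, or null to return the whole merged array.
     * @param mixed   $default Returned when $key is absent or null in the merged data.
     * @return mixed
     */
    function input(?string $key = null, $default = null)
    {
        static $inputData = null;

        if ($inputData === null) {
            // php://input is read once here and the merged result cached for later calls.
            $raw = file_get_contents('php://input');
            $decoded = json_decode($raw === false ? '' : $raw, true);

            // A JSON body that decodes to a scalar (e.g. a bare string or number)
            // used to reach array_merge() unchanged and raise a TypeError; treat
            // anything that is not an array as "no body parameters".
            $body = is_array($decoded) ? $decoded : [];

            $inputData = array_merge($_GET, $_POST, $body);
        }

        if ($key === null) {
            return $inputData;
        }

        return $inputData[$key] ?? $default;
    }
}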
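if (!function_exists('dd')) {
    // M3 Fix: Guard dd() so it never leaks data in production
    /**
     * Dump the given values as HTML and terminate the script.
     *
     * Debug mode requires APP_DEBUG to be exactly the string 'true'; any other
     * value, including an unset variable, is treated as production (fail closed).
     * In production the dump is suppressed: the call is logged via error_log(),
     * a generic 500 JSON error is emitted and the script exits without
     * printing any of the arguments.
     *
     * @param mixed ...$vars Values to dump.
     * @return never
     */
    function dd(...$vars)
    {
        if (env('APP_DEBUG', 'false') !== 'true') {
            error_log('dd() called in production — suppressed. Check your code.');
            json_error('Internal Server Error', 500);
            // json_error() is defined elsewhere in the project. If it ever returns
            // instead of terminating, execution would fall through to the dump
            // below and expose the arguments in production, so exit unconditionally
            // rather than depend on that contract.
            exit;
        }

        header('Content-Type: text/html; charset=utf-8');
        foreach ($vars as $v) {
            echo "<pre style='background:#1e1e1e;color:#d4d4d4;padding:1rem;border-radius:4px;'>";
            var_dump($v);
            echo "</pre>";
        }
        die();
    }
}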