Deploy: 2026-05-21 01:58:32

backend/public/index.php

@@ -20,23 +20,20 @@ $router = new Router();
 $router->use(\App\Middlewares\SecurityMiddleware::class);
 
 // 4. Define API Routes
+// Health Check — no php_version or environment in production to avoid info disclosure
 $router->get('/api/health', function ($request, $response) {
     $response->json([
-        'status' => 'success',
-        'message' => 'Nabeh API is healthy',
-        'details' => [
-            'app_name' => getenv('APP_NAME') ?: 'Nabeh',
-            'environment' => getenv('APP_ENV') ?: 'development',
-            'php_version' => PHP_VERSION,
-            'time' => date('Y-m-d H:i:s')
-        ]
+        'status'   => 'success',
+        'message'  => 'Nabeh API is healthy',
+        'app_name' => getenv('APP_NAME') ?: 'Nabeh',
+        'time'     => date('Y-m-d H:i:s')
     ]);
 });
 
-// Authentication Routes
-$router->post('/api/auth/register', [\App\Controllers\AuthController::class, 'register']);
-$router->post('/api/auth/login', [\App\Controllers\AuthController::class, 'login']);
-$router->get('/api/auth/me', [\App\Controllers\AuthController::class, 'me'], [\App\Middlewares\AuthMiddleware::class]);
+// Authentication Routes (Rate-limited: 5 attempts per 60 seconds per IP)
+$router->post('/api/auth/register', [\App\Controllers\AuthController::class, 'register'], [\App\Middlewares\RateLimitMiddleware::class]);
+$router->post('/api/auth/login',    [\App\Controllers\AuthController::class, 'login'],    [\App\Middlewares\RateLimitMiddleware::class]);
+$router->get('/api/auth/me',        [\App\Controllers\AuthController::class, 'me'],       [\App\Middlewares\AuthMiddleware::class]);
 
 
 // 4. Dispatch the request