@antoniojps
Last active April 9, 2017 14:50
/*
HTTPS on the domain
Rate limiting
PDO Prepared statements
# Hash sensitive data
# Check the ORIGIN header
Check the REFERER header
If the Origin header is not present, verify the hostname in the
Referer header matches the site's origin.
Checking the HTTP_REFERER is also quite simple in PHP with $_SERVER['HTTP_REFERER'].
# Generate CSRF tokens (Cross-site request forgery)
Validate user input.
Never trust user input
*/
// Password Hash
// Hashing (PASSWORD_DEFAULT is currently bcrypt; the returned string embeds algorithm, cost and salt):
$hashedPassword = password_hash($userInput, PASSWORD_DEFAULT);
// Verification (true when $userInput matches the stored hash, false otherwise):
password_verify($userInput, $hashedPassword);
// #. Check the ORIGIN header
header('Content-Type: application/json');
if (isset($_SERVER['HTTP_ORIGIN'])) {
    // Build this site's origin with the scheme actually in use; a hard-coded
    // 'http://' would reject every request on an HTTPS site.
    $scheme  = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://';
    $address = $scheme . $_SERVER['SERVER_NAME'];
    // Compare the whole origin string. A strpos() prefix test accepts an
    // Origin such as 'http://example' against 'http://example.com'.
    if ($_SERVER['HTTP_ORIGIN'] !== $address) {
        exit(json_encode([
            'error' => 'Invalid Origin header: ' . $_SERVER['HTTP_ORIGIN']
        ]));
    }
} else {
    exit(json_encode(['error' => 'No Origin header']));
}
// #. Generate CSRF tokens (Cross-site request forgery)
// GENERATE TOKEN
session_start();
if (empty($_SESSION['csrf_token'])) {
    // 32 random bytes from the CSPRNG, hex-encoded; one token per session
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
// Add the meta tag to the views
<meta name="csrf-token" content="<?= $_SESSION['csrf_token'] ?>">
// Setup jQuery ajax calls to include this token :
$.ajaxSetup({
    headers : {
        'CsrfToken': $('meta[name="csrf-token"]').attr('content')
    }
});
// Server-side check your AJAX requests :
session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
header('Content-Type: application/json');
// The 'CsrfToken' request header is exposed by every SAPI as
// $_SERVER['HTTP_CSRFTOKEN']; apache_request_headers() only exists under Apache.
if (isset($_SERVER['HTTP_CSRFTOKEN'])) {
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading bytes of the submitted token were correct.
    if (!hash_equals($_SESSION['csrf_token'], $_SERVER['HTTP_CSRFTOKEN'])) {
        exit(json_encode(['error' => 'Wrong CSRF token.']));
    }
} else {
    exit(json_encode(['error' => 'No CSRF token.']));
}
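Added here as an example, not code from antoniojps' gist: a PHP implementation of the "Origin, else Referer hostname" rule from the notes at the top, combined with the constant-time token check, run over constructed sample requests. The helper names (`url_host_port`, `request_source_is_trusted`, `csrf_token_is_valid`) and the host `example.com` are my own assumptions; `$allowedHost` must include the port when the site runs on a non-default one.

```php
<?php
// Added example, not code from the gist. Helper names are my own.
// Lower-cased "host" or "host:port" of a URL, or null when there is no usable
// host (an Origin of "null", a relative Referer, garbage).
function url_host_port(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $hostPort = strtolower($parts['host']);
    if (isset($parts['port'])) {
        $hostPort .= ':' . $parts['port'];
    }
    return $hostPort;
}
// Origin header first; if absent, the Referer hostname must match the site.
// With neither header the source cannot be proven, so fail closed.
function request_source_is_trusted(array $server, string $allowedHost): bool
{
    $allowedHost = strtolower($allowedHost);
    if (isset($server['HTTP_ORIGIN'])) {
        return url_host_port($server['HTTP_ORIGIN']) === $allowedHost;
    }
    if (isset($server['HTTP_REFERER'])) {
        return url_host_port($server['HTTP_REFERER']) === $allowedHost;
    }
    return false;
}
// The jQuery snippet sends the token in a 'CsrfToken' header, which PHP
// exposes as $_SERVER['HTTP_CSRFTOKEN']; compare it in constant time.
function csrf_token_is_valid(array $server, array $session): bool
{
    if (empty($session['csrf_token']) || empty($server['HTTP_CSRFTOKEN'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $server['HTTP_CSRFTOKEN']);
}
// Constructed sample requests (not captured traffic) showing each decision.
$session = ['csrf_token' => bin2hex(random_bytes(32))];
$requests = [
    'same origin, good token' => ['HTTP_ORIGIN' => 'https://example.com', 'HTTP_CSRFTOKEN' => $session['csrf_token']],
    'lookalike origin'        => ['HTTP_ORIGIN' => 'https://example.com.other.test', 'HTTP_CSRFTOKEN' => $session['csrf_token']],
    'referer only'            => ['HTTP_REFERER' => 'https://example.com/account', 'HTTP_CSRFTOKEN' => $session['csrf_token']],
    'no source headers'       => ['HTTP_CSRFTOKEN' => $session['csrf_token']],
    'stale token'             => ['HTTP_ORIGIN' => 'https://example.com', 'HTTP_CSRFTOKEN' => 'deadbeef'],
];
foreach ($requests as $name => $req) {
    $ok = request_source_is_trusted($req, 'example.com') && csrf_token_is_valid($req, $session);
    echo str_pad($name, 24), ' => ', $ok ? 'accept' : 'reject', PHP_EOL;
}
```

Only the first and third requests are accepted; the lookalike host, the headerless request and the wrong token are all rejected.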