• Mahmoud Aglan's avatar
    security: fix CORS, input sanitization, invite auth, and move secrets to env · 03447d76
    Mahmoud Aglan authored
    - Replace wildcard CORS (Access-Control-Allow-Origin: *) with domain whitelist
      across all 37 API files via shared includes/cors.php
    - friends.php: sanitize PostgREST filter inputs (strip special chars from search)
    - friends.php: validate UUID format for profile ID lookups
    - friends.php: verify user is invite target before accept/decline (domino, ludo, chess)
    - config/constants.php: read secrets from .env file or env vars (no more hardcoded keys)
    - Add .env to .gitignore
    
    Fixes WTF #5-6, #9-11
    Co-Authored-By: 's avatarClaude Opus 4.6 <noreply@anthropic.com>
    03447d76
profile.php 10.6 KB