security: fix CORS, input sanitization, invite auth, and move secrets to env
- Replace wildcard CORS (Access-Control-Allow-Origin: *) with domain whitelist
  across all 37 API files via shared includes/cors.php
- friends.php: sanitize PostgREST filter inputs (strip special chars from search)
- friends.php: validate UUID format for profile ID lookups
- friends.php: verify user is invite target before accept/decline (domino, ludo, chess)
- config/constants.php: read secrets from .env file or env vars (no more hardcoded keys)
- Add .env to .gitignore
Fixes WTF #5-6, #9-11
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
includes/cors.php
0 → 100644
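
A minimal origin allowlist of the kind the first bullet of the commit message describes, as an added example rather than the commit's own includes/cors.php, whose contents are not shown on this page. The listed origins, the allowed methods and headers, and the function names `cors_headers` and `cors_apply` are assumptions.

```php
<?php
declare(strict_types=1);

// Added example with hypothetical names; not the project's includes/cors.php.
// Constructed sample origins: replace with the deployment's real front-end origins.
const CORS_ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

/**
 * Build the CORS response headers for a request's Origin value.
 * A missing or unlisted origin gets only "Vary: Origin", so the browser
 * refuses to expose the response to the calling page.
 */
function cors_headers(?string $origin, array $allowed = CORS_ALLOWED_ORIGINS): array
{
    // Vary on Origin so a shared cache never replays one origin's headers to another.
    $headers = ['Vary' => 'Origin'];

    // Exact, strict string comparison against the list. Substring, suffix or
    // loose regex checks also match look-alike hosts and defeat the allowlist.
    if ($origin === null || !in_array($origin, $allowed, true)) {
        return $headers;
    }

    // Echo back the single matched origin instead of "*".
    $headers['Access-Control-Allow-Origin'] = $origin;
    $headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    $headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    return $headers;
}

/** Emit the headers and answer preflight requests; call before any output in each API file. */
function cors_apply(): void
{
    foreach (cors_headers($_SERVER['HTTP_ORIGIN'] ?? null) as $name => $value) {
        header("$name: $value");
    }
    // A preflight needs no body: stop before the endpoint logic runs.
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
        http_response_code(204);
        exit;
    }
}
```

CORS only controls which pages a browser lets read the response, so the endpoints still need their own authentication and authorization checks.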