    security: fix CORS, input sanitization, invite auth, and move secrets to env · 03447d76
    Mahmoud Aglan authored
    - Replace wildcard CORS (Access-Control-Allow-Origin: *) with domain whitelist
      across all 37 API files via shared includes/cors.php
    - friends.php: sanitize PostgREST filter inputs (strip special chars from search)
    - friends.php: validate UUID format for profile ID lookups
    - friends.php: verify user is invite target before accept/decline (domino, ludo, chess)
    - config/constants.php: read secrets from .env file or env vars (no more hardcoded keys)
    - Add .env to .gitignore
    
    Fixes WTF #5-6, #9-11
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Name
.claude
ChessPieces
Connections and docs
Logo El3ab
admin
api
app icons
config
docs
includes
ludo-playtest
promo
public
screenshots
test-screenshots
.gitignore
.htaccess
ARCHITECTURE.md
ASSET_REGISTRY.json
ASSET_REGISTRY.md
BUILD_ORDER.md
DATABASE_REFERENCE.md
DESIGN.md
Dockerfile
MULTIPLAYER_RULES.md
PLAN.md
ROADMAP.md
Stockfishbotsapi.txt
WTF.md
backgammon-test.mjs
bell.png
captain-definition
chess-sync-test.mjs
index.php
logof.png
manifest.json
package-lock.json
package.json
privacy-policy.php
qr-code.png
terms.php
test-tournament-swiss.mjs
test-tournament-ui.mjs