    security: fix CORS, input sanitization, invite auth, and move secrets to env · 03447d76
    Mahmoud Aglan authored
    - Replace wildcard CORS (Access-Control-Allow-Origin: *) with domain whitelist
      across all 37 API files via shared includes/cors.php
    - friends.php: sanitize PostgREST filter inputs (strip special chars from search)
    - friends.php: validate UUID format for profile ID lookups
    - friends.php: verify user is invite target before accept/decline (domino, ludo, chess)
    - config/constants.php: read secrets from .env file or env vars (no more hardcoded keys)
    - Add .env to .gitignore
    
    Fixes WTF #5-6, #9-11
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Name
achievements.php
activity.php
ads.php
analysis.php
auth.php
avatar.php
backgammon-match.php
battlepass.php
bots.php
branding.php
challenges.php
chat.php
config.php
daily-reward.php
domino-match.php
domino.php
friends.php
game.php
groups.php
leaderboard.php
ludo-match.php
ludo.php
match-cleanup.php
match-history.php
matchmaking.php
multiplayer.php
notifications.php
org-apply.php
orgs.php
profile.php
puzzles.php
ratings.php
shop.php
swiss.php
theme.php
tournament-match.php
tournaments.php