
ivan-sincek / secure-website


Secure website with a registration, sign in, session management, and CRUD controls.

License: MIT License

PHP 85.61% CSS 13.62% JavaScript 0.77%
php website registration sign-in session-management crud-controls php-data-object css-flexbox apache hardening ssl-certificate tls-certificate ethical-hacking security offensive-security defensive-security penetration-testing red-team-engagement


Secure Website

Secure website with a registration, sign in, session management, and CRUD controls. No framework was used.

Used PHP Data Objects (PDO) for securely accessing a database in PHP (MySQL database included).

Used CSS Flexbox for the responsive design.

All the scripts are successfully validated with Markup Validation Service.

Built with security in mind. The following attacks are prevented in the code:

And, many more attacks are prevented through hardening.

Tested on XAMPP for Windows v7.4.3 (64-bit) with Chrome v104.0.5112.102 (64-bit) and Firefox v104.0 (64-bit).

Made for educational purposes. I hope it will help!

How to Run

Import \db\secure_website.sql to your database server.

Copy all the content from \src\ to your server's web root directory (e.g. to \xampp\htdocs\ on XAMPP).

Change the database settings inside \src\php\config.ini as necessary.

Check the sign in credentials here.

Navigate to the website with your preferred web browser.


On web servers other than XAMPP (Apache) you might need to load the Multibyte String library in PHP.

In XAMPP it is as simple as uncommenting extension=mbstring in php.ini.

Apache Hardening

From your Apache directory, open \conf\httpd.conf:

Disable the HTTP TRACE method. Navigate to the Supplemental configuration section and add the new configuration TraceEnable Off.

Prevent directory listing. Navigate to the DocumentRoot section and remove Indexes from Options Indexes FollowSymLinks Includes ExecCGI.

Prevent clickjacking attacks. Navigate to the Supplemental configuration section and add the new configuration Header always set X-Frame-Options "DENY".

Set a Content Security Policy (CSP). The following configuration will only allow resources to be loaded from your own domain. Navigate to the Supplemental configuration section and add the new configuration Header always set Content-Security-Policy "default-src 'self'". Search the Internet for more Content Security Policy options. Check the CSP validator here.

Block MIME sniffing. Navigate to the Supplemental configuration section and add the new configuration Header always set X-Content-Type-Options "nosniff".

Enforce the cross-site scripting (XSS) filter. Navigate to the Supplemental configuration section and add the new configuration Header always set X-XSS-Protection "1; mode=block".

Prevent cross-site request forgery. The following configuration will not allow requests from other websites (i.e. cross-site requests). Navigate to the Supplemental configuration section and add the new configuration Header always set Access-Control-Allow-Origin "https://securewebsite.com", where https://securewebsite.com is your own domain name.

Set rate limiting. This is more of a denial-of-service (DoS) protection. Comment out the mod_ratelimit.so extension, and add the following code to the end of the file (the value is a speed in KiB/s, not a number of requests; this will also affect the page load speed):

<Location />
	SetOutputFilter RATE_LIMIT
	SetEnv rate-limit 1024
</Location>

From your Apache directory, open \conf\extra\httpd-autoindex.conf:

Prevent '/icons/' directory listing. Comment out Alias /icons/ "C:/xampp/apache/icons/".


From your Apache directory, open \conf\extra\httpd-default.conf:

Prevent version disclosure. Set ServerTokens to Prod and ServerSignature to Off.

Mitigate Slowloris and other DoS attacks. Lower Timeout to 60.


From your Apache directory, open \conf\extra\httpd-info.conf:

Disable the '/server-status' page. Comment out the entire <Location /server-status> element.
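To verify the header-related steps above (and the expose_php step from the PHP Hardening section below) against a running server, here is an added Python audit that is not part of the secure-website project: it parses a raw HTTP response and reports every hardening step the response fails. The function names, the two sample responses and https://securewebsite.com as the allowed origin are assumptions made for this example.

```python
ALLOWED_ORIGIN = "https://securewebsite.com"  # replace with your own domain name

# Response headers the hardening steps above add, keyed by lower-cased name.
EXPECTED_HEADERS = {
    "x-frame-options": "DENY",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "access-control-allow-origin": ALLOWED_ORIGIN,
}

def parse_headers(raw):
    """Map lower-cased header names to values from the head of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_response(raw):
    """Return one finding per hardening step the response fails (empty = all pass)."""
    h = parse_headers(raw)
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(f"missing header: {name}")
        elif h[name] != expected:
            findings.append(f"unexpected {name}: {h[name]!r}")
    # ServerTokens Prod leaves only the product name: no '/' and no version digits.
    server = h.get("server", "")
    if "/" in server or any(c.isdigit() for c in server):
        findings.append(f"version disclosure in Server: {server!r}")
    # expose_php Off removes the X-Powered-By header entirely.
    if "x-powered-by" in h:
        findings.append(f"version disclosure in X-Powered-By: {h['x-powered-by']!r}")
    return findings

# Constructed sample responses: a default XAMPP-style reply and the hardened target.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4 (Win64) PHP/7.4.3\r\n"
    "X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n<html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\nX-Content-Type-Options: nosniff\r\n"
    f"X-XSS-Protection: 1; mode=block\r\nAccess-Control-Allow-Origin: {ALLOWED_ORIGIN}\r\n"
    "Content-Type: text/html\r\n\r\n<html>"
)
```

Run audit_response on the raw headers your HTTP client prints for your own server; an empty list means every header-related step above took effect.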

PHP Hardening

From your PHP directory, open php.ini:

Prevent version disclosure. Set expose_php to Off.

Prevent information disclosure through displayed errors. Set both display_errors and display_startup_errors to Off.

Set the correct server's timezone. Set both instances of date.timezone to your timezone. Search the Internet for a list of supported timezones in PHP.

Set the session cookie's name. Set session.name to your own desired value. In addition to this website, it is also set here.

Set the session cookie's lifetime. Set session.cookie_lifetime to your own desired value. In addition to this website, it is also set here.

Set the session cookie's HttpOnly flag. The following configuration will not allow client side scripts to access the session cookie. Set session.cookie_httponly to 1. In addition to this website, it is also set here.

Use strict session mode. Set session.use_strict_mode to 1.

Disable file uploads. Do the following only if your website does not utilize file uploads. Set file_uploads to Off.

Prevent remote file inclusion. Set allow_url_fopen to Off.

Disable dangerous PHP functions. Set disable_functions to eval,exec,shell_exec,curl_exec,passthru,system,proc_open,popen (the directive takes a comma-delimited list). Search the Internet for additional dangerous PHP functions.
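An added Python check (not the project's own code) that audits a php.ini against the steps above: it parses the file, folds PHP's On/Off spellings to one form, and reports directives that are missing or wrong, including any of the listed functions absent from disable_functions. The function names and the two php.ini fragments are constructed for this example.

```python
# Directives from the php.ini hardening steps above and the value each must have.
REQUIRED = {
    "expose_php": "off",
    "display_errors": "off",
    "display_startup_errors": "off",
    "session.cookie_httponly": "on",
    "session.use_strict_mode": "on",
    "allow_url_fopen": "off",
}
# disable_functions takes a comma-delimited list of function names. eval is a
# language construct, not a function, so listing it there has no effect.
REQUIRED_DISABLED = {"exec", "shell_exec", "curl_exec", "passthru", "system", "proc_open", "popen"}

def parse_ini(text):
    """Parse 'key = value' lines of a php.ini; ';' starts a comment, [sections] are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings

def as_switch(value):
    """Fold PHP's boolean spellings (On/Off, 1/0, True/False, empty) to 'on' or 'off'."""
    return "on" if value.strip().lower() in ("1", "on", "true", "yes") else "off"

def audit_php_ini(text):
    """Return one finding per hardening step the php.ini fails (empty = all pass)."""
    s = parse_ini(text)
    findings = []
    for key, want in REQUIRED.items():
        if key not in s:
            findings.append(f"{key} is not set (want {want})")
        elif as_switch(s[key]) != want:
            findings.append(f"{key} = {s[key]!r} (want {want})")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    for fn in sorted(REQUIRED_DISABLED - disabled):
        findings.append(f"{fn} missing from disable_functions")
    return findings

# Constructed php.ini fragments: a default-style file and one hardened per the steps above.
WEAK_INI = "[PHP]\nexpose_php = On\ndisplay_errors = On\ndisable_functions =\n"
HARDENED_INI = (
    "[PHP]\nexpose_php = Off\ndisplay_errors = Off  ; trailing comment is ignored\n"
    "display_startup_errors = Off\nsession.cookie_httponly = 1\nsession.use_strict_mode = 1\n"
    "allow_url_fopen = Off\n"
    "disable_functions = eval,exec,shell_exec,curl_exec,passthru,system,proc_open,popen\n"
)
```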

SSL/TLS Certificate

Find out how to create an SSL/TLS certificate here.

Images

Figure 1 - Home Page

Figure 2 - Registration

Figure 3 - Users Table

Figure 4 - Responsive Design
