
Security hardening: CSRF protection, secure sessions, and defense-in-depth headers #26

Draft
Copilot wants to merge 4 commits into master from copilot/check-security-vulnerabilities

Conversation


Copilot AI commented Feb 3, 2026

Security audit identified missing CSRF protection, insecure session configuration, and information leakage through error messages.

Changes

CSRF Protection

  • Added token generation endpoint (csrf_token.php) using cryptographically secure random_bytes()
  • Token validation in AjaxForm.php with timing-safe hash_equals() comparison
  • Client-side token fetch and submission in AjaxForm.js
// CSRF validation before processing (AjaxForm.php).
// Reject when the client sent no token, the session holds none, or the two differ;
// hash_equals() compares in constant time, so the comparison leaks no timing.
// respond() is assumed to terminate the request after sending the error.
if (!isset($_POST['csrf_token']) || !isset($_SESSION['csrf_token']) ||
    !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    respond(false, RESPONSES['csrf_error']);
}

Session Security

  • Configured secure cookie attributes: httponly, secure, samesite=Strict
  • Session ID regeneration on initialization to prevent fixation attacks
  • Cookie domain properly excludes port numbers

Information Disclosure

  • Generic error messages returned to clients
  • Detailed errors logged via error_log() for admin debugging
  • Applies to SMTP failures and reCAPTCHA verification errors

Defense-in-Depth Headers

  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • X-XSS-Protection: 1; mode=block
  • Referrer-Policy: strict-origin-when-cross-origin
  • Subresource Integrity hashes on external CDN resources
  • Apache .htaccess rules for server-level enforcement

Documentation

  • SECURITY.md documents vulnerabilities, fixes, and deployment recommendations
Original prompt

Check the security vulnerabilities in this repository
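The controls the PR description lists, pulled together into one hardened PHP endpoint as an added example. This is not the project's AjaxForm.php or csrf_token.php and not Copilot's code; respond(), sendContactMail(), the RESPONSES keys and the SMTP host in the constructed failure are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Names below are illustrative assumptions.
const RESPONSES = [
    'csrf_error' => 'Invalid or missing form token. Please reload the page and try again.',
    'send_error' => 'Your message could not be sent. Please try again later.',
];

/** Emit a JSON reply and stop; every early exit must go through here. */
function respond(bool $ok, string $message): never
{
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(['success' => $ok, 'message' => $message]);
    exit;
}

/** Defense-in-depth headers from the PR, sent before any body output. */
function sendSecurityHeaders(): void
{
    header('X-Frame-Options: DENY');
    header('X-Content-Type-Options: nosniff');
    header('X-XSS-Protection: 1; mode=block');   // legacy header; current browsers ignore it
    header('Referrer-Policy: strict-origin-when-cross-origin');
}

/** Secure cookie attributes plus one-time id regeneration against fixation. */
function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',        // empty = current host; never derive this from HTTP_HOST, which may carry ":port"
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',  // not sent on any cross-site request
    ]);
    session_start();
    // Discard whatever id the client brought in, once per session.
    if (empty($_SESSION['regenerated'])) {
        session_regenerate_id(true);
        $_SESSION['regenerated'] = true;
    }
}

/** Token generation: 256 bits from the CSPRNG, created once per session. */
function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Token validation: timing-safe, and type-safe against csrf_token[]=x (arrays make hash_equals() throw on PHP 8). */
function verifyCsrfToken(mixed $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    return is_string($expected) && is_string($submitted) && hash_equals($expected, $submitted);
}

/** Stand-in for the real SMTP send; fails the way a misconfigured mailer would (constructed failure). */
function sendContactMail(array $fields): void
{
    throw new RuntimeException('SMTP connect() failed: smtp.example.test:587');
}

sendSecurityHeaders();
startSecureSession();

// GET: play the role of csrf_token.php and hand the token to AjaxForm.js.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(['token' => issueCsrfToken()]);
    exit;
}

// POST: validate the token before touching any other field.
if (!verifyCsrfToken($_POST['csrf_token'] ?? null)) {
    respond(false, RESPONSES['csrf_error']);
}

try {
    sendContactMail($_POST);
} catch (Throwable $e) {
    // Information disclosure: detail goes to the server log, the client gets a generic message.
    error_log('Contact form error: ' . $e->getMessage());
    respond(false, RESPONSES['send_error']);
}
```

Two points a reviewer would raise when applying this to the PR. SameSite=Strict already stops browsers from attaching the session cookie to cross-site POSTs, so the token is the second layer for clients that do not honour SameSite, which is why both are worth keeping. X-XSS-Protection is deprecated and no longer acted on by current browsers; a Content-Security-Policy header is the control that actually covers that ground today, and the SRI hashes the PR adds to CDN resources pair naturally with it.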



Copilot AI and others added 3 commits February 3, 2026 21:26
… headers, and information disclosure fixes

Co-authored-by: raspgot <16710364+raspgot@users.noreply.github.com>
…nction

Co-authored-by: raspgot <16710364+raspgot@users.noreply.github.com>
Co-authored-by: raspgot <16710364+raspgot@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Check for security vulnerabilities in repository" to "Security hardening: CSRF protection, secure sessions, and defense-in-depth headers" on Feb 3, 2026
Copilot AI requested a review from raspgot February 3, 2026 21:33
