Security hardening: CSRF protection, secure sessions, and defense-in-depth headers

.htaccess

@@ -0,0 +1,36 @@
+# Security headers for Apache
+# Add these security headers to all responses
+
+<IfModule mod_headers.c>
+    # Prevent MIME type sniffing
+    Header always set X-Content-Type-Options "nosniff"
+
+    # Prevent clickjacking attacks
+    Header always set X-Frame-Options "DENY"
+
+    # Enable XSS filter
+    Header always set X-XSS-Protection "1; mode=block"
+
+    # Control referrer information
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
+    # Remove server signature
+    Header always unset X-Powered-By
+    Header unset X-Powered-By
+</IfModule>
+
+# Disable directory browsing
+Options -Indexes
+
+# Prevent access to hidden files and directories
+<FilesMatch "^\.">
+    Require all denied
+</FilesMatch>
+
+# Disable server signature
+ServerSignature Off
+
+# Protect configuration files
+<FilesMatch "^(composer\.json|composer\.lock|package\.json|package-lock\.json|\.env)$">
+    Require all denied
+</FilesMatch>

AjaxForm.js

@@ -34,6 +34,18 @@ document.addEventListener('DOMContentLoaded', () => {
     const alertContainer = document.getElementById('alert-status');
 
     let isSubmitting = false; // Prevent duplicate submissions
+    let csrfToken = null; // Will be fetched on page load
+
+    // Fetch CSRF token on page load
+    (async () => {
+        try {
+            const response = await fetch('csrf_token.php');
+            const data = await response.json();
+            csrfToken = data.csrf_token;
+        } catch (error) {
+            console.error('Failed to fetch CSRF token:', error);
+        }
+    })();
 
     // 2. Setup live validation (show green/red feedback as user types)
     form.querySelectorAll('input, select, textarea').forEach((field) => {
@@ -115,8 +127,14 @@ document.addEventListener('DOMContentLoaded', () => {
                 }
             });
 
-            // Add token to form data
+            // Add reCAPTCHA token to form data
             formData.append('recaptcha_token', recaptchaToken);
+
+            // Add CSRF token to form data for security
+            if (!csrfToken) {
+                throw new Error('⚠️ Security token not available. Please refresh the page.');
+            }
+            formData.append('csrf_token', csrfToken);
 
             // Step 3: Send form data to backend
             const response = await fetch(backendURL, {

AjaxForm.php

@@ -12,11 +12,37 @@
 
 declare(strict_types=1);
 
-// Start session (required for rate limiting)
+// Start session (required for rate limiting) with secure cookie settings
 if (session_status() === PHP_SESSION_NONE) {
+    // Configure secure session parameters
+    // Extract hostname without port for cookie domain
+    $host = $_SERVER['HTTP_HOST'] ?? '';
+    $cookieDomain = preg_replace('/:\d+$/', '', $host); // Remove port if present
+
+    $sessionCookieParams = [
+        'lifetime' => 0,                    // Session cookie (expires on browser close)
+        'path'     => '/',
+        'domain'   => $cookieDomain,
+        'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',  // HTTPS only
+        'httponly' => true,                 // Prevent JavaScript access
+        'samesite' => 'Strict'              // CSRF protection
+    ];
+    session_set_cookie_params($sessionCookieParams);
     session_start();
+
+    // Regenerate session ID to prevent session fixation attacks
+    if (!isset($_SESSION['initiated'])) {
+        session_regenerate_id(true);
+        $_SESSION['initiated'] = true;
+    }
 }
 
+// Security headers
+header('X-Content-Type-Options: nosniff');
+header('X-Frame-Options: DENY');
+header('X-XSS-Protection: 1; mode=block');
+header('Referrer-Policy: strict-origin-when-cross-origin');
+
 // Always return responses as JSON
 header('Content-Type: application/json');
 
@@ -62,6 +88,7 @@
     'constant_error'   => '⚠️ Missing configuration constants.',
     'honeypot_error'   => '🚫 Spam detected.',
     'limit_rate_error' => '🚫 Too many messages sent. Please try again later.',
+    'csrf_error'       => '⚠️ Invalid security token. Please refresh the page.',
 ];
 
 // ============================================================================
@@ -81,6 +108,12 @@
     respond(false, RESPONSES['method_error']);
 }
 
+// Verify CSRF token to prevent cross-site request forgery
+if (!isset($_POST['csrf_token']) || !isset($_SESSION['csrf_token']) || 
+    !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
+    respond(false, RESPONSES['csrf_error']);
+}
+
 // Block suspicious User-Agents (bots, scrapers, command-line tools)
 $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
 if ($userAgent === '' || preg_match('/\b(curl|wget|bot|crawler|spider)\b/i', $userAgent)) {
@@ -165,7 +198,10 @@
 
 } catch (Exception $e) {
     // Email sending failed (SMTP error, network issue, etc.)
-    respond(false, '❌ Mail error: ' . $e->getMessage(), 'email');
+    // Log the detailed error for administrators
+    error_log('Contact form mail error: ' . $e->getMessage());
+    // Return generic error to users to avoid information disclosure
+    respond(false, '❌ Unable to send email. Please try again later.', 'email');
 }
 
 // ============================================================================
@@ -220,37 +256,43 @@ function validateRecaptcha(string $token): void
 
     // Check 1: cURL request succeeded
     if ($response === false) {
-        respond(false, '❌ reCAPTCHA request failed: ' . ($curlError ?: 'Unknown cURL error.'));
+        error_log('reCAPTCHA cURL error: ' . ($curlError ?: 'Unknown error'));
+        respond(false, '❌ Unable to verify reCAPTCHA. Please try again.');
     }
 
     // Check 2: Google returned HTTP 200
     if ($httpCode !== 200) {
-        respond(false, '❌ reCAPTCHA HTTP error: ' . $httpCode);
+        error_log('reCAPTCHA HTTP error: ' . $httpCode);
+        respond(false, '❌ Unable to verify reCAPTCHA. Please try again.');
     }
 
     $data = json_decode($response, true);
 
     // Check 3: Valid JSON response
     if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
-        respond(false, '❌ Invalid JSON response from reCAPTCHA.');
+        error_log('reCAPTCHA invalid JSON response');
+        respond(false, '❌ Unable to verify reCAPTCHA. Please try again.');
     }
 
     // Check 4: Google says token is valid
     if (empty($data['success'])) {
         $errors = isset($data['error-codes']) ? implode(', ', $data['error-codes']) : 'Unknown error.';
-        respond(false, '❌ reCAPTCHA verification failed: ' . $errors);
+        error_log('reCAPTCHA verification failed: ' . $errors);
+        respond(false, '❌ reCAPTCHA verification failed. Please try again.');
     }
 
     // Check 5: Action matches (prevents token reuse across different forms)
     $expectedAction = 'submit';
     if (($data['action'] ?? '') !== $expectedAction) {
-        respond(false, '❌ reCAPTCHA action mismatch.');
+        error_log('reCAPTCHA action mismatch: expected ' . $expectedAction . ', got ' . ($data['action'] ?? 'none'));
+        respond(false, '❌ reCAPTCHA verification failed. Please try again.');
     }
 
     // Check 6: Hostname matches (prevents token theft from other sites)
     $expectedHost = $_SERVER['SERVER_NAME'] ?? '';
     if (!empty($expectedHost) && ($data['hostname'] ?? '') !== $expectedHost) {
-        respond(false, '❌ reCAPTCHA hostname mismatch.');
+        error_log('reCAPTCHA hostname mismatch: expected ' . $expectedHost . ', got ' . ($data['hostname'] ?? 'none'));
+        respond(false, '❌ reCAPTCHA verification failed. Please try again.');
     }
 
     // Check 7: Score is above minimum threshold (0.0 = bot, 1.0 = human)

SECURITY.md

@@ -0,0 +1,115 @@
+# Security Improvements Report
+
+This document outlines the security vulnerabilities that were identified and fixed in the Contact-Form-PHP repository.
+
+## Summary
+
+A comprehensive security audit was performed on the codebase, and several security improvements were implemented to enhance the security posture of the application.
+
+## Security Vulnerabilities Fixed
+
+### 1. Insecure Session Configuration (HIGH)
+
+**Issue**: Sessions were started without secure cookie parameters, making them vulnerable to session hijacking attacks.
+
+**Fix**: 
+- Added secure session cookie configuration with the following parameters:
+  - `secure`: Set to `true` when using HTTPS
+  - `httponly`: Set to `true` to prevent JavaScript access
+  - `samesite`: Set to `Strict` for CSRF protection
+- Implemented session regeneration to prevent session fixation attacks
+
+**Files Modified**: `AjaxForm.php`, `csrf_token.php`
+
+### 2. Missing CSRF Protection (HIGH)
+
+**Issue**: The contact form did not have CSRF (Cross-Site Request Forgery) protection, making it vulnerable to attacks where malicious sites could submit forms on behalf of users.
+
+**Fix**:
+- Implemented CSRF token generation and validation
+- Created a new endpoint (`csrf_token.php`) to provide secure CSRF tokens
+- Added CSRF token validation using timing-safe comparison (`hash_equals()`)
+- Modified the JavaScript to fetch and include CSRF tokens in form submissions
+
+**Files Modified**: `AjaxForm.php`, `AjaxForm.js`
+**Files Created**: `csrf_token.php`
+
+### 3. Information Disclosure (MEDIUM)
+
+**Issue**: Detailed error messages from exceptions were being returned to users, potentially revealing sensitive information about the SMTP configuration, internal paths, or system details.
+
+**Fix**:
+- Changed error handling to return generic error messages to users
+- Added `error_log()` calls to log detailed error information for administrators
+- Implemented generic error messages for all reCAPTCHA verification failures
+
+**Files Modified**: `AjaxForm.php`
+
+### 4. Missing Security Headers (MEDIUM)
+
+**Issue**: The application was missing important security headers that help prevent various attacks.
+
+**Fix**:
+- Added the following security headers to all PHP responses:
+  - `X-Content-Type-Options: nosniff` - Prevents MIME type sniffing
+  - `X-Frame-Options: DENY` - Prevents clickjacking attacks
+  - `X-XSS-Protection: 1; mode=block` - Enables XSS filtering
+  - `Referrer-Policy: strict-origin-when-cross-origin` - Controls referrer information
+- Added equivalent meta tags to HTML pages
+- Added Subresource Integrity (SRI) hashes to external scripts and stylesheets
+
+**Files Modified**: `AjaxForm.php`, `csrf_token.php`, `index.html`
+
+## Security Features Already Present
+
+The following security features were already implemented in the codebase:
+
+1. **XSS Protection**: All user inputs are sanitized using `htmlspecialchars()` with proper flags
+2. **Email Validation**: Robust email validation using PHP's `FILTER_VALIDATE_EMAIL` and DNS checks
+3. **reCAPTCHA v3**: Bot protection with score-based verification
+4. **Rate Limiting**: Session-based rate limiting to prevent spam
+5. **Honeypot**: Anti-bot protection using a hidden field
+6. **Input Sanitization**: Control characters and null bytes are removed from inputs
+7. **User-Agent Filtering**: Blocks known bot user agents
+
+## Vulnerabilities Not Present
+
+The following potential vulnerabilities were checked and confirmed as not present:
+
+- **SQL Injection**: No database usage in the application
+- **Command Injection**: No use of dangerous PHP functions like `eval()`, `system()`, `exec()`
+- **File Inclusion**: No dynamic file inclusion vulnerabilities
+- **Path Traversal**: No file system operations based on user input
+
+## Testing
+
+All security improvements were tested and verified:
+
+1. PHP syntax validation passed for all PHP files
+2. CSRF token endpoint tested and confirmed working
+3. Form page loads correctly with all security headers
+4. CodeQL security scanner found no vulnerabilities in JavaScript code
+
+## Recommendations
+
+1. **Use HTTPS**: Ensure the application is always served over HTTPS in production
+2. **Keep Dependencies Updated**: Regularly update PHPMailer and Bootstrap to patch any security vulnerabilities
+3. **Monitor Error Logs**: Regularly review error logs for any suspicious activity
+4. **Configure SMTP Credentials Securely**: Store SMTP credentials in environment variables or a secure configuration file outside the web root
+5. **Enable PHP Error Logging**: Configure PHP to log errors to files rather than displaying them to users
+6. **Implement Content Security Policy**: Consider adding a CSP header to further prevent XSS attacks
+7. **Regular Security Audits**: Perform regular security audits and penetration testing
+
+## Security Best Practices Followed
+
+- ✅ Defense in depth: Multiple layers of security controls
+- ✅ Principle of least privilege: Minimal permissions required
+- ✅ Fail securely: All errors result in secure default behavior
+- ✅ Don't trust user input: All inputs are validated and sanitized
+- ✅ Use secure defaults: All security features enabled by default
+- ✅ Keep it simple: Simple, maintainable security code
+- ✅ Fix security issues properly: No workarounds or band-aids
+
+## Conclusion
+
+The Contact-Form-PHP application now implements industry-standard security practices and is protected against common web vulnerabilities. All identified security issues have been addressed, and the application follows security best practices for PHP web applications.

csrf_token.php

@@ -0,0 +1,55 @@
+<?php
+
+/**
+ * CSRF Token Provider
+ * Returns a secure CSRF token for form submission
+ *
+ * @author   Raspgot <contact@raspgot.fr>
+ * @link     https://github.com/raspgot/Contact-Form-PHP
+ * @version  1.7.5
+ */
+
+declare(strict_types=1);
+
+// Start session with secure cookie settings
+if (session_status() === PHP_SESSION_NONE) {
+    // Configure secure session parameters
+    // Extract hostname without port for cookie domain
+    $host = $_SERVER['HTTP_HOST'] ?? '';
+    $cookieDomain = preg_replace('/:\d+$/', '', $host); // Remove port if present
+
+    $sessionCookieParams = [
+        'lifetime' => 0,                    // Session cookie (expires on browser close)
+        'path'     => '/',
+        'domain'   => $cookieDomain,
+        'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',  // HTTPS only
+        'httponly' => true,                 // Prevent JavaScript access
+        'samesite' => 'Strict'              // CSRF protection
+    ];
+    session_set_cookie_params($sessionCookieParams);
+    session_start();
+
+    // Regenerate session ID to prevent session fixation attacks
+    if (!isset($_SESSION['initiated'])) {
+        session_regenerate_id(true);
+        $_SESSION['initiated'] = true;
+    }
+}
+
+// Security headers
+header('X-Content-Type-Options: nosniff');
+header('X-Frame-Options: DENY');
+header('X-XSS-Protection: 1; mode=block');
+header('Referrer-Policy: strict-origin-when-cross-origin');
+
+// Always return responses as JSON
+header('Content-Type: application/json');
+
+// Generate and return CSRF token
+if (!isset($_SESSION['csrf_token'])) {
+    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
+}
+
+echo json_encode([
+    'csrf_token' => $_SESSION['csrf_token']
+]);

index.html

@@ -3,10 +3,15 @@
     <head>
         <meta charset="utf-8" />
         <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <!-- Security headers -->
+        <meta http-equiv="X-Content-Type-Options" content="nosniff" />
+        <meta http-equiv="X-Frame-Options" content="DENY" />
+        <meta http-equiv="X-XSS-Protection" content="1; mode=block" />
+        <meta name="referrer" content="strict-origin-when-cross-origin" />
         <title>Contact Form</title>
 
         <!-- Bootstrap CSS -->
-        <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" />
+        <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-7L0hCaLdJnFzHBMHePIYXDdeMmZmhWA/DwQnZGzzLTsJXNYBUwxZ2dRc9nxQnqnL" crossorigin="anonymous" />
     </head>
 
     <body>
@@ -75,7 +80,7 @@ <h1 class="fw-bold mb-2">Contact Us</h1>
         <!-- reCAPTCHA v3 (replace with your site key) -->
         <script defer src="https://www.google.com/recaptcha/api.js?render=YOUR_RECAPTCHA_SITE_KEY"></script>
         <!-- Bootstrap Bundle -->
-        <script defer src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstrap.bundle.min.js"></script>
+        <script defer src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/js/bootstrap.bundle.min.js" integrity="sha384-JxF7+cBoFDZzwk+Sq9EzZlzJZG2cRlN6z9vEMdxvI5r/j7E+Wf5IqVWoJ/jA8xNv" crossorigin="anonymous"></script>
         <!-- Custom JS handling AJAX form submission -->
         <script src="AjaxForm.js"></script>
         <!-- GitHub Button script (optional) -->