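<?php
// config/bootstrap.php
// Include THIS file first in any entry script or controller.
/**
 * Order matters:
 * 1) Load serv_config.php (env flags + cookie constants)
 * 2) Send security headers (before any output)
 * 3) Configure & start hardened session (uses constants from serv_config.php)
 * 4) Load db_config.php, settings.php
 * 5) Ensure CSRF token
 * 6) Optional: remember-me autologin
 *
 * Globals left for callers: $conn (from db_config.php), $_SESSION['csrf'],
 * plus whatever settings.php / lib/session.php define when they are present.
 */

// 0) Optional: start output buffering to avoid "headers already sent" during migration
if (!headers_sent()) {
    ob_start();
}

// 1) Load service/env config FIRST (for cookie domain/path/flags)
require_once __DIR__ . '/serv_config.php'; // defines APP_ENV, OTP_* flags, SESSION_* constants, SMTP_*, etc.

// 2) Send security headers ONCE (before any output)
if (!headers_sent()) {
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    // X-Frame-Options is the only clickjacking control here: the CSP below
    // declares no frame-ancestors directive.
    header('X-Frame-Options: SAMEORIGIN');
    // Non-breaking CSP; can be tightened later as you whitelist assets.
    // Scheme sources need the trailing colon: a bare "blob" is parsed as a host
    // name, so blob: URLs were not actually permitted by the previous value.
    // 'unsafe-inline' / 'unsafe-eval' keep legacy pages working but remove most
    // of the script-injection protection a CSP provides — tighten these first.
    header("Content-Security-Policy: default-src 'self' https: 'unsafe-inline' 'unsafe-eval' data: blob:;");
}

// 3) Secure session settings BEFORE session_start()
if (session_status() !== PHP_SESSION_ACTIVE) {
    // Resolve the cookie attributes once so the INI flags and the cookie
    // params passed to session_set_cookie_params() cannot disagree.
    $__sameSite = defined('SESSION_SAMESITE') ? SESSION_SAMESITE : 'Lax';
    // SESSION_SECURE (serv_config.php) wins; otherwise the cookie is marked
    // Secure only when this request itself arrived over HTTPS.
    $__secure = defined('SESSION_SECURE') ? SESSION_SECURE : !empty($_SERVER['HTTPS']);

    // Hardened INI flags
    ini_set('session.use_strict_mode', '1'); // refuse uninitialised IDs supplied by the client (fixation)
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', $__secure ? '1' : '0');
    // session.cookie_samesite exists on every PHP that accepts the array form of
    // session_set_cookie_params() used below (7.3+), so no @-suppression is needed.
    ini_set('session.cookie_samesite', $__sameSite);

    // Cookie params from constants (defined in serv_config.php)
    $cookieParams = [
        'lifetime' => 0, // session cookie
        'path' => defined('SESSION_COOKIE_PATH') ? SESSION_COOKIE_PATH : '/',
        'domain' => defined('SESSION_COOKIE_DOMAIN') ? SESSION_COOKIE_DOMAIN : '', // exact host
        'secure' => $__secure,
        'httponly' => defined('SESSION_HTTPONLY') ? SESSION_HTTPONLY : true,
        'samesite' => $__sameSite,
    ];
    session_set_cookie_params($cookieParams);
    session_start();
    unset($__sameSite, $__secure);
}

// 4) Load DB + feature settings
require_once __DIR__ . '/db_config.php'; // provides $conn

// Settings are optional; include if present (get_settings(), is_enabled(), etc.)
$__settings = __DIR__ . '/settings.php';
if (file_exists($__settings)) {
    require_once $__settings;
}
unset($__settings);

// 5) Ensure CSRF token exists (loads helper if available)
$__csrf = __DIR__ . '/../lib/csrf.php';
if (file_exists($__csrf)) {
    require_once $__csrf;
}
unset($__csrf);

if (function_exists('csrf_ensure')) {
    csrf_ensure(); // sets $_SESSION['csrf'] if missing
} elseif (empty($_SESSION['csrf'])) {
    // Single fallback for both "helper file missing" and "helper function
    // missing": a 256-bit token from the CSPRNG.
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// 6) Optional remember-me auto-login (no-op if lib missing)
$__lib_session = __DIR__ . '/../lib/session.php';
if (file_exists($__lib_session)) {
    require_once $__lib_session;
    if (function_exists('session_try_autologin')) {
        // Will only do anything if remember-me cookie is present and valid.
        session_try_autologin($conn);
    }
}
unset($__lib_session);

// Done. Callers can now safely use: $conn, get_settings()/is_enabled(), $_SESSION['csrf'], etc.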