{"id":13404965,"url":"https://github.com/ivan-sincek/secure-website","last_synced_at":"2025-04-15T12:31:38.218Z","repository":{"id":107019474,"uuid":"170863037","full_name":"ivan-sincek/secure-website","owner":"ivan-sincek","description":"Secure website with a registration, sign in, session management, and CRUD controls.","archived":false,"fork":false,"pushed_at":"2023-04-25T19:24:46.000Z","size":1715,"stargazers_count":21,"open_issues_count":0,"forks_count":6,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-10-17T16:21:27.970Z","etag":null,"topics":["apache","crud-controls","css-flexbox","defensive-security","ethical-hacking","hardening","offensive-security","penetration-testing","php","php-data-object","red-team-engagement","registration","security","session-management","sign-in","ssl-certificate","tls-certificate","website"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ivan-sincek.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-02-15T12:39:49.000Z","updated_at":"2024-08-12T19:45:50.000Z","dependencies_parsed_at":"2024-01-16T10:37:44.549Z","dependency_job_id":"158afcb4-be30-4e2c-8ea7-ded0aa30ae3e","html_url":"https://github.com/ivan-sincek/secure-website","commit_stats":{"total_commits":1,"total_committers":1,"mean_commits":1.0,"dds":0.0,"last_synced_commit":"4c60fa26335bd9d36fe6fc7602c25bd042cd6453"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/ivan-sincek%2Fsecure-website","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fsecure-website/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fsecure-website/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ivan-sincek%2Fsecure-website/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ivan-sincek","download_url":"https://codeload.github.com/ivan-sincek/secure-website/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249072250,"owners_count":21208145,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache","crud-controls","css-flexbox","defensive-security","ethical-hacking","hardening","offensive-security","penetration-testing","php","php-data-object","red-team-engagement","registration","security","session-management","sign-in","ssl-certificate","tls-certificate","website"],"created_at":"2024-07-30T19:01:53.863Z","updated_at":"2025-04-15T12:31:37.829Z","avatar_url":"https://github.com/ivan-sincek.png","language":"PHP","readme":"# Secure Website\n\nSecure website with a registration, sign in, [session management](https://github.com/ivan-sincek/secure-website/blob/master/src/php/session.class.php), and CRUD controls. 
No framework was used.\n\nUsed [PHP Data Objects (PDO)](https://github.com/ivan-sincek/secure-website/blob/master/src/php/database.class.php) for securely accessing a database in PHP (MySQL database included).\n\nUsed [CSS Flexbox](https://github.com/ivan-sincek/secure-website/blob/master/src/css/main.css) for the responsive design.\n\nAll the scripts are successfully validated with [Markup Validation Service](https://validator.w3.org).\n\nBuilt with security in mind. The following attacks are prevented in the code:\n\n* sign in brute force,\n* session fixation,\n* SQL injection,\n* cross-site scripting (XSS),\n* [cross-site request forgery (CSRF)](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern),\n* etc.\n\nAnd, many more attacks are prevented through hardening.\n\nTested on XAMPP for Windows v7.4.3 (64-bit) with Chrome v104.0.5112.102 (64-bit) and Firefox v104.0 (64-bit).\n\nMade for educational purposes. I hope it will help!\n\n## How to Run\n\nImport [\\\\db\\\\secure_website.sql](https://github.com/ivan-sincek/secure-website/blob/master/db/secure_website.sql) to your database server.\n\nCopy all the content from [\\\\src\\\\](https://github.com/ivan-sincek/secure-website/tree/master/src) to your server's web root directory (e.g. 
to \\\\xampp\\\\htdocs\\\\ on XAMPP).\n\nChange the database settings inside [\\\\src\\\\php\\\\config.ini](https://github.com/ivan-sincek/secure-website/blob/master/src/php/config.ini) as necessary.\n\nCheck the sign in credentials [here](https://github.com/ivan-sincek/secure-website/blob/master/db/test_accounts.txt).\n\nNavigate to the website with your preferred web browser.\n\n---\n\nOn web servers other than XAMPP (Apache) you might need to load the `Multibyte String` library in PHP.\n\nIn XAMPP it is as simple as uncommenting `extension=mbstring` in `php.ini`.\n\n## Apache Hardening\n\nFrom your Apache directory, open `\\conf\\httpd.conf`:\n\n**Disable HTTP TRACE method.** Navigate to the `Supplemental configuration` section and add the new configuration `TraceEnable Off`.\n\n**Prevent directory listing.** Navigate to the `DocumentRoot` section and remove `Indexes` from `Options Indexes FollowSymLinks Includes ExecCGI`.\n\n**Prevent clickjacking attacks.** Navigate to the `Supplemental configuration` section and add the new configuration `Header always set X-Frame-Options \"DENY\"`.\n\n**Set Content Security Policy (CSP).** The following configuration will only allow you to load resources from your own domain. Navigate to the `Supplemental configuration` section and add the new configuration `Header always set Content-Security-Policy \"default-src 'self'\"`. Search the Internet for more Content Security Policy options. Check the CSP validator [here](https://csp-evaluator.withgoogle.com).\n\n**Block MIME sniffing.** Navigate to the `Supplemental configuration` section and add the new configuration `Header always set X-Content-Type-Options \"nosniff\"`.\n\n**Enforce cross-site scripting (XSS) filter.** Navigate to the `Supplemental configuration` section and add the new configuration `Header always set X-XSS-Protection \"1; mode=block\"`.\n\n**Prevent cross-site request forgery.** The following configuration will not allow requests from other websites (i.e. cross-site requests). 
Navigate to the `Supplemental configuration` section and add the new configuration `Header always set Access-Control-Allow-Origin \"https://securewebsite.com\"` - where `https://securewebsite.com` is your own domain name.\n\n**Set rate limiting.** This is more of a denial-of-service (DoS) protection. Comment out the `mod_ratelimit.so` extension, and add the following code to the end of the file (this is speed in KiB/s, not number of requests; this will also affect the page load speed):\n\n```fundamental\n\u003cLocation /\u003e\n\tSetOutputFilter RATE_LIMIT\n\tSetEnv rate-limit 1024\n\u003c/Location\u003e\n```\n\n---\n\nFrom your Apache directory, open `\\conf\\extra\\httpd-autoindex.conf`:\n\n**Prevent '/icons/' directory listing.** Comment out `Alias /icons/ \"C:/xampp/apache/icons/\"`.\n\n---\n\nFrom your Apache directory, open `\\conf\\extra\\httpd-default.conf`:\n\n**Prevent version disclosure.** Set `ServerTokens` to `Prod` and `ServerSignature` to `Off`.\n\n**Mitigate Slow Loris and other DoS attacks.** Lower `Timeout` to `60`.\n\n---\n\nFrom your Apache directory, open `\\conf\\extra\\httpd-info.conf`:\n\n**Disable '/server-status' page.** Comment out the entire `\u003cLocation /server-status\u003e` element.\n\n## PHP Hardening\n\nFrom your PHP directory, open `php.ini`:\n\n**Prevent version disclosure.** Set `expose_php` to `Off`.\n\n**Prevent display errors information disclosure.** Set both `display_errors` and `display_startup_errors` to `Off`.\n\n**Set the correct server's timezone.** Set both instances of `date.timezone` to your timezone. Search the Internet for a list of supported timezones in PHP.\n\n**Set the session cookie's name.** Set `session.name` to your own desired value. In addition to this website, it is also set [here](https://github.com/ivan-sincek/secure-website/blob/master/src/php/session.class.php).\n\n**Set the session cookie's lifetime.** Set `session.cookie_lifetime` to your own desired value. 
In addition to this website, it is also set [here](https://github.com/ivan-sincek/secure-website/blob/master/src/php/session.class.php).\n\n**Set the session cookie's HttpOnly flag.** The following configuration will not allow client side scripts to access the session cookie. Set `session.cookie_httponly` to `1`. In addition to this website, it is also set [here](https://github.com/ivan-sincek/secure-website/blob/master/src/php/session.class.php).\n\n**Use strict session mode.** Set `session.use_strict_mode` to `1`.\n\n**Disable file uploads.** Do the following only if your website does not utilize file uploads. Set `file_uploads` to `Off`.\n\n**Prevent remote file inclusion.** Set `allow_url_fopen` to `Off`.\n\n**Disable dangerous PHP functions.** Set `disable_functions` to `eval;exec;shell_exec;curl_exec;passthru;system;proc_open;popen`. Search the Internet for additional dangerous PHP functions.\n\n## SSL/TLS Certificate\n\nFind out how to create an SSL/TLS certificate [here](https://github.com/ivan-sincek/secure-website/tree/master/crt).\n\n## Images\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/secure-website/blob/master/img/home_page.jpg\" alt=\"Home Page\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 1 - Home Page\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/secure-website/blob/master/img/register.jpg\" alt=\"Registration\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 2 - Registration\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/secure-website/blob/master/img/users.jpg\" alt=\"Users Table\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 3 - Users Table\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\u003cimg src=\"https://github.com/ivan-sincek/secure-website/blob/master/img/responsive_design.jpg\" alt=\"Responsive Design\"\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003eFigure 4 - 
Responsive Design\u003c/p\u003e\n","funding_links":[],"categories":["PHP"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivan-sincek%2Fsecure-website","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fivan-sincek%2Fsecure-website","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fivan-sincek%2Fsecure-website/lists"}