ivan-sincek/secure-website

Secure Website

Secure website with registration, sign-in, session management, and CRUD controls. No framework was used.

PHP Data Objects (PDO) is used for secure database access in PHP (a MySQL database is included).

Used CSS Flexbox for the responsive design.

All the scripts are successfully validated with Markup Validation Service.

Built with security in mind. The following attacks are prevented in the code:

Many more attacks are prevented through the hardening steps described below.

Tested on XAMPP for Windows v7.4.3 (64-bit) with Chrome v104.0.5112.102 (64-bit) and Firefox v104.0 (64-bit).

Made for educational purposes. I hope it will help!

How to Run

Import \db\secure_website.sql to your database server.

Copy all the content from \src\ to your server's web root directory (e.g. to \xampp\htdocs\ on XAMPP).

Change the database settings inside \src\php\config.ini as necessary.

Check the sign-in credentials here.

Navigate to the website with your preferred web browser.


On web servers other than XAMPP (Apache) you might need to load the Multibyte String library in PHP.

In XAMPP it is as simple as uncommenting extension=mbstring in php.ini.

Apache Hardening

From your Apache directory, open \conf\httpd.conf:

Disable the HTTP TRACE method. Navigate to the Supplemental configuration section and add the new configuration TraceEnable Off.

Prevent directory listing. Navigate to the DocumentRoot section and remove Indexes from Options Indexes FollowSymLinks Includes ExecCGI.

Prevent clickjacking attacks. Navigate to the Supplemental configuration section and add the new configuration Header always set X-Frame-Options "DENY".

Set a Content Security Policy (CSP). The following configuration will only allow resources to be loaded from your own domain. Navigate to the Supplemental configuration section and add the new configuration Header always set Content-Security-Policy "default-src 'self'". Search the Internet for more Content Security Policy options. Check the CSP validator here.

Block MIME sniffing. Navigate to the Supplemental configuration section and add the new configuration Header always set X-Content-Type-Options "nosniff".

Enforce the cross-site scripting (XSS) filter. Navigate to the Supplemental configuration section and add the new configuration Header always set X-XSS-Protection "1; mode=block".

Prevent cross-site request forgery. The following configuration will not allow requests from other websites (i.e. cross-site requests). Navigate to the Supplemental configuration section and add the new configuration Header always set Access-Control-Allow-Origin "https://securewebsite.com", where https://securewebsite.com is your own domain name.

Set rate limiting. This is more of a denial-of-service (DoS) protection. Comment out the mod_ratelimit.so extension, and add the following code to the end of the file (this is speed in KiB/s, not a number of requests; it will also affect the page load speed):

<Location />
	SetOutputFilter RATE_LIMIT
	SetEnv rate-limit 1024
</Location>

From your Apache directory, open \conf\extra\httpd-autoindex.conf:

Prevent '/icons/' directory listing. Comment out Alias /icons/ "C:/xampp/apache/icons/".


From your Apache directory, open \conf\extra\httpd-default.conf:

Prevent version disclosure. Set ServerTokens to Prod and ServerSignature to Off.

Mitigate Slowloris and other DoS attacks. Lower Timeout to 60.


From your Apache directory, open \conf\extra\httpd-info.conf:

Disable '/server-status' page. Comment out entire <Location /server-status> element.
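To verify that the httpd.conf and php.ini changes above actually took effect, here is an added POSIX shell check (not part of this repository) that inspects a captured HTTP response for the hardening headers and for version leaks; the sample responses are constructed, and https://securewebsite.com is the placeholder domain used above. Access-Control-Allow-Origin is deliberately not checked: browsers enforce it only when a cross-origin script reads a response, so it does not stop a cross-site form submission.

```shell
#!/bin/sh
# Added example, not part of the secure-website repository: check a captured
# HTTP response for the headers the Apache Hardening steps above add.
# Live use: audit_headers "$(curl -sI https://securewebsite.com/)"

# has_header NAME VALUE-REGEX: true when a "Name: value" line matches (name compared case-insensitively)
has_header() {
    printf '%s\n' "$HEADERS" | grep -i -E "^$1: *$2" >/dev/null
}

# audit_headers RESPONSE: prints one line per finding; returns 0 only when
# every hardening header is present and nothing discloses a version.
audit_headers() {
    HEADERS=$(printf '%s' "$1" | tr -d '\r'); rc=0   # strip CRLF line ends
    has_header 'X-Frame-Options' 'DENY' \
        || { echo "MISSING X-Frame-Options: DENY (clickjacking)"; rc=1; }
    has_header 'Content-Security-Policy' '.+' \
        || { echo "MISSING Content-Security-Policy"; rc=1; }
    has_header 'X-Content-Type-Options' 'nosniff' \
        || { echo "MISSING X-Content-Type-Options: nosniff (MIME sniffing)"; rc=1; }
    has_header 'X-XSS-Protection' '1; *mode=block' \
        || { echo "MISSING X-XSS-Protection: 1; mode=block"; rc=1; }
    # ServerTokens Prod leaves just "Server: Apache"; a "/" means a version leaked
    ! has_header 'Server' '.*/' \
        || { echo "LEAK Server header discloses versions (set ServerTokens Prod)"; rc=1; }
    ! has_header 'X-Powered-By' '.*' \
        || { echo "LEAK X-Powered-By present (set expose_php = Off)"; rc=1; }
    return $rc
}

# Constructed sample responses (not captured from a real server).
STOCK_RESPONSE=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.3
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8
EOF
)
HARDENED_RESPONSE=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8
EOF
)
audit_headers "$STOCK_RESPONSE" || echo "stock response: findings above"
```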

PHP Hardening

From your PHP directory, open php.ini:

Prevent version disclosure. Set expose_php to Off.

Prevent information disclosure through displayed errors. Set both display_errors and display_startup_errors to Off.

Set the server's timezone correctly. Set both instances of date.timezone to your timezone. Search the Internet for a list of supported timezones in PHP.

Set the session cookie's name. Set session.name to your own desired value. In addition to this website, it is also set here.

Set the session cookie's lifetime. Set session.cookie_lifetime to your own desired value. In addition to this website, it is also set here.

Set the session cookie's HttpOnly flag. The following configuration will not allow client-side scripts to access the session cookie. Set session.cookie_httponly to 1. In addition to this website, it is also set here.

Use strict session mode. Set session.use_strict_mode to 1.

Disable file uploads. Do this only if your website does not use file uploads. Set file_uploads to Off.

Prevent remote file inclusion. Set allow_url_fopen to Off.

Disable dangerous PHP functions. Set disable_functions to eval;exec;shell_exec;curl_exec;passthru;system;proc_open;popen. Search the Internet for additional dangerous PHP functions.
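An added POSIX shell audit (not part of this repository) that reads a php.ini and reports every directive listed above that still has its stock value; the two sample files it writes are constructed. Note that disable_functions takes a comma-separated list, which is what the hardened sample uses.

```shell
#!/bin/sh
# Added example, not part of the secure-website repository: audit a php.ini
# against the directives listed in the PHP Hardening steps above.

# ini_get FILE KEY: value of the last uncommented "key = value" line
# (lines starting with ';' never match), trailing whitespace removed.
ini_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Prints one line per finding; returns 0 when every directive matches, 1 otherwise.
audit_php_ini() {
    file="$1"; rc=0
    # Directives with a fixed expected value (compared case-insensitively, as PHP does)
    for pair in expose_php=off display_errors=off display_startup_errors=off \
                session.cookie_httponly=1 session.use_strict_mode=1 \
                file_uploads=off allow_url_fopen=off; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(ini_get "$file" "$key" | tr 'A-Z' 'a-z')
        [ "$got" = "$want" ] || { echo "WEAK $key = '${got:-<unset>}' (expected $want)"; rc=1; }
    done
    # Site-specific directives: only check that they were actually changed
    [ "$(ini_get "$file" session.name)" != "PHPSESSID" ] \
        || { echo "WEAK session.name is still the default PHPSESSID"; rc=1; }
    [ -n "$(ini_get "$file" disable_functions)" ] \
        || { echo "WEAK disable_functions is empty"; rc=1; }
    return $rc
}

# write_sample FILE stock|hardened: constructed php.ini fragments, not real files.
write_sample() {
    if [ "$2" = hardened ]; then
        printf '%s\n' 'expose_php = Off' 'display_errors = Off' \
            'display_startup_errors = Off' 'session.name = SECURESESS' \
            'session.cookie_httponly = 1' 'session.use_strict_mode = 1' \
            'file_uploads = Off' 'allow_url_fopen = Off' \
            'disable_functions = exec,shell_exec,passthru,system,proc_open,popen' > "$1"
    else
        printf '%s\n' '; stock development defaults' 'expose_php = On' \
            'display_errors = On' 'display_startup_errors = On' \
            'session.name = PHPSESSID' 'session.cookie_httponly =' \
            'session.use_strict_mode = 0' 'file_uploads = On' \
            'allow_url_fopen = On' 'disable_functions =' > "$1"
    fi
}

tmp=$(mktemp); write_sample "$tmp" stock
audit_php_ini "$tmp" || echo "stock php.ini: findings above"; rm -f "$tmp"
```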

SSL/TLS Certificate

Find out how to create an SSL/TLS certificate here.

Images

Figure 1 - Home Page

Figure 2 - Registration

Figure 3 - Users Table

Figure 4 - Responsive Design