# Security Changes Made

## Overview

This document records all security hardening applied before cPanel production deployment.

---

## 1. Critical — Removed `/dev-login` Backdoor

**File:** `routes/web.php`

Removed a route that allowed anyone to log in as the first user in the database with no password, no token, and no authentication whatsoever.

```php
// REMOVED — this was a complete authentication bypass
Route::get('/dev-login', function () {
    auth()->login(\App\Models\User::first());
    return redirect()->route('admin.dashboard');
});
```

**Risk if left in:** Any visitor to `/dev-login` would have had full admin access.

---

## 2. Rate Limiting on Login and Contact Routes

**File:** `routes/web.php`

Added throttle middleware to prevent brute-force attacks on login and spam abuse on the contact form.

| Route | Limit |
|-------|-------|
| `/login` | 5 requests per minute |
| `/contact` | 10 requests per minute |

```php
Route::livewire('/login', 'pages::admin.login')->middleware('throttle:5,1')->name('login');
Route::livewire('/contact', 'pages::contact')->middleware('throttle:10,1')->name('contact');
```

---

## 3. Security Headers Middleware

**File:** `app/Http/Middleware/SecurityHeaders.php` *(new file)*

Created a global middleware that injects security headers on every response.

| Header | Value | Purpose |
|--------|-------|---------|
| `X-Frame-Options` | `DENY` | Prevents clickjacking via iframes |
| `X-Content-Type-Options` | `nosniff` | Prevents MIME-type sniffing attacks |
| `X-XSS-Protection` | `1; mode=block` | Legacy XSS browser filter |
| `Referrer-Policy` | `strict-origin-when-cross-origin` | Controls referrer info leakage |
| `Permissions-Policy` | `camera=(), microphone=(), geolocation=(), payment=()` | Blocks browser feature abuse |
| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains` | Forces HTTPS for 1 year |
| `X-Powered-By` | *(removed)* | Hides PHP version from attackers |
| `Server` | *(removed)* | Hides server software from attackers |

Registered in the global middleware stack in `app/Http/Kernel.php`.
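The middleware file itself is not reproduced above. The class below is an added reconstruction (not the project's own `SecurityHeaders.php`) that sets every header from the table, and it assumes a Laravel version that still ships `app/Http/Kernel.php`, where the class is appended to the global `$middleware` array. Two details that are easy to get wrong are called out in comments: `X-Powered-By` is emitted by PHP itself, so it has to be removed with `header_remove()` (or `expose_php=Off`), and the `Server` header is written by Apache after PHP has returned, so it cannot be stripped from a Laravel response at all. One design choice here that goes beyond the table: HSTS is only sent on HTTPS responses, since browsers ignore it over plain HTTP and sending it from a local HTTP dev server can leave the browser pinned to HTTPS.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Adds hardening headers to every response.
 *
 * Added example; register it in the global $middleware array of
 * app/Http/Kernel.php so it runs for web and API routes alike.
 */
class SecurityHeaders
{
    /** Headers that are safe to send unconditionally. */
    private const HEADERS = [
        'X-Frame-Options'        => 'DENY',
        'X-Content-Type-Options' => 'nosniff',
        'X-XSS-Protection'       => '1; mode=block',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        'Permissions-Policy'     => 'camera=(), microphone=(), geolocation=(), payment=()',
    ];

    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        foreach (self::HEADERS as $name => $value) {
            $response->headers->set($name, $value);
        }

        // HSTS is only meaningful on an HTTPS response. The one-year max-age
        // matches the table above; add "preload" only once you have submitted
        // the domain to the preload list.
        if ($request->isSecure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        // X-Powered-By is added by PHP (expose_php=On), not by Laravel, so
        // removing it from the Response object alone does nothing. header_remove()
        // drops it from PHP's pending header list; setting expose_php=Off in
        // php.ini is the cleaner fix when you control the PHP configuration.
        $response->headers->remove('X-Powered-By');
        header_remove('X-Powered-By');

        // The Server header is written by Apache after PHP has finished, so it
        // cannot be removed here. Apache's ServerTokens directive (httpd.conf
        // only, not .htaccess) controls how much it reveals; ServerSignature
        // only affects the footer of Apache-generated error pages.

        return $response;
    }
}
```

A quick check after deployment is `curl -sI https://yourdomain.com/` and confirming the headers from the table appear exactly once; if a header appears twice, the `.htaccess` fallback and this middleware are both active, and the `.htaccess` copy should use `Header always set` (which replaces) rather than `Header add`.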

---

## 4. TrustHosts Middleware Enabled

**File:** `app/Http/Kernel.php`

Uncommented `TrustHosts` middleware to prevent host-header injection attacks. It reads the trusted host from `APP_URL` in `.env`.

```php
// Before
// \App\Http\Middleware\TrustHosts::class,

// After
\App\Http\Middleware\TrustHosts::class,
```

---

## 5. Session Encryption Enabled

**File:** `config/session.php`

Session data is now encrypted at rest. Configurable via `.env`.

```php
// Before
'encrypt' => false,

// After
'encrypt' => env('SESSION_ENCRYPT', true),
```

Set in `.env.production`:
```
SESSION_ENCRYPT=true
SESSION_SECURE_COOKIE=true
SESSION_SAME_SITE=lax
SESSION_LIFETIME=60
```

---

## 6. Hardened `public/.htaccess`

**File:** `public/.htaccess`

Added rules on top of Laravel's default `.htaccess`:

- **Block sensitive files** — denies direct HTTP access to `.env`, `.git`, `composer.json`, `composer.lock`, `package.json`, `phpunit.xml`, `artisan`, and all hidden files starting with `.`
- **Block PHP execution in storage/** — prevents uploaded PHP files from being executed
- **HTTP security headers** — duplicate of PHP headers as a server-level fallback via `mod_headers`
- **Server signature off** — suppresses Apache version from error pages
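The four rule groups above are described but not shown. The fragment below is an added example, not the project's actual `public/.htaccess`, of how each group can be expressed; it assumes Apache 2.4 with `mod_rewrite` and `mod_headers` available (the usual cPanel/EasyApache 4 setup) and is meant to sit alongside Laravel's default front-controller rewrite block. The file-name list, header values and `ServerSignature Off` come from the sections above; the `env=HTTPS` condition on HSTS and the `storage/` pattern are choices made here.

```apache
# Added example rules for public/.htaccess (not the project's own file).
# Place the storage/ rule before Laravel's "Send Requests To Front Controller"
# rewrite so it is evaluated first.

# 1. Block direct access to sensitive files: every dotfile (.env, .git, .htaccess,
#    .gitignore, ...) plus the named build/config files, should any of them ever
#    end up under the document root.
<FilesMatch "^(\..*|composer\.(json|lock)|package\.json|phpunit\.xml|artisan)$">
    Require all denied
</FilesMatch>

# 2. Never execute PHP under storage/. public/storage is normally a symlink to
#    storage/app/public (user uploads), so a file uploaded as "avatar.php" must
#    be served as a 403, not run. [F] = 403 Forbidden, [NC] = case-insensitive.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^storage/.*\.(php|phtml|php[0-9]|phar)$ - [F,NC,L]
</IfModule>

# 3. Server-level fallback for the headers the PHP middleware sets.
#    "always" also covers error responses generated by Apache itself, and
#    "set" replaces any existing value so the header is not duplicated.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
    # Only on TLS responses; mod_ssl sets the HTTPS environment variable.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    # PHP's X-Powered-By may land in either header table depending on the
    # PHP handler (mod_php vs php-fpm), so unset it in both.
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>

# 4. Drop the "Apache/2.4.x (server) at host Port 443" footer from error pages.
#    The Server response header itself is governed by ServerTokens, which is
#    not permitted in .htaccess.
ServerSignature Off
```

After uploading, the checklist items `https://yourdomain.com/.env` (expect 403) and a request for a `.php` path under `/storage/` (expect 403) exercise rules 1 and 2 directly; `curl -sI` on the home page confirms rule 3.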

---

## 7. Root `.htaccess` Created

**File:** `.htaccess` *(new file, in app root)*

Denies direct web access to the application root. The web server's Document Root must be pointed to the `/public` subdirectory on cPanel. This file acts as a safety net if misconfigured.

---

## 8. CORS Locked Down

**File:** `config/cors.php`

Replaced the wildcard origin with the application URL from `.env`.

```php
// Before
'allowed_origins' => ['*'],

// After
'allowed_origins' => [env('APP_URL', '')],
```

---

## 9. Production `.env` Template

**File:** `.env.production` *(new file)*

A ready-to-fill production environment template with secure defaults:

- `APP_ENV=production`
- `APP_DEBUG=false` — prevents stack traces and config leaks
- `LOG_LEVEL=error` — only logs errors, not debug info
- `SESSION_ENCRYPT=true`
- `SESSION_SECURE_COOKIE=true`
- Mail configured for cPanel SMTP

> **Never commit `.env` or `.env.production` to Git if it contains real credentials.**

---

## cPanel Deployment Checklist

- [ ] Set domain Document Root to `/home/youruser/appfolder/public`
- [ ] Upload all files **except** `node_modules/` and `.git/`
- [ ] Copy `.env.production` to `.env` and fill in all real values
- [ ] Run `php artisan key:generate` to generate `APP_KEY`
- [ ] Run `php artisan migrate --force`
- [ ] Run `php artisan config:cache && php artisan route:cache && php artisan view:cache`
- [ ] Set file permissions:
  ```bash
  chmod 600 .env
  chmod -R 755 storage bootstrap/cache
  ```
- [ ] **Verify:** Visit `https://yourdomain.com/.env` — must return **403**, never file contents
- [ ] **Verify:** Visit `https://yourdomain.com/dev-login` — must return **404**
- [ ] Check response headers include `X-Frame-Options` and `X-Content-Type-Options`

---

## Files Changed

| File | Type | Change |
|------|------|--------|
| `routes/web.php` | Modified | Removed `/dev-login`, added throttle to login & contact |
| `app/Http/Kernel.php` | Modified | Enabled `TrustHosts`, registered `SecurityHeaders` |
| `config/session.php` | Modified | Session encryption on by default |
| `config/cors.php` | Modified | CORS origin locked to `APP_URL` |
| `public/.htaccess` | Modified | Blocked sensitive files, added security headers |
| `app/Http/Middleware/SecurityHeaders.php` | New | HTTP security headers middleware |
| `.htaccess` | New | Root-level access denial |
| `.env.production` | New | Production environment template |
