-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsecurity.php
More file actions
55 lines (49 loc) · 1.5 KB
/
security.php
File metadata and controls
55 lines (49 loc) · 1.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
<?php
if (session_status() === PHP_SESSION_NONE) {
session_start();
}
// 1. Browser UA check
$user_agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
$allowed_browsers = ['Chrome', 'Firefox', 'Safari', 'Edge', 'Opera', 'MSIE', 'Trident', 'Mozilla'];
$is_browser = false;
foreach ($allowed_browsers as $b) {
if (stripos($user_agent, $b) !== false) {
$is_browser = true;
break;
}
}
// 2. Referer check (optional, can be relaxed if needed)
$referer_ok = true;
if (isset($_SERVER['HTTP_REFERER'])) {
$referer = $_SERVER['HTTP_REFERER'];
$allowed_sources = ['awi.cuhk.edu.cn', '10.26.4.101'];
$referer_ok = false;
foreach ($allowed_sources as $src) {
if (strpos($referer, $src) !== false) {
$referer_ok = true;
break;
}
}
}
// 3. Check if JS cookie is set
$js_cookie_set = isset($_COOKIE['js_check']) && $_COOKIE['js_check'] === '1';
// === Non-browser access, immediate 403 ===
if (!$is_browser) {
http_response_code(403);
echo "Access denied. Please use a real web browser.";
exit;
}
// === Browser but cookie not set (first visit) → Set cookie, return 412 + JS reload ===
if (!$js_cookie_set) {
header("X-Protect: JS-Check");
http_response_code(412); // Precondition Failed
echo '<script>document.cookie="js_check=1; path=/"; window.location.reload();</script>';
exit;
}
// === Invalid referer, also denied ===
if (!$referer_ok) {
http_response_code(403);
echo "Access denied. Invalid referer.";
exit;
}
?>