antoniojps
4/1/2017 - 2:02 AM

PHP - Lista de Segurança: http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php/130323#13032

/*

HTTPS no Domain
Rate limiting
PDO Prepared statements
# Hash sensitive data
# Check the ORIGIN header
Check the REFERER header
  If the Origin header is not present, verify the hostname in the 
  Referer header matches the site's origin.
  Checking the HTTP_REFERER is also quite simple in PHP with $_SERVER['HTTP_REFERER'].
# Generate CSRF tokens (Cross-site request forgery)
Validate user input.
Never trust user input


*/

// Password Hash

// Hashing:
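/**
 * Hash a plain-text password for storage.
 *
 * Only the returned hash is stored; the plain-text value itself is never
 * persisted. PASSWORD_DEFAULT lets PHP choose its current recommended
 * algorithm, so hashes produced on an older PHP may later need a
 * password_needs_rehash() check.
 *
 * @param string $userInput the plain-text password as submitted by the user
 * @return string the salted hash (algorithm, cost and salt are encoded in it)
 */
function hashPassword(string $userInput): string
{
    return password_hash($userInput, PASSWORD_DEFAULT);
}

/**
 * Check a submitted password against a stored hash.
 *
 * @param string $userInput      the plain-text password to check
 * @param string $hashedPassword a hash previously produced by hashPassword()
 * @return bool true when the password matches the hash
 */
function verifyPassword(string $userInput, string $hashedPassword): bool
{
    return password_verify($userInput, $hashedPassword);
}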
 


// #. Check the ORIGIN header

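header('Content-Type: application/json');

// Fail closed when the browser sent no Origin at all.
if (!isset($_SERVER['HTTP_ORIGIN'])) {
    exit(json_encode(['error' => 'No Origin header']));
}

// Build the expected origin from the scheme actually in use. The original
// hard-coded "http://", which rejects every request once the site is served
// over HTTPS (the checklist above asks for HTTPS on the domain).
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$expectedOrigin = $scheme . '://' . $_SERVER['SERVER_NAME'];
// NOTE(review): SERVER_NAME carries no port, while a browser Origin on a
// non-default port does ("https://host:8443"); append SERVER_PORT here if the
// site is not on 80/443. Whether SERVER_NAME reflects the Host header or a
// configured canonical name depends on the web server set-up — confirm, or
// compare against a configured constant instead.

// Compare the whole origin. The original test, strpos($address, $origin) !== 0,
// only required the Origin value to be a prefix of the expected address, so
// "http://" or a truncated host name was accepted. Scheme and host are
// case-insensitive, hence strcasecmp rather than ===.
if (strcasecmp($_SERVER['HTTP_ORIGIN'], $expectedOrigin) !== 0) {
    exit(json_encode([
        'error' => 'Invalid Origin header: ' . $_SERVER['HTTP_ORIGIN']
    ]));
}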

// #. Generate CSRF tokens (Cross-site request forgery)

  // GENERATE TOKEN
  
// Start (or resume) the session and make sure it carries a CSRF token.
// random_bytes() is a CSPRNG; 32 bytes become 64 hex characters via bin2hex().
// The token is generated once per session and reused on later requests.
session_start();
$issuedToken = $_SESSION['csrf_token'] ?? null;
if (empty($issuedToken)) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

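// Add this meta tag to the views; the JavaScript below reads the token from it.
// The token produced above is hex, so it holds no HTML metacharacters today;
// escaping it for the attribute context anyway keeps the markup safe if the
// token format ever changes.
<meta name="csrf-token" content="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>">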
  
// Setup jQuery ajax calls to include this token :
  
// Attach the CSRF token to every jQuery AJAX request. The value comes from the
// <meta name="csrf-token"> tag rendered by the server; the header name has to
// match the key the server-side check looks up ("CsrfToken").
$.ajaxSetup({
    headers: { CsrfToken: $('meta[name="csrf-token"]').attr('content') },
});

// Server-side check your AJAX requests :

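session_start();
if (empty($_SESSION['csrf_token'])) {
    // No token issued yet for this session: create one so the comparison below
    // always runs against a real value. The request is still rejected, since
    // the client cannot know a token that was generated just now.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

header('Content-Type: application/json');

// Read the header through $_SERVER instead of apache_request_headers():
//  - apache_request_headers() only exists under some SAPIs (Apache module,
//    FPM), so the original snippet fatals elsewhere;
//  - HTTP header names are case-insensitive and a proxy or HTTP/2 hop may
//    deliver "csrftoken" rather than "CsrfToken", which a $headers['CsrfToken']
//    lookup silently misses. PHP normalises every request header to
//    HTTP_<UPPERCASE_NAME>, hence HTTP_CSRFTOKEN.
$suppliedToken = $_SERVER['HTTP_CSRFTOKEN'] ?? null;

if ($suppliedToken === null) {
    exit(json_encode(['error' => 'No CSRF token.']));
}

// hash_equals() compares in constant time, so response timing does not reveal
// how many leading bytes of the submitted token were correct. Both arguments
// must be strings, hence the cast.
if (!hash_equals($_SESSION['csrf_token'], (string) $suppliedToken)) {
    exit(json_encode(['error' => 'Wrong CSRF token.']));
}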