
File: examples/case-studies/security/headers/security_header_authentication_management/security_header_authentication_management.php

File: examples/case-studies/security/headers/security_header_authentication_management/security_header_authentication_management.php
Role: Example script
Content type: text/plain
Description: Advanced Security Header Management with Authentication
Class: Ascoos OS
A PHP Web 5.0 Kernel for decentralized web and IoT
Author: By
Last change:
Date: 12 days ago
Size: 11,099 bytes
 

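<?php
/**
 * @ASCOOS-NAME      : Ascoos OS
 * @ASCOOS-VERSION   : 26.0.0
 * @ASCOOS-SUPPORT   : [email protected]
 * @ASCOOS-BUGS      : https://issues.ascoos.com
 *
 * @CASE-STUDY       : security_header_authentication_management.php
 * @fileNo           : ASCOOS-OS-CASESTUDY-SEC00102
 *
 * @desc <English> Case Study: Advanced Security Header Management with CSP, CORS, SSL, and Authentication
 *
 * Flow of this script:
 *   1. harden the PHP error settings for production;
 *   2. build CSP / CORS / security / custom header handlers and wire them into
 *      one THTTPHeaderHandler;
 *   3. authenticate (placeholder credentials) and stop with 401 on failure;
 *   4. check the TLS certificate of test.loc and tighten CSP if it has expired;
 *   5. persist CSP and CORS rules to .htaccess, send the HTTP headers;
 *   6. write a JSON report and release every handler.
 *
 * Security review notes applied in this revision:
 *   - the password is never written to the log; only the username is;
 *   - a failed login answers 401 (with the hardening headers) instead of an
 *     empty 200;
 *   - X-Frame-Options and CSP frame-ancestors now agree (both same-origin);
 *   - errors are logged (not displayed) in production instead of being
 *     silenced outright with error_reporting(0).
 *
 * @since PHP 8.2.0
 */
declare(strict_types=1);

use ASCOOS\OS\Kernel\{
    HTTPHeaders\THTTPHeaderHandler,
    CSP\TCSPHandler,
    Headers\CORS\TCORSHeaderHandler,
    Headers\Security\TSecurityHeaderHandler,
    Headers\Custom\TCustomHeaderHandler,
    Apache\TApacheHandler,
    Apache\THTAccessHandler,
    Logger\TLoggerHandler,
    Files\TFilesHandler,
    Arrays\Events\TEventHandler,
    Auth\TAuthenticationHandler
};

global $AOS_LOGS_PATH, $AOS_TMP_DATA_PATH;

// Production hardening: never render PHP errors to the client, but keep them
// in the error log. error_reporting(0) would also silence the log, which hides
// faults an operator needs to see (the previous revision did exactly that).
if (RELEASE_MODE > RELEASE_MODE_DEBUG) {
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
}

// ---------------------------------------------------------------------------
// Header policies
// ---------------------------------------------------------------------------

// Content-Security-Policy.
// NOTE(review): 'unsafe-inline' in script-src lets any injected <script> run
// and largely defeats the XSS protection CSP provides; the project should move
// to nonces or hashes. It is left unchanged in this example on purpose.
// frame-ancestors 'self' is the authoritative framing rule for CSP-aware
// browsers (they ignore X-Frame-Options when frame-ancestors is present), so
// X-Frame-Options below is set to SAMEORIGIN to say the same thing to legacy
// browsers.
// report-uri is deprecated in favour of report-to / Reporting-Endpoints but is
// still the most widely supported reporting mechanism.
$cspRules = [
    'base-uri'        => "'self'",
    'default-src'     => "'self'",
    'script-src'      => "'self' 'unsafe-inline' https://test.loc",
    'style-src'       => "'self' 'unsafe-inline' https://test.loc",
    'img-src'         => "'self' data: https://test.loc",
    'connect-src'     => "'self' https://api.test.loc",
    'font-src'        => "'self' https://fonts.test.loc",
    'object-src'      => "'none'",
    'frame-ancestors' => "'self'",
    'form-action'     => "'self'",
    'report-uri'      => 'https://report.test.loc/csp-report',
];

// CORS: a single fixed origin, so no Vary: Origin is required. Widening this
// to '*' would also make the Authorization header allowance meaningless.
$corsRules = [
    'Access-Control-Allow-Origin'  => 'https://trusted.domain.com',
    'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers' => 'Content-Type, Authorization',
];

// Generic hardening headers. HSTS is only honoured when the response itself
// arrives over HTTPS; it is ignored on plain HTTP and is no substitute for a
// server-side redirect.
$securityRules = [
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options'    => 'nosniff',
    'X-Frame-Options'           => 'SAMEORIGIN', // aligned with frame-ancestors 'self'
];

// Informational header only; it is a fingerprint of the platform, keep that
// in mind before shipping it on public endpoints.
$customRules = [
    'X-Custom-Header' => 'AscoosOS-Web5',
];

// Logging, report storage and event whitelist used by the handlers below.
// NOTE(review): $AOS_TMP_DATA_PATH must live outside the document root; the
// report written there lists the full header policy and the TLS status.
$properties = [
    'logs' => [
        'useLogger' => true,
        'dir'       => $AOS_LOGS_PATH . '/',
        'file'      => 'security_headers.log',
    ],
    'file' => [
        'dataDir'   => $AOS_TMP_DATA_PATH . '/reports/',
        'quotaSize' => 2000000, // 2MB
    ],
    'events' => [
        'allowedTargets'    => ['auth', 'security'],
        'allowedEventTypes' => ['auth.success', 'auth.failed', 'security.header_applied'],
    ],
];

// ---------------------------------------------------------------------------
// Handlers
// ---------------------------------------------------------------------------

$cspHandler      = new TCSPHandler($cspRules, ['sendMethod' => TCSPHandler::CSP_SEND_METHOD_HEADER]);
$corsHandler     = new TCORSHeaderHandler($corsRules, ['sendMethod' => TCORSHeaderHandler::CORS_SEND_METHOD_HEADER]);
$securityHandler = new TSecurityHeaderHandler($securityRules, ['sendMethod' => TSecurityHeaderHandler::SECURITY_SEND_METHOD_HEADER]);
$customHandler   = new TCustomHeaderHandler($customRules, ['sendMethod' => TCustomHeaderHandler::CUSTOM_SEND_METHOD_HEADER]);

$httpHeaderHandler = new THTTPHeaderHandler();
$apacheHandler     = TApacheHandler::getInstance([], $properties);

// NOTE(review): mode 'a+' appends. Unless THTAccessHandler de-duplicates,
// every run of this script presumably adds another copy of the CSP/CORS
// directives to .htaccess — confirm. A .htaccess writable by the web process
// is also a classic privilege-escalation target; keep this step to an
// administrative / CLI context.
$htaccessHandler = new THTAccessHandler(['filePath' => '.htaccess', 'mode' => 'a+']);

$logger       = new TLoggerHandler($properties['logs']);
$filesHandler = new TFilesHandler([], $properties['file']);
$eventHandler = new TEventHandler([], $properties);
$authHandler  = new TAuthenticationHandler();

// ---------------------------------------------------------------------------
// Event listeners
// ---------------------------------------------------------------------------

// Successful login: log the principal only. The credentials array also carries
// the password, so it must never be json_encode()d into the log.
$eventHandler->register('auth', 'auth.success', function (array $credentials) use ($logger): void {
    $user = (string) ($credentials['username'] ?? '(unknown)');
    $logger->log('Authentication succeeded for user: ' . $user, $logger::DEBUG_LEVEL_INFO);
});

// Failed login: the listener still receives $credentials (trigger signature is
// unchanged) but only the error details are logged.
$eventHandler->register('auth', 'auth.failed', function (array $credentials, mixed $errors) use ($logger): void {
    $logger->log('Authentication failed: ' . json_encode($errors), $logger::DEBUG_LEVEL_ERROR);
});

// Header application: record what was actually sent, for monitoring.
$eventHandler->register('security', 'security.header_applied', function (mixed $headers) use ($logger): void {
    $logger->log('Security headers applied: ' . json_encode($headers), $logger::DEBUG_LEVEL_INFO);
});

$authHandler->setEventHandler($eventHandler);

// Centralised header management: all four policies go through one sender.
$httpHeaderHandler->addHandler('CSP', $cspHandler);
$httpHeaderHandler->addHandler('CORS', $corsHandler);
$httpHeaderHandler->addHandler('Security', $securityHandler);
$httpHeaderHandler->addHandler('Custom', $customHandler);

// ---------------------------------------------------------------------------
// Authentication
// ---------------------------------------------------------------------------

// Placeholder credentials for the case study. A real deployment reads them
// from the request (never from source control); nothing below logs the
// password or writes it into the report.
$credentials = ['username' => 'admin', 'password' => 'pass'];

if (!$authHandler->authenticate($credentials)) {
    $logger->log('Authentication failed for user: ' . $credentials['username'], $logger::DEBUG_LEVEL_ERROR);
    $eventHandler->trigger('auth', 'auth.failed', $credentials, $authHandler->getErrors());

    // Reject explicitly: the previous revision exited with an empty 200.
    // The hardening headers are sent on this path too, so the 401 response is
    // not less protected than a successful one. http_response_code() only
    // takes effect if nothing has been flushed to the client yet.
    $httpHeaderHandler->sendHeaders();
    http_response_code(401);
    exit;
}

$eventHandler->trigger('auth', 'auth.success', $credentials);

// ---------------------------------------------------------------------------
// TLS certificate check
// ---------------------------------------------------------------------------

$sslStatus = $apacheHandler->checkSSLCertificate('test.loc');

// Guarded with !empty(): the shape of $sslStatus is defined by TApacheHandler
// and may not contain 'is_expired' on a lookup failure.
if (!empty($sslStatus['is_expired'])) {
    // An expired certificate is an incident in its own right, hence ERROR.
    // The case study reacts by adding upgrade-insecure-requests so that
    // sub-resources are fetched over HTTPS. NOTE(review): that directive is
    // worth sending unconditionally; with an expired certificate the upgraded
    // requests will themselves fail until the certificate is renewed.
    $logger->log('SSL certificate expired for test.loc', $logger::DEBUG_LEVEL_ERROR);
    $cspRules['upgrade-insecure-requests'] = '';
    $cspHandler->setRules($cspRules);
}

// ---------------------------------------------------------------------------
// Server-level configuration (.htaccess) and HTTP headers
// ---------------------------------------------------------------------------

$htaccessHandler->setCSPRules($cspRules);
$htaccessHandler->addCSP();
$htaccessHandler->configureCORS('https://trusted.domain.com');

$httpHeaderHandler->sendHeaders();
$eventHandler->trigger('security', 'security.header_applied', $httpHeaderHandler->getAllHeaders());

$logger->log(
    'Headers sent: ' . json_encode($httpHeaderHandler->getAllHeaders(), JSON_PRETTY_PRINT),
    $logger::DEBUG_LEVEL_INFO
);

// ---------------------------------------------------------------------------
// Report
// ---------------------------------------------------------------------------

// The report records the policy that was in force, the certificate status and
// the authenticated principal. It deliberately contains no credentials.
$report = [
    'ssl_status'     => $sslStatus,
    'csp_rules'      => $cspRules,
    'cors_rules'     => $corsRules,
    'security_rules' => $securityRules,
    'custom_rules'   => $customRules,
    'auth_status'    => [
        'user'    => $credentials['username'],
        'success' => true,
        'errors'  => [],
    ],
];

$reportFolder = $properties['file']['dataDir'];
$filesHandler->createFolder($reportFolder);

// dataDir already ends with '/', so strip it before appending the file name
// to avoid a doubled separator in the path.
$reportFile = rtrim($reportFolder, '/') . '/security_report_' . date('Ymd_His') . '.json';

// JSON_THROW_ON_ERROR: an encoding failure must not silently produce a bogus
// (or empty) report file.
$filesHandler->writeToFileWithCheck(
    json_encode($report, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR),
    $reportFile
);
$logger->log("Security report saved to $reportFile", $logger::DEBUG_LEVEL_INFO);

// ---------------------------------------------------------------------------
// Release resources
// ---------------------------------------------------------------------------

$htaccessHandler->close();
$cspHandler->Free($cspHandler);
$corsHandler->Free($corsHandler);
$securityHandler->Free($securityHandler);
$customHandler->Free($customHandler);
$httpHeaderHandler->Free($httpHeaderHandler);
$apacheHandler->Free($apacheHandler);
$logger->Free($logger);
$filesHandler->Free($filesHandler);
$eventHandler->Free($eventHandler);
$authHandler->Free($authHandler);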