🔒 Security Guide

PulseHub is built with security as a foundational concern.

Authentication

Passwords: bcrypt at cost factor 12 — never stored in plaintext
Sessions: HttpOnly, SameSite=Strict, use_strict_mode, regenerated on login
Constant-time comparison via password_verify() and hash_equals()

SQL Injection Prevention

Every query uses PDO prepared statements with EMULATE_PREPARES = false. User input can never be interpreted as SQL syntax.

XSS Prevention

All dynamic output escaped with e() → htmlspecialchars(ENT_QUOTES | ENT_HTML5, 'UTF-8').

CSRF Protection

SameSite=Strict cookies prevent cross-site requests. Login and installer forms include a _token hidden field.

Webhook Signature Verification

WhatsApp, Facebook, Instagram: HMAC-SHA256 with App Secret
Viber: HMAC-SHA256 with Auth Token
All use hash_equals() (constant-time)

Directory Access Controls

Sensitive directories (config/, app/, data/) are blocked from web access via .htaccess and nginx config.

Recommended Security Headers

<IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

Keeping PulseHub Secure

Keep PHP and MySQL updated
Use HTTPS everywhere
Rotate API keys periodically
Monitor cron logs
Regular backups of database and config/ directory

Authentication​

SQL Injection Prevention​

XSS Prevention​

CSRF Protection​

Webhook Signature Verification​

Directory Access Controls​

Recommended Security Headers​

Keeping PulseHub Secure​