Application Scope
Development progress & changelog
Platform Apps
11 applications — economies, history, maps, AI, crypto, sports, music, movies, religion, food & more
Admin settings to enable/disable 2FA site-wide and require 2FA for admin accounts. Includes live adoption stats showing users and admins with 2FA enabled.
robots.txt dynamically generated to block scrapers from resource and download folders. Admin toggle to enable/disable scraper protection.
Admin GET Action Protection
All destructive GET-based admin actions (delete/toggle for announcements, ads, resources, paths, lessons, classrooms, API keys) now require a CSRF token and cast IDs to integer to prevent injection.
Learning API Input Hardening
All 7 input handlers in api/learn.php now use InputSanitizer: enrollment, lesson completion, bookmarks, and path import. Slug validation, score range enforcement, and lesson content sanitization added.
Classroom API Input Hardening
All 12 input handlers in api/classroom.php now use InputSanitizer: class creation, assignments, discussions, grading, rubrics, bulk import, and moderation. Array type checks added for nested inputs.
Input Sanitization Library
New InputSanitizer class with 10 methods: text, richText, positiveInt, float, enum, email, url, slug, csvList, and json. Strips dangerous HTML (scripts, iframes, event handlers, JS URIs) while preserving safe formatting tags.
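The rich-text case is the one that deserves a closer look, because regex-based stripping of `<script>` tags is easy to bypass. The following is an added illustration of the allowlist approach described above (a DOM parse, drop dangerous containers, unwrap unknown tags, keep only allowlisted attributes, reject JavaScript and data URIs), written for this page and not the platform's own `InputSanitizer` class; the class name `RichTextSanitizer`, the allowlists, and the sample input are assumptions.

```php
<?php
// Added example, not the project's InputSanitizer: allowlist-based rich-text
// sanitization built on DOMDocument rather than regular expressions.
declare(strict_types=1);

final class RichTextSanitizer
{
    // Assumed allowlists; the project's own set of safe formatting tags may differ.
    private const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol',
                                   'li', 'a', 'h2', 'h3', 'blockquote', 'code', 'pre'];
    private const ALLOWED_ATTRS = ['a' => ['href', 'title']];
    // Containers whose content must go too, not just the tag itself.
    private const DROP_WITH_CONTENT = ['script', 'iframe', 'style', 'object', 'embed'];

    public static function richText(string $html): string
    {
        if (trim($html) === '') {
            return '';
        }
        $doc  = new DOMDocument();
        $prev = libxml_use_internal_errors(true);
        // The XML PI forces UTF-8; the explicit <body> gives fragments a stable root.
        $doc->loadHTML('<?xml encoding="utf-8"?><body>' . $html . '</body>',
                       LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
        libxml_clear_errors();
        libxml_use_internal_errors($prev);

        $body = $doc->getElementsByTagName('body')->item(0);
        if ($body === null) {
            return '';
        }
        self::clean($body);

        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child);
        }
        return $out;
    }

    private static function clean(DOMNode $node): void
    {
        // Work on a snapshot: the child list is mutated while we walk it.
        foreach (iterator_to_array($node->childNodes) as $child) {
            if ($child instanceof DOMComment) {
                $node->removeChild($child);          // conditional comments etc.
                continue;
            }
            if (!$child instanceof DOMElement) {
                continue;                            // text nodes are kept as-is
            }
            $tag = strtolower($child->tagName);
            if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
                continue;
            }
            if (!in_array($tag, self::ALLOWED_TAGS, true)) {
                // Unknown tag: unwrap it, keeping its (already cleaned) children.
                self::clean($child);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            self::cleanAttributes($child, $tag);
            self::clean($child);
        }
    }

    private static function cleanAttributes(DOMElement $el, string $tag): void
    {
        $allowed = self::ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->name);
            // Event handlers (on*) and anything not allowlisted for this tag are dropped.
            if (str_starts_with($name, 'on') || !in_array($name, $allowed, true)) {
                $el->removeAttribute($attr->name);
                continue;
            }
            if ($name === 'href' && !self::safeUrl($attr->value)) {
                $el->removeAttribute($attr->name);
            }
        }
    }

    private static function safeUrl(string $url): bool
    {
        // Browsers ignore control characters inside the scheme ("java\tscript:"),
        // so strip them before checking the prefix.
        $norm = strtolower(preg_replace('/[\x00-\x20]+/', '', $url) ?? '');
        foreach (['javascript:', 'data:', 'vbscript:'] as $scheme) {
            if (str_starts_with($norm, $scheme)) {
                return false;
            }
        }
        return true;
    }
}

// Constructed sample input: a handler attribute, a script block and a JS URI.
$sample = '<p onclick="x()">Hi <script>alert(1)</script>'
        . '<a href="java&#9;script:alert(1)">link</a> <span>ok</span></p>';
echo RichTextSanitizer::richText($sample), PHP_EOL;
// Result: the on* attribute, the script element and the href are gone, the
// unknown <span> is unwrapped, and the remaining formatting survives.
```

Parsing with a real HTML parser matters here: the browser will parse the stored fragment the same way, so a tag the regex never saw (`<scr<script>ipt>`, unclosed attributes, entity-encoded schemes) is handled by the DOM rather than by pattern matching.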
CSRF Protection on Admin Panel
All admin POST forms (settings, announcements, ads, resources, learning paths, lessons) now include CSRF tokens. All destructive GET actions (delete, toggle) require a valid token parameter. Uses Auth::generateCsrfToken/verifyCsrfToken with 2-hour expiry.
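Putting the two admin changes above together (a session-bound token with a 2-hour expiry, and a destructive GET action that verifies it before casting the id), here is an added example written for this page; it is not the platform's `Auth` class, and the class name `CsrfGuard`, the `announcements` table and the query-parameter names are assumptions.

```php
<?php
// Added illustration, not the project's Auth::generateCsrfToken/verifyCsrfToken:
// a session-backed CSRF token with a 2-hour lifetime guarding a destructive
// GET admin action, with the id cast to int before it reaches the query.
declare(strict_types=1);

final class CsrfGuard
{
    private const TTL = 7200; // 2 hours, matching the stated expiry

    private static function ensureSession(): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
    }

    public static function generateToken(): string
    {
        self::ensureSession();
        // Reuse an unexpired token so every admin link on one page shares it.
        if (isset($_SESSION['csrf_token'], $_SESSION['csrf_issued'])
            && time() - $_SESSION['csrf_issued'] < self::TTL) {
            return $_SESSION['csrf_token'];
        }
        $_SESSION['csrf_token']  = bin2hex(random_bytes(32));
        $_SESSION['csrf_issued'] = time();
        return $_SESSION['csrf_token'];
    }

    public static function verifyToken(?string $token): bool
    {
        self::ensureSession();
        if ($token === null || !isset($_SESSION['csrf_token'], $_SESSION['csrf_issued'])) {
            return false;
        }
        if (time() - $_SESSION['csrf_issued'] >= self::TTL) {
            unset($_SESSION['csrf_token'], $_SESSION['csrf_issued']);
            return false;
        }
        // Constant-time comparison so the token cannot be leaked via timing.
        return hash_equals($_SESSION['csrf_token'], $token);
    }
}

// Building the link: the token travels as a query parameter on the GET action.
function deleteAnnouncementLink(int $announcementId): string
{
    $qs = http_build_query([
        'action' => 'delete_announcement',
        'id'     => $announcementId,
        'token'  => CsrfGuard::generateToken(),
    ]);
    return '/admin.php?' . htmlspecialchars($qs, ENT_QUOTES, 'UTF-8');
}

// Handling the action: verify the token first, then cast the id. A non-numeric
// or negative id becomes 0 and is rejected before any SQL runs.
function handleDeleteAnnouncement(PDO $db): void
{
    if (!CsrfGuard::verifyToken($_GET['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired CSRF token');
    }
    $id = (int) ($_GET['id'] ?? 0);
    if ($id <= 0) {
        http_response_code(400);
        exit('Invalid id');
    }
    $stmt = $db->prepare('DELETE FROM announcements WHERE id = :id');
    $stmt->execute([':id' => $id]);
}
```

The token closes the cross-site request hole, and the prepared statement with an integer-cast id closes the injection one. A token in the query string still ends up in server logs, browser history and `Referer` headers, so moving these actions to POST forms carrying the same token is the natural next step.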
Admin Auth Hardening
Replaced hardcoded admin credentials with the Auth system. Admin panel now requires login via the users table with role-based access control — only admin and superadmin roles are permitted. Includes full Auth features: rate limiting, account lockout, and session management.
RateLimiter and ApiMiddleware classes enforce per-key hourly rate limits with X-RateLimit headers and 429 responses.
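As an added example of the per-key hourly limit with `X-RateLimit` headers and a 429 response, not the platform's own `RateLimiter`/`ApiMiddleware` code: the fixed-window counter below is kept in an in-process array for illustration (a real deployment needs a shared store such as APCu or Redis), the limit of 1000 requests per hour, the header names beyond the `X-RateLimit` prefix, and the `X-Api-Key` request header are assumptions.

```php
<?php
// Added illustration, not the project's RateLimiter/ApiMiddleware classes:
// per-API-key fixed-window limiting with X-RateLimit headers and HTTP 429.
declare(strict_types=1);

final class FixedWindowRateLimiter
{
    /** @var array<string, array{count:int, window:int}> in-memory buckets (demo only) */
    private array $buckets = [];

    public function __construct(
        private int $limit = 1000,          // assumed: requests per window
        private int $windowSeconds = 3600   // hourly, as the changelog states
    ) {}

    /**
     * Record one request for $bucketKey and report the decision.
     * $now is injectable so the window rollover can be exercised in tests.
     */
    public function hit(string $bucketKey, ?int $now = null): array
    {
        $now ??= time();
        $windowStart = intdiv($now, $this->windowSeconds) * $this->windowSeconds;

        $b = $this->buckets[$bucketKey] ?? ['count' => 0, 'window' => $windowStart];
        if ($b['window'] !== $windowStart) {
            $b = ['count' => 0, 'window' => $windowStart]; // new hour, fresh counter
        }
        $allowed = $b['count'] < $this->limit;
        if ($allowed) {
            $b['count']++;
        }
        $this->buckets[$bucketKey] = $b;

        return [
            'allowed'   => $allowed,
            'limit'     => $this->limit,
            'remaining' => max(0, $this->limit - $b['count']),
            'reset'     => $windowStart + $this->windowSeconds, // epoch seconds
        ];
    }
}

final class ApiRateLimitMiddleware
{
    public function __construct(private FixedWindowRateLimiter $limiter) {}

    /** Returns true if the request may proceed; emits headers either way. */
    public function handle(array $server): bool
    {
        $apiKey = $server['HTTP_X_API_KEY'] ?? '';
        if ($apiKey === '') {
            http_response_code(401);
            return false;
        }
        // Bucket on a hash so the store never holds raw API keys.
        $r = $this->limiter->hit(hash('sha256', $apiKey));

        header('X-RateLimit-Limit: '     . $r['limit']);
        header('X-RateLimit-Remaining: ' . $r['remaining']);
        header('X-RateLimit-Reset: '     . $r['reset']);

        if (!$r['allowed']) {
            http_response_code(429);
            header('Retry-After: ' . max(1, $r['reset'] - time()));
            return false;
        }
        return true;
    }
}

// Constructed walk-through with a tiny limit so the rollover is visible.
$limiter = new FixedWindowRateLimiter(limit: 2, windowSeconds: 3600);
$t0 = 1_700_000_000;
$first  = $limiter->hit('k', $t0);          // allowed, remaining 1
$second = $limiter->hit('k', $t0 + 10);     // allowed, remaining 0
$third  = $limiter->hit('k', $t0 + 20);     // denied, remaining 0
$next   = $limiter->hit('k', $t0 + 3600);   // new window: allowed again
```

A fixed window lets a client spend two full quotas in the seconds around the hour boundary; a sliding window or token bucket smooths that out if the hourly limit is meant as a hard ceiling on throughput rather than on bookkeeping.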
API key requests now require authenticated users. Form pre-fills name and email from user profile. Non-logged-in users see a login prompt.