Secure Content Server
A comprehensive server-side protection system.
Installation Requirements
-
PHP 7.4 or higher
-
SQLite extension enabled
-
Web server (Apache/Nginx)
-
Write permissions for database files
Setup Instructions
1. File Structure
secure_content/
??? index.html (Secure content viewer)
??? secure_server.php (Main server-side protection)
??? config.php (Configuration file)
??? .htaccess (Apache security rules)
??? data/
??? secure_sessions.db (SQLite database)
??? secret.key (Unique secret)
??? logs/ (Logs directory)
2. Configuration File (config.php)
<?php
// Security Configuration
define('SECRET_KEY_FILE', 'data/secret.key');
define('DATABASE_FILE', 'data/secure_sessions.db');
define('MAX_SESSION_TIME', 300); // 5 minutes default
define('RATE_LIMIT_SECONDS', 60); // 1 minute between token requests
define('MAX_SUSPICIOUS_ACTIVITIES', 3); // Auto-expire after 3 suspicious activities
define('CLEANUP_INTERVAL', 3600); // Cleanup every hour
define('LOG_RETENTION_HOURS', 24); // Keep logs for 24 hours
// CORS Settings (restrict in production)
define('ALLOWED_ORIGINS', '*'); // Change to your domain: 'https://yourdomain.com'
define('ALLOWED_METHODS', 'POST, GET, OPTIONS');
// IP Validation Settings
define('ENFORCE_IP_VALIDATION', false); // Set to true for strict IP checking
define('MOBILE_IP_TOLERANCE', true); // Allow IP changes for mobile devices
// Debug Settings
define('DEBUG_MODE', false); // Set to false in production
define('LOG_ALL_REQUESTS', true); // Log all API requests
// Database Settings
define('DB_ENCRYPTION', false); // Enable for sensitive data encryption
?>
3. Apache Security (.htaccess)
# Deny access to sensitive files
<Files "config.php">
Order Allow,Deny
Deny from all
</Files>
<Files "secret.key">
Order Allow,Deny
Deny from all
</Files>
<Files "*.db">
Order Allow,Deny
Deny from all
</Files>
# Security headers
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "no-referrer"
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
# Disable server signature
ServerTokens Prod
4. Nginx Configuration (if using Nginx)
location ~ \.(db|key)$ {
deny all;
return 404;
}
location ~ config\.php$ {
deny all;
return 404;
}
location ~ /data/ {
deny all;
return 404;
}
# Security headers
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
API Endpoints
Generate Token
POST /secure_server.php
Content-Type: application/x-www-form-urlencoded
action=generate_token&time_limit=300&user_id=optional_user_id
Validate Token
POST /secure_server.php
Content-Type: application/x-www-form-urlencoded
action=validate_token&token=SESSION_TOKEN_HERE
Report Suspicious Activity
POST /secure_server.php
Content-Type: application/x-www-form-urlencoded
action=report_suspicious&token=SESSION_TOKEN&activity=screenshot_attempt&details=Print Screen key detected
Expire Session
POST /secure_server.php
Content-Type: application/x-www-form-urlencoded
action=expire_session&token=SESSION_TOKEN
Get Session Statistics
GET /secure_server.php?action=stats&token=SESSION_TOKEN
Cleanup Expired Sessions
POST /secure_server.php
Content-Type: application/x-www-form-urlencoded
action=cleanup
Security Features
Server-Side Protection
-
Token-based Authentication: Secure HMAC-signed tokens with expiration
-
Session Tracking: SQLite database tracks all sessions and activities
-
IP Address Monitoring: Optional IP validation (can be disabled for mobile)
-
Rate Limiting: Prevents token generation abuse
-
Suspicious Activity Logging: Tracks and responds to security threats
-
Auto-cleanup: Removes expired sessions and old logs
Database Schema
-- Sessions table
CREATE TABLE secure_sessions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
session_token VARCHAR(255) UNIQUE,
user_id VARCHAR(255),
ip_address VARCHAR(45),
user_agent TEXT,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
expires_at DATETIME,
access_count INTEGER DEFAULT 0,
last_access DATETIME DEFAULT CURRENT_TIMESTAMP,
is_expired BOOLEAN DEFAULT 0,
suspicious_activity TEXT
);
-- Access logs table
CREATE TABLE access_logs (
id INTEGER PRIMARY KEY AUTOINCREMENT,
session_token VARCHAR(255),
action VARCHAR(100),
details TEXT,
ip_address VARCHAR(45),
timestamp DATETIME DEFAULT CURRENT_TIMESTAMP
);
Deployment Steps
1. Upload Files
# Upload all files to your web server
scp -r secure_content/ user@yourserver:/var/www/html/
2. Set Permissions
# Create data directory
mkdir -p /var/www/html/secure_content/data/logs
# Set proper permissions
chmod 755 /var/www/html/secure_content/
chmod 644 /var/www/html/secure_content/*.php
chmod 644 /var/www/html/secure_content/*.html
chmod 700 /var/www/html/secure_content/data/
chmod 600 /var/www/html/secure_content/data/* 2>/dev/null || true
# Set ownership (adjust user/group as needed)
chown -R www-data:www-data /var/www/html/secure_content/
3. Test Installation
# Test token generation
curl -X POST https://yourdomain.com/secure_content/secure_server.php \
-d "action=generate_token&time_limit=300"
# Expected response:
# {"success":true,"token":"eyJ1c2VyX2lkIjoiYW5vbnltb3V...","expires_in":300}
4. Configure Cron Job for Cleanup
# Add to crontab (runs every hour)
0 curl -X POST https://yourdomain.com/secure_content/secure_server.php -d "action=cleanup" >/dev/null 2>&1
Production Security Checklist
Server Configuration
-
[ ] Change default secret key
-
[ ] Restrict CORS origins to your domain
-
[ ] Enable HTTPS only
-
[ ] Set proper file permissions (600 for sensitive files)
-
[ ] Configure firewall rules
-
[ ] Enable fail2ban or similar intrusion prevention
PHP Configuration
-
[ ] Disable `display_errors` in production
-
[ ] Set appropriate `memory_limit`
-
[ ] Configure proper `session` settings
-
[ ] Enable `opcache` for performance
Database Security
-
[ ] Regular database backups
-
[ ] Monitor database size and performance
-
[ ] Consider encryption for sensitive data
-
[ ] Set up log rotation
Monitoring
-
[ ] Set up access log monitoring
-
[ ] Monitor suspicious activity patterns
-
[ ] Track token generation rates
-
[ ] Monitor server resources
Troubleshooting
Common Issues
"Database initialization failed"
- Check PHP SQLite extension: php -m | grep sqlite
- Verify write permissions on data directory
- Check PHP error logs
"Token generation failed"
- Verify secret key file permissions
- Check database write permissions
- Review PHP error logs
"Rate limit exceeded"
- Wait 60 seconds between requests
- Check if rate limit files are being created
- Adjust RATE_LIMIT_SECONDS in config
Client-server communication fails
- Verify CORS settings
- Check network connectivity
- Review browser console for errors
- Confirm server endpoint URL
Debug Mode
Enable debug mode in config.php for detailed logging:
define('DEBUG_MODE', true);
define('LOG_ALL_REQUESTS', true);
Log Locations
-
PHP error log: `/var/log/php/error.log` (varies by system)
-
Apache error log: `/var/log/apache2/error.log`
-
Application logs: `data/logs/` directory
Advanced Configuration
Custom Time Limits
// Client-side: 10 minutes
const secureViewer = new SecureContentViewer(10 60 1000, 'secure_server.php');
// Server-side: Custom limits per user
$timeLimit = ($userId === 'premium_user') ? 1800 : 300; // 30 min vs 5 min
IP Whitelist/Blacklist
// In secure_server.php, add IP filtering
$allowedIPs = ['192.168.1.100', '10.0.0.50'];
$clientIP = $_SERVER['REMOTE_ADDR'];
if (!in_array($clientIP, $allowedIPs)) {
http_response_code(403);
echo json_encode(['error' => 'Access denied']);
exit;
}
Custom Suspicious Activity Rules
// Client-side: Custom detection
secureViewer.reportSuspiciousActivity('custom_event', 'User performed restricted action');
Integration with Existing Authentication
// Validate existing user session before generating token
session_start();
if (!isset($_SESSION['authenticated_user'])) {
http_response_code(401);
echo json_encode(['error' => 'Authentication required']);
exit;
}
$userId = $_SESSION['user_id'];
$token = $manager->generateSessionToken($userId, $timeLimit);
Performance Optimization
Database Optimization
-
Add indexes for frequently queried columns
-
Implement connection pooling for high traffic
-
Consider moving to MySQL/PostgreSQL for large deployments
Caching
-
Implement Redis/Memcached for session data
-
Cache validation results for short periods
-
Use CDN for static assets
Load Balancing
-
Share secret key across multiple servers
-
Use centralized database for sessions
-
Implement sticky sessions if needed
Compliance and Legal
GDPR Considerations
-
Log only necessary data
-
Implement data retention policies
-
Provide data deletion capabilities
-
Document data processing activities
CCPA Compliance
-
Allow users to request data deletion
-
Provide transparency about data collection
-
Implement opt-out mechanisms
Support and Maintenance
Regular Tasks
-
Monitor log file sizes
-
Review suspicious activity reports
-
Update secret keys periodically
-
Test backup and recovery procedures
-
Update PHP and server software
Security Updates
-
Keep PHP version updated
-
Monitor security advisories
-
Review and update security headers
-
Audit access logs regularly
Download
Files
Install with Composer
LICENSE
index.html
If you know an application of this package, send a message to the author to add a link here.
