☠️

SKY HOST

SECURITY AUDIT REPORT

📅  |  🕐  |  🔴 CLASSIFIED

📌 Project Name: Alflammem (الفلهم)
🌐 Domain: app.alflammem.com
⚙️ Framework: Laravel 11 + Livewire 3.6
🗄️ Database: MySQL 8.0 - alflammem_db
🖥️ Server: LiteSpeed - cPanel
💾 Hosting Type: SHARED HOSTING (Not VPS - No Root Access)
🔑 SSH Access: Jailed Shell (Limited)
📦 Project Size: 189 MB
SCAN SUMMARY
🔴 HIGH: 2
🟠 MEDIUM: 3
🟡 LOW: 3
📊 TOTAL: 8
VULNERABILITIES FOUND
#1 🔴 Rate Limiting Disabled on API
HIGH

No throttling was found on the login, OTP verification, OTP resend, or password reset endpoints.

$ grep -r "throttle" routes/ app/Http/Kernel.php 2>/dev/null
(No results - EMPTY)

Note on the evidence: Laravel 11 has no app/Http/Kernel.php (which is why the grep needs 2>/dev/null); middleware groups live in bootstrap/app.php and named limiters are declared with RateLimiter::for() in app/Providers/AppServiceProvider.php. A grep over routes/ and the Kernel therefore cannot by itself prove that nothing is throttled. Confirm per route with php artisan route:list -v, which lists the middleware attached to each route, and dynamically by repeating a request to api/verify-otp and watching for a 429 response or X-RateLimit-* headers (neither should ever appear if the finding holds).
⚠️ Impact: Attackers can brute-force OTP codes and login credentials without limit. Numeric OTPs are the worst case: a 6-digit code has only one million possible values, so without throttling and without an attempt counter on the code itself it can be exhausted by a script; a 4-digit code falls in seconds.
💡 Fix: Add ->middleware('throttle:5,1') to all auth-sensitive routes. Note that throttle:5,1 keys unauthenticated requests by client IP only, which an attacker can spread across many addresses; key the OTP and password-reset limiters by the target identifier (e-mail or phone) as well, cap attempts per issued OTP, and invalidate the code after a few failures.

api/login api/verify-otp api/resend-otp api/forgot/password
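Named limiters keyed by both client IP and account identifier, as an added example for this finding. This is illustrative code, not the project's AppServiceProvider; the limiter names (auth-login, auth-otp, auth-reset) and the email/phone request field names are assumptions about this app.

```php
<?php
// app/Providers/AppServiceProvider.php (added example, not the project's code).
// Defines named limiters for the auth endpoints listed in finding #1.
// Assumptions: limiter names and the 'email' / 'phone' request fields.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Normalise the account identifier so "User@Example.com" and
        // "user@example.com" share one bucket; fall back to the IP if absent.
        $identifier = fn (Request $r): string => strtolower(trim(
            (string) ($r->input('email') ?: $r->input('phone') ?: $r->ip())
        ));

        // Login: 5/min per IP and 10 per 10 min per account, whichever trips
        // first. Returning an array applies every limit in it.
        RateLimiter::for('auth-login', fn (Request $r) => [
            Limit::perMinute(5)->by('login-ip:'.$r->ip()),
            Limit::perMinutes(10, 10)->by('login-id:'.$identifier($r)),
        ]);

        // OTP verification: a 6-digit code has 10^6 values; 5 guesses per
        // account per 10 minutes makes online exhaustion impractical. The
        // per-account limit returns a JSON 429 instead of the default page.
        RateLimiter::for('auth-otp', fn (Request $r) => [
            Limit::perMinute(10)->by('otp-ip:'.$r->ip()),
            Limit::perMinutes(10, 5)->by('otp-id:'.$identifier($r))
                ->response(fn (Request $req, array $headers) => response()->json(
                    ['message' => 'Too many attempts. Request a new code.'],
                    429,
                    $headers
                )),
        ]);

        // OTP resend / password reset: limits SMS and e-mail cost and slows
        // account enumeration through the "code sent" response.
        RateLimiter::for('auth-reset', fn (Request $r) => [
            Limit::perMinute(3)->by('reset-ip:'.$r->ip()),
            Limit::perHour(5)->by('reset-id:'.$identifier($r)),
        ]);
    }
}
```

Attach them in routes/api.php with ->middleware('throttle:auth-otp') and so on; the per-account key means the limit follows the victim's e-mail or phone across attacker IPs, while the per-IP key still stops a single host from cycling through many accounts. Cache must be shared across PHP workers for the counters to hold (file or database cache is fine on this shared host; array cache is not).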

#2 🔴 Public API Endpoints Without Authentication
HIGH

Several API endpoints are publicly accessible without any token.

Route::get('/delete/account', [SettingsController::class, 'deleteAccount']);
Route::post('/contact', [SettingsController::class, 'contact']);
Route::get('/settings', [SettingsController::class, 'index']);
Route::get('/countries', [CountryController::class, 'index']);
Route::get('/banners', [SettingsController::class, 'banners']);
// ... and more
⚠️ Impact: The account-deletion route is registered as an unauthenticated GET. The controller now performs its own token check, but that protection lives inside one method rather than in the route definition: it does not show up in php artisan route:list -v, it is easy to drop in a refactor, and a GET that destroys data is also reachable through link prefetchers, link previews and stray clicks. The contact form can be spammed (mail/SMS cost, database growth). /countries and /banners are public reference data, which is fine; confirm that /settings returns nothing sensitive (keys, internal URLs, flags not meant for clients).
💡 Fix: Put every endpoint that reads or changes user data behind the auth:sanctum middleware at the route layer, and change account deletion to DELETE (or POST) with a password or OTP re-check inside the controller. Leave genuinely public endpoints unauthenticated but rate limited. Apply rate limiting on the contact form.

api/delete/account api/contact api/settings
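One way to arrange these routes by who may call them, as an added example (not the project's routes/api.php). The controller names come from the finding above; the throttle values are assumptions.

```php
<?php
// routes/api.php (added example, not the project's route file). Groups the
// endpoints quoted in finding #2 by trust level. Controller names are taken
// from the finding; the throttle values are assumptions.

use App\Http\Controllers\CountryController;
use App\Http\Controllers\SettingsController;
use Illuminate\Support\Facades\Route;

// Public, read-only reference data: no token, but still rate limited so a
// scraper cannot burn the shared host's CPU allowance.
Route::middleware('throttle:60,1')->group(function () {
    Route::get('/countries', [CountryController::class, 'index']);
    Route::get('/banners', [SettingsController::class, 'banners']);
    Route::get('/settings', [SettingsController::class, 'index']);
});

// Public but abusable (sends mail, creates records): 3 submissions per
// 10 minutes per client IP.
Route::post('/contact', [SettingsController::class, 'contact'])
    ->middleware('throttle:3,10');

// Anything that reads or changes a user's data requires a Sanctum token at
// the route layer. An in-controller token check is not enough: it is easy to
// forget on the next endpoint and it is invisible in `route:list -v`.
Route::middleware(['auth:sanctum', 'throttle:30,1'])->group(function () {
    // Destructive actions must not be GET: GET requests are issued by link
    // prefetchers, previews and <img> tags and end up in proxy logs. Use
    // DELETE (or POST) and re-verify the password or an OTP in the controller.
    Route::delete('/account', [SettingsController::class, 'deleteAccount']);
});
```

After the change, php artisan route:list -v should show auth:sanctum next to every user-data route; any route where it is missing is a regression, which is the check a reviewer can run that an in-controller token test does not allow.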

#3 🟠 Session Cookie SameSite = Lax
MEDIUM

Session cookies are issued with SameSite=Lax rather than Strict.

'same_site' => env('SESSION_SAME_SITE', 'lax')
⚠️ Impact: Lax attaches the cookie to cross-site top-level GET navigations (a link or redirect from another site) but withholds it on cross-site POST, iframe and fetch/XHR requests, so classic form-POST CSRF against the web routes is already blocked, and Laravel's VerifyCsrfToken middleware covers those routes as well. The residual exposure under Lax is any state-changing GET route that accepts the session cookie; GET /delete/account from finding #2 has exactly that shape.
💡 Fix: Set SESSION_SAME_SITE=strict in .env (and re-run php artisan config:cache if configuration caching is used, otherwise the change is ignored). Before shipping, test the flows that arrive cross-site: a user following a link from e-mail or social media lands without the session cookie under Strict and sees the logged-out state until the next same-site navigation, and if OPay (finding #5) redirects the customer back to the app after checkout, that return request likewise arrives without the session. Whatever value is chosen, remove state-changing GET routes.

config/session.php CSRF

#4 🟠 Session Secure Cookie Undefined
MEDIUM

SESSION_SECURE_COOKIE is not set in .env, so the Secure attribute is never added to the session cookie.

'secure' => env('SESSION_SECURE_COOKIE')
⚠️ Impact: With the variable unset, env() returns null, Laravel treats it as false, and the cookie is issued without the Secure flag. A browser will then also send it over plain http:// to app.alflammem.com. Even where the site redirects HTTP to HTTPS, the very first plain-HTTP request (a typed hostname, an old http:// link, a captive-portal probe) already carries the cookie in clear, which is enough for an on-path attacker to take over the session.
💡 Fix: Add SESSION_SECURE_COOKIE=true to .env (SESSION_HTTP_ONLY already defaults to true) and re-run php artisan config:cache if configuration caching is used. Pair it with a Strict-Transport-Security header so browsers stop making that first plain-HTTP request at all. Verify with curl -I against a route that starts a session and check that the Set-Cookie line carries secure; httponly; samesite=strict.

config/session.php HTTPS
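The cookie-related keys of config/session.php with the current value and the hardened value of each setting side by side, as an added example covering findings #3 and #4. This is an excerpt to merge into the existing file, not the project's configuration; the keys not shown keep their current values.

```php
<?php
// config/session.php: cookie-related keys only (added example for findings
// #3 and #4; merge into the existing file, the remaining keys are unchanged).
// Laravel reads these through env(), so the matching .env lines are:
//   SESSION_SECURE_COOKIE=true
//   SESSION_HTTP_ONLY=true
//   SESSION_SAME_SITE=strict
// Re-run `php artisan config:cache` afterwards if config caching is in use.

return [
    // Weak (current): env() returns null when the variable is missing, so the
    // cookie goes out without the Secure attribute.
    // 'secure' => env('SESSION_SECURE_COOKIE'),

    // Hardened: default to true so a missing .env line fails safe. Set
    // SESSION_SECURE_COOKIE=false only on a local http:// development host.
    'secure' => env('SESSION_SECURE_COOKIE', true),

    // Keeps the cookie out of document.cookie; already the framework default.
    'http_only' => env('SESSION_HTTP_ONLY', true),

    // Weak (current): 'lax' sends the cookie on cross-site top-level GETs,
    // which matters for state-changing GET routes such as GET /delete/account.
    // 'same_site' => env('SESSION_SAME_SITE', 'lax'),

    // Hardened: 'strict'. Arrivals from another site (links in e-mail, the
    // return redirect from the payment gateway) land without the cookie, so
    // those flows need a test pass before this goes live.
    'same_site' => env('SESSION_SAME_SITE', 'strict'),
];
```

The defaults in the second argument of env() are the point of the change: with them in place, a deployment that forgets the .env line still ships the safe cookie attributes instead of silently falling back to the weak ones.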

#5 🟠 OPay API Keys in .env File (Sandbox Mode)
MEDIUM

Payment gateway keys are stored in .env. They are sandbox keys today, but production keys would be exposed in exactly the same way if .env leaks.

OPAY_PUBLIC_KEY=OPAYPUB17502525043920.2484651191660533
OPAY_SECRET_KEY=OPAYPRV17502525043920.8541194737259926
OPAY_MERCHANT_ID=281825061809316
OPAY_ENV=sandbox
⚠️ Impact: Whoever holds OPAY_SECRET_KEY can call the OPay API as this merchant, so a leaked .env would let an attacker query, intercept or refund payments. Currently mitigated: sandbox mode, and .env is blocked via .htaccess. Note that the secret is reproduced above, so this report itself now has to be handled as sensitive material.
💡 Fix: Rotate the keys before production, and never let production keys touch a file that has been committed, pasted into a report or shared in chat. Ensure .env is never committed to Git (.gitignore check passed). Confirm the .htaccess protection by requesting https://app.alflammem.com/.env and expecting a 403 or 404; better still, on this cPanel account keep the Laravel root outside public_html so that .env is not under the document root at all and no .htaccess rule is needed. Restrict the file to the account user (chmod 600 .env).

.env OPay

#6 🟡 PHP Version Exposed (X-Powered-By)
LOW

The server reveals the exact PHP version in the X-Powered-By response header.

$ curl -I https://app.alflammem.com
HTTP/2 302
x-powered-by: PHP/8.2.30
⚠️ Impact: An attacker learns the exact PHP release without fingerprinting and can go straight to exploits and known-bug lists for that version. On its own this is information disclosure, not a vulnerability, hence LOW.
💡 Fix: Add Header unset X-Powered-By to .htaccess (LiteSpeed honours Apache-style Header directives) or set expose_php = Off. expose_php is a PHP_INI_SYSTEM directive, so it cannot be changed from .user.ini or ini_set(); on this shared account set it in cPanel's MultiPHP INI Editor (editor mode). Verify with curl -I afterwards: php -i in the jailed shell reports the CLI's configuration, not the one LiteSpeed's PHP handler uses.

.htaccess php.ini

#7 🟡 CORS Configuration Missing
LOW

No config/cors.php is published. In Laravel 11 that is the normal state: the file is not part of the default skeleton, and the HandleCors middleware (enabled globally) falls back to the framework's bundled defaults in vendor/laravel/framework/config/cors.php, which apply to api/* and sanctum/csrf-cookie with allowed_origins set to '*' and supports_credentials set to false.

$ cat config/cors.php
(File not found)
⚠️ Impact: No CORS errors will occur: a browser-based frontend on any origin can already call the API, and native mobile apps are not subject to CORS at all. The actual point is the reverse, the API answers cross-origin requests from any website. With bearer-token authentication and credentials disabled that is a LOW exposure, but it should be narrowed to the origins that need it.
💡 Fix: Publish the config with php artisan config:publish cors and set allowed_origins to the known frontend origins (mobile apps need no entry). Keep supports_credentials false unless Sanctum's cookie-based SPA authentication is adopted, and in that case never combine it with a wildcard origin.

CORS API
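The bundled defaults beside a restricted version, as an added example (not the project's configuration). The frontend origin is an assumption; list the origins the app actually serves.

```php
<?php
// config/cors.php after `php artisan config:publish cors` (added example, not
// the project's file). The commented values are Laravel 11's bundled defaults,
// which are what applies today because the app has no config/cors.php.
// The origin below is an assumption; list the real web frontend origins.

return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],
    'allowed_methods' => ['*'],

    // Default: ['*'] lets any website call the API from a browser.
    // Restricted: only the known web frontend. Native mobile apps send no
    // Origin header and need no entry here.
    // 'allowed_origins' => ['*'],
    'allowed_origins' => ['https://app.alflammem.com'],
    'allowed_origins_patterns' => [],

    'allowed_headers' => ['*'],
    'exposed_headers' => [],
    'max_age' => 0,

    // Keep false with bearer tokens. If Sanctum SPA (cookie) auth is adopted
    // this becomes true, and browsers then refuse a '*' origin in any case.
    'supports_credentials' => false,
];
```

Check the effect with a preflight: curl -I -X OPTIONS -H "Origin: https://evil.example" -H "Access-Control-Request-Method: GET" https://app.alflammem.com/api/countries should come back without an Access-Control-Allow-Origin header once the list is in place.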

#8 🟡 No Security Headers (CSP, Permissions-Policy)
LOW

The responses carry no Content-Security-Policy and no Permissions-Policy header.

$ curl -I https://app.alflammem.com | grep -i content-security
(No results)
$ curl -I https://app.alflammem.com | grep -i permissions-policy
(No results)
⚠️ Impact: Without a CSP, any XSS that gets past Blade's escaping (an unescaped {!! !!} echo, a compromised third-party script) runs with no second line of defence; without Permissions-Policy, embedded third-party content can request camera, microphone, geolocation and similar features. Neither header fixes a bug on its own, which is why this is LOW; both are defence in depth.
💡 Fix: Add CSP and Permissions-Policy headers in .htaccess or in a Laravel middleware. Caveat for this stack: Livewire 3 bundles Alpine.js, which evaluates x-data and wire:* expressions at runtime, so a script-src without 'unsafe-eval' (and, for inline handlers, 'unsafe-inline') will break the UI. Roll the policy out as Content-Security-Policy-Report-Only with a reporting endpoint first, tighten it from the violation reports, then switch to the enforcing header.

CSP XSS Security Headers
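A middleware that sets these headers in report-only mode and, as defence in depth for finding #6, drops X-Powered-By from PHP's own header list, as an added example for findings #8 and #6 (not the project's code). The config key app.csp_enforce and the /csp-report endpoint are assumptions; the endpoint has to exist and be excluded from CSRF validation.

```php
<?php
// app/Http/Middleware/SecurityHeaders.php (added example, not the project's
// code). Adds the headers from finding #8 and removes X-Powered-By (finding
// #6). Assumptions: config('app.csp_enforce') and a POST /csp-report route.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Livewire 3 / Alpine.js need 'unsafe-eval' and inline handlers, so
        // this starts permissive for scripts and is tightened from reports.
        $policy = implode('; ', [
            "default-src 'self'",
            "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
            "style-src 'self' 'unsafe-inline'",
            "img-src 'self' data: https:",
            "font-src 'self' data:",
            "connect-src 'self'",          // covers /livewire/update XHR
            "frame-ancestors 'none'",      // no clickjacking via iframes
            "base-uri 'self'",
            "form-action 'self'",
            "report-uri /csp-report",      // assumed endpoint; must exist
        ]);

        // Report-only until app.csp_enforce is set; violations are then
        // reported but nothing is blocked, so the UI keeps working meanwhile.
        $header = config('app.csp_enforce', false)
            ? 'Content-Security-Policy'
            : 'Content-Security-Policy-Report-Only';
        $response->headers->set($header, $policy);

        // Deny browser features the app does not use; widen only as needed.
        $response->headers->set(
            'Permissions-Policy',
            'camera=(), microphone=(), geolocation=(), payment=(), usb=()'
        );

        // Companion headers that cost nothing.
        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
        $response->headers->set('X-Frame-Options', 'DENY');

        // PHP adds X-Powered-By to its own header list when expose_php=On;
        // header_remove() drops it there, backing up the .htaccess/php.ini fix.
        header_remove('X-Powered-By');

        return $response;
    }
}

// bootstrap/app.php: register it globally (Laravel 11 has no Http Kernel).
//
// ->withMiddleware(function (Middleware $middleware) {
//     $middleware->append(\App\Http\Middleware\SecurityHeaders::class);
//     $middleware->validateCsrfTokens(except: ['csp-report']);
// })
```

Leave it in report-only mode through at least one full round of the app's screens (login, OTP, checkout return, Livewire forms), read the reports, and only then set app.csp_enforce; an enforcing CSP switched on blind against a Livewire front end is the fastest way to take the site down.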

HOSTING ENVIRONMENT
🖥️ Hosting Type: ⚠️ SHARED HOSTING ⚠️
📦 cPanel: cPanel v110 - SuperCP (Namecheap)
🔒 Root Access: NOT AVAILABLE
🐚 Shell Access: Jailed Shell (cageFS)
📊 Resource Limits: CPU/Memory limited by CloudLinux LVE
🚫 Restrictions: No sudo, no apt/yum, no root services
RECOMMENDATIONS