Enhance API functionality and security: Added rate limiting and domain validation across multiple API endpoints, improved error handling for missing or invalid parameters, and refactored email handling in contact form for better security and maintainability. Updated README.md with production build instructions and prerequisites.

2026-05-22 14:50:20 +02:00
parent 5f5be4a4cb
commit ebf6f82bb6
21 changed files with 1007 additions and 355 deletions
--- a/backend/includes/api-helpers.php
+++ b/backend/includes/api-helpers.php
@@ -0,0 +1,112 @@
+<?php
+/**
+ * Gemeinsame Hilfsfunktionen für öffentliche DNS/API-Endpunkte
+ */
+
+/**
+ * Client-IP für Rate-Limiting (Cloudflare-sicher, kein blindes X-Forwarded-For)
+ */
+function getApiClientIp(): string {
+    if (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])
+        && filter_var($_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP)) {
+        return $_SERVER['HTTP_CF_CONNECTING_IP'];
+    }
+
+    $remoteAddr = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
+    $isTrustedProxy = filter_var(
+        $remoteAddr,
+        FILTER_VALIDATE_IP,
+        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
+    ) === false;
+
+    if ($isTrustedProxy) {
+        foreach (['HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR'] as $header) {
+            if (empty($_SERVER[$header])) {
+                continue;
+            }
+            $ip = trim(explode(',', $_SERVER[$header])[0]);
+            if (filter_var($ip, FILTER_VALIDATE_IP)) {
+                return $ip;
+            }
+        }
+    }
+
+    return $remoteAddr;
+}
+
+/**
+ * Einfaches Rate-Limiting pro Endpunkt und IP
+ */
+function checkApiRateLimit(string $endpoint, int $maxPerHour = 120): bool {
+    $ip = getApiClientIp();
+    $cacheFile = sys_get_temp_dir() . '/hexahost_api_' . md5($endpoint . '_' . $ip) . '.txt';
+    $currentTime = time();
+    $data = ['requests' => []];
+
+    $handle = @fopen($cacheFile, 'c+');
+    if ($handle === false) {
+        return true;
+    }
+
+    try {
+        if (!flock($handle, LOCK_EX)) {
+            return true;
+        }
+
+        $contents = stream_get_contents($handle);
+        if ($contents !== false && $contents !== '') {
+            $decoded = json_decode($contents, true);
+            if (is_array($decoded) && isset($decoded['requests'])) {
+                $data = $decoded;
+            }
+        }
+
+        $data['requests'] = array_values(array_filter(
+            $data['requests'],
+            static fn($timestamp) => ($currentTime - (int) $timestamp) < 3600
+        ));
+
+        if (count($data['requests']) >= $maxPerHour) {
+            return false;
+        }
+
+        $data['requests'][] = $currentTime;
+        ftruncate($handle, 0);
+        rewind($handle);
+        fwrite($handle, json_encode($data));
+    } finally {
+        flock($handle, LOCK_UN);
+        fclose($handle);
+    }
+
+    return true;
+}
+
+/**
+ * Domain aus GET-Parameter normalisieren und validieren
+ */
+function getValidatedDomainParam(string $param = 'domain'): ?string {
+    if (empty($_GET[$param])) {
+        return null;
+    }
+
+    $domain = trim((string) $_GET[$param]);
+    $domain = preg_replace('/^(https?:\/\/)?/', '', $domain);
+    $domain = explode('/', $domain)[0];
+    $domain = explode(':', $domain)[0];
+
+    if (!preg_match('/^[a-zA-Z0-9][a-zA-Z0-9\-\.]*\.[a-zA-Z]{2,}$/', $domain)) {
+        return null;
+    }
+
+    return $domain;
+}
+
+/**
+ * Rate-Limit-JSON-Antwort senden und beenden
+ */
+function rejectApiRateLimit(): void {
+    http_response_code(429);
+    echo json_encode(['error' => 'Zu viele Anfragen. Bitte versuchen Sie es später erneut.']);
+    exit;
+}