Militant API Security - Militant API

This page summarizes the main security layers of the Militant API.

Implemented protections

64-character SHA-256 tokens
automatic expiration and revocation
rate limiting per IP and per endpoint
protection against brute force, SQL injection, XSS and path traversal
strict input validation
security headers such as HSTS, CSP and X-Frame-Options
configurable CORS
security event logging

Production recommendations

Enforce HTTPS

In /api/.env:

API_REQUIRE_HTTPS=true

Restrict CORS

API_CORS_ORIGINS=https://app.example.com,https://mobile.example.com

Disable debug mode

API_DEBUG=false

Use a dedicated SQL user

CREATE USER 'api_user'@'localhost' IDENTIFIED BY 'strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON militant.* TO 'api_user'@'localhost';
FLUSH PRIVILEGES;

Monitor logs

tail -f /var/log/apache2/error.log | grep "API Security"
tail -f /var/log/apache2/access.log | grep "/api/"

Good practices

never expose tokens in client logs
use HTTPS only in production
store tokens in a secure keystore
rotate and revoke tokens when needed
keep PHP and dependencies up to date

Vulnerability reporting

Do not open a public issue for a security problem. Use the private security contact instead.

Main documentation Back to API