📰 News & Updates

🔒 Security Improvements update blog

🔒 Security Improvements

We take the safety and privacy of our users seriously. Here’s what we’ve done to improve security on FishBSE:

1. Hardened Content Security Policy (CSP):

  • Added strict CSP headers to prevent malicious scripts from running.

  • Limited which external scripts and connections can be loaded (protects against XSS attacks, unwanted data leaks, and third-party exploits).

  • Example: only whitelisted, trusted domains (like Bootstrap and FontAwesome) may serve scripts. We went from an F to a B!
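As an added example (not FishBSE's own code), here is the shape of a strict policy like the one described above, emitted from a PHP helper that runs before any HTML is output. The CDN host names, the helper names and the exact directive set are assumptions; the real list must match the hosts the pages actually load from.

```php
<?php
// Added example, not FishBSE's code: build and send a strict CSP that allows
// scripts, styles and fonts only from this site plus the Bootstrap and
// FontAwesome CDN hosts. Host names below are assumptions.
function build_csp(array $scriptHosts, array $styleHosts, array $fontHosts): string
{
    $directives = [
        "default-src 'self'",
        "script-src 'self' " . implode(' ', $scriptHosts),
        "style-src 'self' " . implode(' ', $styleHosts),
        "font-src 'self' " . implode(' ', $fontHosts),
        "img-src 'self' data:",
        "connect-src 'self'",       // XHR/fetch may only talk back to this site
        "object-src 'none'",        // no plugin content at all
        "base-uri 'self'",          // an injected <base> tag cannot redirect relative URLs
        "form-action 'self'",       // forms may only post to this site
        "frame-ancestors 'none'",   // the site cannot be framed (clickjacking)
    ];
    return implode('; ', $directives);
}

function send_csp(): void
{
    $csp = build_csp(
        ['https://cdn.jsdelivr.net'],                                  // Bootstrap JS (assumed host)
        ['https://cdn.jsdelivr.net', 'https://cdnjs.cloudflare.com'],  // Bootstrap / FontAwesome CSS (assumed hosts)
        ['https://cdnjs.cloudflare.com']                               // FontAwesome webfonts (assumed host)
    );
    header('Content-Security-Policy: ' . $csp);
}

// Like session_start(), this has to run before the first byte of output.
send_csp();
```

A practical rollout tip: send the same value in a Content-Security-Policy-Report-Only header first and watch the browser console for blocked resources, then switch to the enforcing header once nothing legitimate is reported. Note that inline scripts and inline style attributes are blocked by this policy unless each one is moved to a file or given a nonce.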

2. Secure Session Management:

  • Ensured sessions are always started before any output, avoiding session fixation and “headers already sent” issues.

  • Improved session cookie settings for better privacy and security.
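The two session points above, as an added example rather than FishBSE's own code: a bootstrap include that every page requires first, so the session starts exactly once before any output, with hardened cookie flags, and a login helper that issues a fresh session id. File, function and session key names are assumptions.

```php
<?php
// Added example, not FishBSE's code: secure session bootstrap (PHP 7.3+ for
// the array form of session_set_cookie_params). Names are assumptions.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by an earlier include
    }
    if (headers_sent($file, $line)) {
        // Output already began, so the session cookie cannot be sent.
        // Log where it happened instead of silently running without a session.
        error_log("session_start() called too late: output began at $file:$line");
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,         // browser-session cookie
        'path'     => '/',
        'domain'   => '',        // current host only
        'secure'   => true,      // never sent over plain HTTP
        'httponly' => true,      // not readable from JavaScript, limiting XSS impact
        'samesite' => 'Strict',  // not attached to cross-site requests (CSRF)
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse session ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept an id from the URL
    session_start();
}

// Call right after the password check succeeds. Regenerating the id is the
// actual fix for session fixation: an id chosen before login is useless after it.
function login_user(int $userId, bool $isAdmin): void
{
    session_regenerate_id(true);   // true = discard the old session data
    $_SESSION['user_id']  = $userId;
    $_SESSION['is_admin'] = $isAdmin;
    $_SESSION['login_at'] = time();
}

start_secure_session();
```

The secure flag means the site must be served over HTTPS everywhere, including the login page; otherwise the browser will simply never send the cookie.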

3. Access Controls:

  • Verified that sensitive admin and user actions require a logged-in session and correct privileges.

  • Prevented admin-only pages and actions from being accessed by regular users or guests.

4. Safer File Uploads:

  • Image uploads are now validated for type and size.

  • JPEGs are automatically converted to PNG for safer thumbnails and to prevent file-based exploits.

  • Non-image files are blocked from being uploaded.
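An added example (not FishBSE's own upload code) of the three upload rules above: size and type checks that do not trust the client-supplied MIME type, rejection of anything that is not an image, and re-encoding through GD so the stored file is a freshly written PNG. The field name, size limit, upload directory and the decision to also accept PNG input are assumptions.

```php
<?php
// Added example, not FishBSE's code: validate an uploaded image and store it
// as a re-encoded PNG. Limits, paths and the field name are assumptions.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;        // 2 MiB (assumed limit)
const UPLOAD_DIR       = __DIR__ . '/uploads/';  // serve as static files only, never execute

/**
 * Checks $_FILES[$field] and returns the path of the stored PNG.
 * Throws with a message that is safe to show to the uploader.
 */
function store_image_upload(string $field): string
{
    $f = $_FILES[$field] ?? null;
    if ($f === null || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No file uploaded.');
    }
    if ($f['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // $f['type'] and the extension are chosen by the client; sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!in_array($mime, ['image/jpeg', 'image/png'], true)) {
        throw new RuntimeException('Only JPEG and PNG images are accepted.');
    }
    // getimagesize() confirms the file actually parses as an image.
    if (@getimagesize($f['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image.');
    }

    // Re-encode through GD: the output is built from decoded pixels only, so
    // metadata and any stray bytes appended to the original do not survive.
    $img = $mime === 'image/jpeg'
        ? @imagecreatefromjpeg($f['tmp_name'])
        : @imagecreatefrompng($f['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('Could not decode image.');
    }

    // Server-chosen random name: the uploader's filename never touches the filesystem.
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.png';
    $ok = imagepng($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not save image.');
    }
    return $dest;
}
```

Two operational checks go with this: the upload directory should be configured in the web server so that nothing in it is ever handed to the PHP interpreter, and the size check should be backed by upload_max_filesize and post_max_size in php.ini so oversized bodies are rejected before the script runs.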

5. Error Handling:

  • Suppressed error details from being shown to users in production, protecting internal app information from being leaked.

  • Debugging is restricted to dev/admin only.
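An added example (not FishBSE's own code) of the error-handling policy above: full details always go to the server log, users in production see a generic message, and only a development environment or an admin session gets the stack trace. The APP_ENV variable and the is_admin session key are assumptions.

```php
<?php
// Added example, not FishBSE's code: production-safe error handling.
// Assumes the session has already been started; APP_ENV is an assumed variable.
declare(strict_types=1);

$isProduction = (getenv('APP_ENV') ?: 'production') === 'production';
$isAdmin      = !empty($_SESSION['is_admin']);

error_reporting(E_ALL);
ini_set('log_errors', '1');                            // always record everything ...
ini_set('display_errors', $isProduction ? '0' : '1');  // ... but only display it outside production

set_exception_handler(function (Throwable $ex) use ($isProduction, $isAdmin): void {
    // The server log gets class, message, file, line and trace.
    error_log(sprintf(
        '[%s] %s in %s:%d%s%s',
        get_class($ex), $ex->getMessage(), $ex->getFile(), $ex->getLine(),
        PHP_EOL, $ex->getTraceAsString()
    ));
    http_response_code(500);
    if (!$isProduction || $isAdmin) {
        // Developers and admins get the detail they need to debug.
        header('Content-Type: text/plain; charset=utf-8');
        echo $ex;
        return;
    }
    // Everyone else gets a page that reveals no paths, queries or stack frames.
    echo 'Something went wrong. Please try again later.';
});
```

The same split applies to database exceptions: the PDO message (which can contain the failing SQL) belongs in the log, never in the response.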

6. Input Validation & Database Security:

  • Used prepared statements for all SQL queries (protects against SQL injection).

  • Escaped output on all user-facing pages to prevent XSS.
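Both points above in one added example that is not FishBSE's own code: a listing search built on PDO prepared statements, shown next to the concatenated form it replaces, and an e() helper that encodes every value at the moment it is rendered into HTML. The table, column and DSN details are assumptions.

```php
<?php
// Added example, not FishBSE's code: prepared statements plus output escaping.
// Table/column names and the DSN are assumptions.
declare(strict_types=1);

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(
            'mysql:host=localhost;dbname=fishbse;charset=utf8mb4',
            'app',
            getenv('DB_PASS') ?: '',
            [
                PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES   => false,  // real server-side prepares
                PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            ]
        );
    }
    return $pdo;
}

// The form being replaced (shown for contrast only): the search term is glued
// into the SQL text, so a quote character inside it rewrites the query.
//   $rows = db()->query("SELECT id, title FROM listings WHERE title LIKE '%$term%'");

// Prepared form: the SQL is fixed when prepared; the term travels as data.
function search_listings(string $term, int $limit = 20): array
{
    $stmt = db()->prepare(
        'SELECT id, title, price FROM listings WHERE title LIKE :pattern ORDER BY id DESC LIMIT :lim'
    );
    // Escape LIKE wildcards so a "%" typed by the user matches literally.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);  // LIMIT must be bound as an integer
    $stmt->execute();
    return $stmt->fetchAll();
}

// Output escaping for the HTML body/attribute context, applied at render time.
function e(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Every value from the database or the request goes through e() on the way out.
foreach (search_listings($_GET['q'] ?? '') as $row) {
    echo '<li><a href="/listing.php?id=' . e((string) $row['id']) . '">'
       . e($row['title']) . '</a></li>';
}
```

Escaping is context-specific: e() is right for HTML text and quoted attributes, but a value placed inside a JavaScript block or a URL query string needs json_encode() or rawurlencode() respectively, and the CSP above is the backstop for anything that slips through.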

7. API/Script Protection:

  • API endpoints like fetch_trade_notifications.php are now only accessible if the user is logged in, preventing unnecessary background API calls and abuse.
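The access-control rules in section 3 and the API guard in section 7 share one check, so here is a single added example (not FishBSE's own code) of an auth include used by both HTML pages and JSON scripts such as fetch_trade_notifications.php. Pages get a redirect to the login form; API scripts get a 401 so a background fetch() fails cleanly. The helper names, session keys and login URL are assumptions.

```php
<?php
// Added example, not FishBSE's code: shared auth guards for pages and API
// scripts. Session keys, helper names and /login.php are assumptions.
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function is_admin(): bool
{
    return current_user_id() !== null && !empty($_SESSION['is_admin']);
}

// HTML pages: anonymous visitors are sent to the login form.
function require_login(): void
{
    if (current_user_id() === null) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

// Admin-only pages and actions: logged in is not enough, the flag must be set.
function require_admin(): void
{
    require_login();
    if (!is_admin()) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// API scripts: a JSON 401 instead of a redirect, so a logged-out tab's
// background request stops immediately rather than fetching the login page.
function require_login_api(): void
{
    if (current_user_id() === null) {
        http_response_code(401);
        header('Content-Type: application/json');
        exit(json_encode(['error' => 'login required']));
    }
}

// --- fetch_trade_notifications.php would begin like this (assumed layout) ---
// require_once __DIR__ . '/auth.php';
// require_login_api();
// $uid = current_user_id();
// // Query rows WHERE user_id = :uid using $uid from the session; never take
// // the user id from the request, or one user can read another's notifications.
```

The guard belongs at the very top of each script, before any query runs, and the admin check must also cover the POST handlers that perform actions, not only the pages that render the forms.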

8. Privacy-First Design:

  • User phone numbers and sensitive details are only shown if a user is logged in and only to the listing owner or with user permission.

  • All registration and login pages use secure forms and checks.
