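<?php
// security_init.php
//
// This file is included before the main HTML structure begins, so it must not
// produce any output (no echo, no HTML outside PHP tags): header() fails once the
// response body has started. For the same reason the file deliberately has no
// closing `?>` tag — any whitespace after it would already count as output.

// 1. Fix for: Missing Content-Security-Policy (Medium Risk)
// Restricts resource loading to 'self' (the same origin), plus inline scripts and
// styles, images from 'self' and data: URIs (commonly used for small icons), and
// fonts from 'self'.
// Caveat: 'unsafe-inline' in script-src means this policy does not block injected
// inline script content, so it is not a substitute for output escaping. Tightening
// it (nonces or hashes) requires changing the templates that rely on inline scripts.
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self';");

// 2. Fix for: Reflected HTML Injection (High Risk) - Language Validation
// Validates the 'lang' GET parameter against an allow-list and falls back to 'ar'
// when it is missing or invalid. The strict (===) in_array() comparison also
// rejects non-string input such as `?lang[]=x`, which arrives as an array.
$input_lang = $_GET['lang'] ?? 'ar';
$allowed_langs = ['ar', 'en', 'ku']; // allowed languages
// $lang is the value meant to be consumed by the files that include this script;
// it is guaranteed to be one of $allowed_langs.
$lang = in_array($input_lang, $allowed_langs, true) ? $input_lang : 'ar';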