CMXX - Translations, Service report improvements and API security

api.php

@@ -20,9 +20,9 @@ include './settings/config_redirector.php';
 // Header security - enabled via config
 //------------------------------------------   
 if (header_security){
-    header('Content-Type: application/json');
   
-    // Set strict security headers
+    // Strict security headers
+    header('Content-Type: application/json');
     header('X-Content-Type-Options: nosniff');
     header('X-Frame-Options: DENY');
     header('X-XSS-Protection: 1; mode=block');
@@ -30,19 +30,22 @@ if (header_security){
     header('Access-Control-Allow-Origin: ' . $_ENV['ALLOWED_ORIGIN']);
     header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
     header('Access-Control-Allow-Headers: Content-Type, Accept, Authorization');
-  
+    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
+    header('Referrer-Policy: strict-origin-when-cross-origin');
+
     // Validate Content-Type
-    if (!str_contains($_SERVER['CONTENT_TYPE'],'application/json')) {
-    http_response_code(400);
-    exit(json_encode(['error' => 'Invalid Content-Type']));
+    if (!str_contains($_SERVER['CONTENT_TYPE'] ?? '', 'application/json')) {
+        http_response_code(400);
+        exit(json_encode(['error' => 'Invalid Content-Type']));
     }
-  
+
     // Validate request size
-    if ($_SERVER['CONTENT_LENGTH'] > '5M') {
-    http_response_code(413);
-    exit(json_encode(['error' => 'Request too large']));
+    $maxRequestSize = 5 * 1024 * 1024; // 5MB in bytes
+    if (isset($_SERVER['CONTENT_LENGTH']) && $_SERVER['CONTENT_LENGTH'] > $maxRequestSize) {
+        http_response_code(413);
+        exit(json_encode(['error' => 'Request too large']));
     }
-  }
+}
 
 //------------------------------------------
 // Retrieve API version and Collection