Security Policy

Security at a Glance

Transport Security (HTTPS / SSL)

All communication between your browser and vpn.mitkar.com is encrypted using SSL/TLS provided by Hostinger's managed SSL certificate. This means:

• All data transmitted (login credentials, payment data, chat messages, admin panel operations) is encrypted in transit.
• Man-in-the-middle attacks are prevented by certificate validation.
• HTTP requests are automatically redirected to HTTPS via our .htaccess rules.
• Our SSL certificate is regularly renewed and monitored by Hostinger.

Authentication Security

Password Hashing

All admin account passwords are stored using PHP's password_hash() function with the PASSWORD_BCRYPT algorithm. Key properties:

• Bcrypt automatically incorporates a random salt for each password � two identical passwords produce completely different hashes.
• Bcrypt is designed to be computationally slow (cost factor 10+), making brute-force attacks impractical.
• Plain-text passwords are never stored, logged, or transmitted.
• Password verification uses password_verify() � timing-attack safe by design.

Session Management

• Admin authentication state is managed via PHP server-side sessions (PHPSESSID).
• Session data (role, username, logged-in flag) is stored server-side � never exposed in the URL or client-side storage.
• Logging out destroys the session immediately via session_destroy().
• Session cookies are HttpOnly � inaccessible to JavaScript, preventing XSS-based session theft.

Role-Based Access Control (RBAC)

Every single page in the admin panel verifies the user's role and session before rendering any content or allowing any action:

• Main Admin pages check: $_SESSION['admin_logged_in'] === true && $_SESSION['admin_role'] === 'admin'
• Sub-Admin pages check: role is admin or subadmin
• Reseller pages check: role is admin, subadmin, or reseller
• Any unauthorized access attempt redirects to the login page immediately.
• Hierarchy verification ensures a reseller cannot access sub-admin data, and a sub-admin cannot access other sub-admins' data.

Database Security

• PDO Prepared Statements � All database queries use PHP PDO with parameterized statements. User input is never directly interpolated into SQL queries, completely eliminating SQL injection vulnerabilities.
• Minimal Privilege Principle � Database user accounts are configured with only the minimum permissions required for each operation.
• No Sensitive Data in URL Parameters � Sensitive identifiers (user IDs, payment amounts) are never passed via GET parameters where they can be easily modified.
• Input Sanitization � All user-provided data is sanitized and validated before processing using PHP's htmlspecialchars(), filter_var(), and custom validation functions.

Payment Security

• Razorpay (Primary) � PCI-DSS Level 1 certified. Card data is entered directly in Razorpay's secure iframe � our server never receives it. We only receive the order status and payment ID after completion.
• Payment Verification � All Razorpay payments are verified server-side using Razorpay's HMAC-SHA256 signature verification before crediting any wallet or confirming any order. This prevents payment forgery.
• Webhook Security � Payment webhook endpoints validate the Razorpay webhook signature header before processing any order update.
• Amount Verification � The payment amount is verified server-side against the expected order amount. Tampered amounts in client-side requests are automatically rejected.

Activity Logging & Monitoring

Our platform maintains comprehensive activity logs for security monitoring:

• Login Events � Every successful and failed login attempt is logged with: timestamp, IP address, geo-resolved country and city, device/browser information.
• IP Geolocation � Login IPs are resolved to country/city using the ipapi.co API for geo-anomaly detection.
• Financial Transaction Logs � Every wallet topup, balance transfer, PIN generation, and redemption is logged with full audit trail.
• Admin Actions � Key admin actions (creating accounts, modifying server settings, generating PINs) are logged for accountability.

Activity logs enable the Main Admin to detect unauthorized access attempts, suspicious financial activity, and platform misuse.

Vulnerability Reporting

If you discover a security vulnerability in our platform, we encourage responsible disclosure. Please:

• Do NOT publicly disclose the vulnerability before we have had a chance to address it.
• Email us at vpn@mitkar.com with subject: "Security Vulnerability Report"
• Include a detailed description, steps to reproduce, and potential impact assessment.
• We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.

We appreciate responsible security researchers who help us maintain a secure platform for all users.

Your Security Responsibilities

Platform security is a shared responsibility. As an admin account holder, you are responsible for:

• Using a strong, unique password for your admin account (minimum 12 characters, mix of letters, numbers, symbols).
• Not sharing your credentials with unauthorized individuals.
• Logging out of the admin panel when using shared or public computers.
• Keeping your device and browser up to date with security patches.
• Reporting any suspicious activity on your account immediately to vpn@mitkar.com.
• Not using demo credentials for any production use � demo accounts are publicly accessible.