From 10ebc6cbdce4d97bf652c1bac435b296cb221cb5 Mon Sep 17 00:00:00 2001
From: "Farhad H. P. Shirvan" <9374298+farhadh@users.noreply.github.com>
Date: Thu, 7 May 2026 23:36:11 +0200
Subject: [PATCH] Implement CSRF protection and security hardening across the
 application (#4179)

* Implement CSRF protection and security hardening across the application

- Added CSRF token handling in axios requests and HTML templates.
- Introduced CSRF middleware to validate tokens for unsafe HTTP methods.
- Implemented login limiter to prevent brute-force attacks.
- Enhanced security headers in middleware for improved response security.
- Updated login notification to include safe metadata without passwords.
- Added tests for CSRF middleware and login limiter functionality.

* fix
---
 web/assets/js/axios-init.js          |   6 ++
 web/controller/api.go                |   2 +
 web/controller/index.go              |  70 +++++++++++-----
 web/controller/login_limiter.go      |  99 ++++++++++++++++++++++
 web/controller/login_limiter_test.go |  74 ++++++++++++++++
 web/controller/util.go               |   7 ++
 web/controller/xui.go                |   3 +
 web/html/common/page.html            |   3 +-
 web/middleware/security.go           |  47 +++++++++++
 web/middleware/security_test.go      | 121 +++++++++++++++++++++++++++
 web/service/tgbot.go                 |  26 ++++--
 web/service/tgbot_test.go            |  13 +++
 web/session/csrf.go                  |  55 ++++++++++++
 web/session/session.go               |   1 +
 web/translation/translate.ar_EG.toml |   2 +-
 web/translation/translate.en_US.toml |   2 +-
 web/translation/translate.es_ES.toml |   2 +-
 web/translation/translate.fa_IR.toml |   2 +-
 web/translation/translate.id_ID.toml |   2 +-
 web/translation/translate.ja_JP.toml |   2 +-
 web/translation/translate.pt_BR.toml |   2 +-
 web/translation/translate.ru_RU.toml |   2 +-
 web/translation/translate.tr_TR.toml |   2 +-
 web/translation/translate.uk_UA.toml |   2 +-
 web/translation/translate.vi_VN.toml |   2 +-
 web/translation/translate.zh_CN.toml |   2 +-
 web/translation/translate.zh_TW.toml |   2 +-
 web/web.go                           |  13 +++
 28 files changed, 525 insertions(+), 41 deletions(-)
 create mode 100644 web/controller/login_limiter.go
 create mode 100644 web/controller/login_limiter_test.go
 create mode 100644 web/middleware/security.go
 create mode 100644 web/middleware/security_test.go
 create mode 100644 web/service/tgbot_test.go
 create mode 100644 web/session/csrf.go

diff --git a/web/assets/js/axios-init.js b/web/assets/js/axios-init.js
index f0b0f4be..c44c0647 100644
--- a/web/assets/js/axios-init.js
+++ b/web/assets/js/axios-init.js
@@ -3,6 +3,12 @@ axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
 
 axios.interceptors.request.use(
     (config) => {
+        config.headers = config.headers || {};
+        const csrfToken = document.querySelector('meta[name="csrf-token"]')?.getAttribute('content');
+        const method = (config.method || 'get').toUpperCase();
+        if (csrfToken && !['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(method)) {
+            config.headers['X-CSRF-Token'] = csrfToken;
+        }
         if (config.data instanceof FormData) {
             config.headers['Content-Type'] = 'multipart/form-data';
         } else {
diff --git a/web/controller/api.go b/web/controller/api.go
index 57d2e4cb..e99a26d2 100644
--- a/web/controller/api.go
+++ b/web/controller/api.go
@@ -3,6 +3,7 @@ package controller
 import (
 	"net/http"
 
+	"github.com/mhsanaei/3x-ui/v2/web/middleware"
 	"github.com/mhsanaei/3x-ui/v2/web/service"
 	"github.com/mhsanaei/3x-ui/v2/web/session"
 
@@ -39,6 +40,7 @@ func (a *APIController) initRouter(g *gin.RouterGroup, customGeo *service.Custom
 	// Main API group
 	api := g.Group("/panel/api")
 	api.Use(a.checkAPIAuth)
+	api.Use(middleware.CSRFMiddleware())
 
 	// Inbounds API
 	inbounds := api.Group("/inbounds")
diff --git a/web/controller/index.go b/web/controller/index.go
index 14791543..d3c58da8 100644
--- a/web/controller/index.go
+++ b/web/controller/index.go
@@ -1,12 +1,12 @@
 package controller
 
 import (
-	"fmt"
 	"net/http"
 	"text/template"
 	"time"
 
 	"github.com/mhsanaei/3x-ui/v2/logger"
+	"github.com/mhsanaei/3x-ui/v2/web/middleware"
 	"github.com/mhsanaei/3x-ui/v2/web/service"
 	"github.com/mhsanaei/3x-ui/v2/web/session"
 
@@ -41,8 +41,8 @@ func (a *IndexController) initRouter(g *gin.RouterGroup) {
 	g.GET("/", a.index)
 	g.GET("/logout", a.logout)
 
-	g.POST("/login", a.login)
-	g.POST("/getTwoFactorEnable", a.getTwoFactorEnable)
+	g.POST("/login", middleware.CSRFMiddleware(), a.login)
+	g.POST("/getTwoFactorEnable", middleware.CSRFMiddleware(), a.getTwoFactorEnable)
 }
 
 // index handles the root route, redirecting logged-in users to the panel or showing the login page.
@@ -71,28 +71,51 @@ func (a *IndexController) login(c *gin.Context) {
 		return
 	}
 
-	user, checkErr := a.userService.CheckUser(form.Username, form.Password, form.TwoFactorCode)
-	timeStr := time.Now().Format("2006-01-02 15:04:05")
+	remoteIP := getRemoteIp(c)
 	safeUser := template.HTMLEscapeString(form.Username)
-	safePass := template.HTMLEscapeString(form.Password)
-
-	if user == nil {
-		logger.Warningf("wrong username: \"%s\", password: \"%s\", IP: \"%s\"", safeUser, safePass, getRemoteIp(c))
-
-		notifyPass := safePass
-
-		if checkErr != nil && checkErr.Error() == "invalid 2fa code" {
-			translatedError := a.tgbot.I18nBot("tgbot.messages.2faFailed")
-			notifyPass = fmt.Sprintf("*** (%s)", translatedError)
-		}
-
-		a.tgbot.UserLoginNotify(safeUser, notifyPass, getRemoteIp(c), timeStr, 0)
+	timeStr := time.Now().Format("2006-01-02 15:04:05")
+	if blockedUntil, ok := defaultLoginLimiter.allow(remoteIP, form.Username); !ok {
+		reason := "too many failed attempts"
+		logger.Warningf("failed login: username=%q, IP=%q, reason=%q, blocked_until=%s", safeUser, remoteIP, reason, blockedUntil.Format(time.RFC3339))
+		a.tgbot.UserLoginNotify(service.LoginAttempt{
+			Username: safeUser,
+			IP:       remoteIP,
+			Time:     timeStr,
+			Status:   service.LoginFail,
+			Reason:   reason,
+		})
 		pureJsonMsg(c, http.StatusOK, false, I18nWeb(c, "pages.login.toasts.wrongUsernameOrPassword"))
 		return
 	}
 
-	logger.Infof("%s logged in successfully, Ip Address: %s\n", safeUser, getRemoteIp(c))
-	a.tgbot.UserLoginNotify(safeUser, ``, getRemoteIp(c), timeStr, 1)
+	user, checkErr := a.userService.CheckUser(form.Username, form.Password, form.TwoFactorCode)
+
+	if user == nil {
+		reason := loginFailureReason(checkErr)
+		if blockedUntil, blocked := defaultLoginLimiter.registerFailure(remoteIP, form.Username); blocked {
+			logger.Warningf("failed login: username=%q, IP=%q, reason=%q, blocked_until=%s", safeUser, remoteIP, reason, blockedUntil.Format(time.RFC3339))
+		} else {
+			logger.Warningf("failed login: username=%q, IP=%q, reason=%q", safeUser, remoteIP, reason)
+		}
+		a.tgbot.UserLoginNotify(service.LoginAttempt{
+			Username: safeUser,
+			IP:       remoteIP,
+			Time:     timeStr,
+			Status:   service.LoginFail,
+			Reason:   reason,
+		})
+		pureJsonMsg(c, http.StatusOK, false, I18nWeb(c, "pages.login.toasts.wrongUsernameOrPassword"))
+		return
+	}
+
+	defaultLoginLimiter.registerSuccess(remoteIP, form.Username)
+	logger.Infof("%s logged in successfully, Ip Address: %s\n", safeUser, remoteIP)
+	a.tgbot.UserLoginNotify(service.LoginAttempt{
+		Username: safeUser,
+		IP:       remoteIP,
+		Time:     timeStr,
+		Status:   service.LoginSuccess,
+	})
 
 	if err := session.SetLoginUser(c, user); err != nil {
 		logger.Warning("Unable to save session:", err)
@@ -103,6 +126,13 @@ func (a *IndexController) login(c *gin.Context) {
 	jsonMsg(c, I18nWeb(c, "pages.login.toasts.successLogin"), nil)
 }
 
+func loginFailureReason(err error) string {
+	if err != nil && err.Error() == "invalid 2fa code" {
+		return "invalid 2FA code"
+	}
+	return "invalid credentials"
+}
+
 // logout handles user logout by clearing the session and redirecting to the login page.
 func (a *IndexController) logout(c *gin.Context) {
 	user := session.GetLoginUser(c)
diff --git a/web/controller/login_limiter.go b/web/controller/login_limiter.go
new file mode 100644
index 00000000..1694db99
--- /dev/null
+++ b/web/controller/login_limiter.go
@@ -0,0 +1,99 @@
+package controller
+
+import (
+	"strings"
+	"sync"
+	"time"
+)
+
+const (
+	loginLimitMaxFailures = 5
+	loginLimitWindow      = 5 * time.Minute
+	loginLimitCooldown    = 15 * time.Minute
+)
+
+var defaultLoginLimiter = newLoginLimiter(loginLimitMaxFailures, loginLimitWindow, loginLimitCooldown)
+
+type loginLimiter struct {
+	mu          sync.Mutex
+	now         func() time.Time
+	maxFailures int
+	window      time.Duration
+	cooldown    time.Duration
+	attempts    map[string]*loginLimitRecord
+}
+
+type loginLimitRecord struct {
+	failures     []time.Time
+	blockedUntil time.Time
+}
+
+func newLoginLimiter(maxFailures int, window, cooldown time.Duration) *loginLimiter {
+	return &loginLimiter{
+		now:         time.Now,
+		maxFailures: maxFailures,
+		window:      window,
+		cooldown:    cooldown,
+		attempts:    make(map[string]*loginLimitRecord),
+	}
+}
+
+func (l *loginLimiter) allow(ip, username string) (time.Time, bool) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	key := loginLimitKey(ip, username)
+	record := l.attempts[key]
+	if record == nil {
+		return time.Time{}, true
+	}
+	now := l.now()
+	if now.Before(record.blockedUntil) {
+		return record.blockedUntil, false
+	}
+	record.blockedUntil = time.Time{}
+	record.failures = pruneLoginFailures(record.failures, now.Add(-l.window))
+	if len(record.failures) == 0 {
+		delete(l.attempts, key)
+	}
+	return time.Time{}, true
+}
+
+func (l *loginLimiter) registerFailure(ip, username string) (time.Time, bool) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+
+	key := loginLimitKey(ip, username)
+	record := l.attempts[key]
+	if record == nil {
+		record = &loginLimitRecord{}
+		l.attempts[key] = record
+	}
+	now := l.now()
+	record.failures = pruneLoginFailures(record.failures, now.Add(-l.window))
+	record.failures = append(record.failures, now)
+	if len(record.failures) >= l.maxFailures {
+		record.failures = nil
+		record.blockedUntil = now.Add(l.cooldown)
+		return record.blockedUntil, true
+	}
+	return time.Time{}, false
+}
+
+func (l *loginLimiter) registerSuccess(ip, username string) {
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	delete(l.attempts, loginLimitKey(ip, username))
+}
+
+func loginLimitKey(ip, username string) string {
+	return strings.TrimSpace(ip) + "\x00" + strings.ToLower(strings.TrimSpace(username))
+}
+
+func pruneLoginFailures(failures []time.Time, cutoff time.Time) []time.Time {
+	keepFrom := 0
+	for keepFrom < len(failures) && failures[keepFrom].Before(cutoff) {
+		keepFrom++
+	}
+	return failures[keepFrom:]
+}
diff --git a/web/controller/login_limiter_test.go b/web/controller/login_limiter_test.go
new file mode 100644
index 00000000..cc9cd80e
--- /dev/null
+++ b/web/controller/login_limiter_test.go
@@ -0,0 +1,74 @@
+package controller
+
+import (
+	"testing"
+	"time"
+)
+
+func TestLoginLimiterBlocksAfterConfiguredFailures(t *testing.T) {
+	now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
+	limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
+	limiter.now = func() time.Time { return now }
+
+	for i := 0; i < 4; i++ {
+		if _, blocked := limiter.registerFailure("192.0.2.10", "Admin"); blocked {
+			t.Fatalf("failure %d should not block yet", i+1)
+		}
+		if _, ok := limiter.allow("192.0.2.10", "admin"); !ok {
+			t.Fatalf("failure %d should still allow login attempts", i+1)
+		}
+	}
+
+	blockedUntil, blocked := limiter.registerFailure("192.0.2.10", "ADMIN")
+	if !blocked {
+		t.Fatal("fifth failure should start cooldown")
+	}
+	if want := now.Add(15 * time.Minute); !blockedUntil.Equal(want) {
+		t.Fatalf("blocked until %s, want %s", blockedUntil, want)
+	}
+	if _, ok := limiter.allow("192.0.2.10", "admin"); ok {
+		t.Fatal("login should be blocked during cooldown")
+	}
+
+	now = blockedUntil
+	if _, ok := limiter.allow("192.0.2.10", "admin"); !ok {
+		t.Fatal("login should be allowed after cooldown")
+	}
+}
+
+func TestLoginLimiterPrunesOldFailuresAndResetsOnSuccess(t *testing.T) {
+	now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
+	limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
+	limiter.now = func() time.Time { return now }
+
+	for i := 0; i < 4; i++ {
+		limiter.registerFailure("192.0.2.10", "admin")
+	}
+	now = now.Add(6 * time.Minute)
+	if _, blocked := limiter.registerFailure("192.0.2.10", "admin"); blocked {
+		t.Fatal("old failures should be pruned outside the rolling window")
+	}
+
+	limiter.registerSuccess("192.0.2.10", "admin")
+	for i := 0; i < 4; i++ {
+		if _, blocked := limiter.registerFailure("192.0.2.10", "admin"); blocked {
+			t.Fatalf("success should reset previous failures; failure %d blocked", i+1)
+		}
+	}
+}
+
+func TestLoginLimiterSeparatesIPAndUsername(t *testing.T) {
+	now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
+	limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
+	limiter.now = func() time.Time { return now }
+
+	for i := 0; i < 5; i++ {
+		limiter.registerFailure("192.0.2.10", "admin")
+	}
+	if _, ok := limiter.allow("192.0.2.11", "admin"); !ok {
+		t.Fatal("different IP should not be blocked")
+	}
+	if _, ok := limiter.allow("192.0.2.10", "other-admin"); !ok {
+		t.Fatal("different username should not be blocked")
+	}
+}
diff --git a/web/controller/util.go b/web/controller/util.go
index e1d53ba6..070d2c70 100644
--- a/web/controller/util.go
+++ b/web/controller/util.go
@@ -10,6 +10,7 @@ import (
 	"github.com/mhsanaei/3x-ui/v2/config"
 	"github.com/mhsanaei/3x-ui/v2/logger"
 	"github.com/mhsanaei/3x-ui/v2/web/entity"
+	"github.com/mhsanaei/3x-ui/v2/web/session"
 
 	"github.com/gin-gonic/gin"
 )
@@ -121,6 +122,12 @@ func html(c *gin.Context, name string, title string, data gin.H) {
 		data = gin.H{}
 	}
 	data["title"] = title
+	csrfToken, err := session.EnsureCSRFToken(c)
+	if err != nil {
+		logger.Warning("Unable to create CSRF token:", err)
+	} else {
+		data["csrf_token"] = csrfToken
+	}
 	host := c.GetHeader("X-Forwarded-Host")
 	if host == "" {
 		host = c.GetHeader("X-Real-IP")
diff --git a/web/controller/xui.go b/web/controller/xui.go
index 51502900..afbbeb71 100644
--- a/web/controller/xui.go
+++ b/web/controller/xui.go
@@ -1,6 +1,8 @@
 package controller
 
 import (
+	"github.com/mhsanaei/3x-ui/v2/web/middleware"
+
 	"github.com/gin-gonic/gin"
 )
 
@@ -23,6 +25,7 @@ func NewXUIController(g *gin.RouterGroup) *XUIController {
 func (a *XUIController) initRouter(g *gin.RouterGroup) {
 	g = g.Group("/panel")
 	g.Use(a.checkLogin)
+	g.Use(middleware.CSRFMiddleware())
 
 	g.GET("/", a.index)
 	g.GET("/inbounds", a.inbounds)
diff --git a/web/html/common/page.html b/web/html/common/page.html
index 47b2b654..13f5d64c 100644
--- a/web/html/common/page.html
+++ b/web/html/common/page.html
@@ -7,6 +7,7 @@
   <meta name="renderer" content="webkit">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta name="robots" content="noindex,nofollow">
+  {{ if .csrf_token }}<meta name="csrf-token" content="{{ .csrf_token }}">{{ end }}
   <link rel="stylesheet" href="{{ .base_path }}assets/ant-design-vue/antd.min.css">
   <link rel="stylesheet" href="{{ .base_path }}assets/css/custom.min.css?{{ .cur_ver }}">
   <style>
@@ -102,4 +103,4 @@
 </body>
 
 </html>
-{{ end }}
\ No newline at end of file
+{{ end }}
diff --git a/web/middleware/security.go b/web/middleware/security.go
new file mode 100644
index 00000000..478d1a62
--- /dev/null
+++ b/web/middleware/security.go
@@ -0,0 +1,47 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/mhsanaei/3x-ui/v2/web/session"
+
+	"github.com/gin-gonic/gin"
+)
+
+// SecurityHeadersMiddleware adds browser hardening headers to panel responses.
+func SecurityHeadersMiddleware(directHTTPS bool) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("X-Content-Type-Options", "nosniff")
+		c.Header("X-Frame-Options", "DENY")
+		c.Header("Referrer-Policy", "no-referrer")
+		c.Header("Content-Security-Policy", "frame-ancestors 'none'; base-uri 'self'; form-action 'self'")
+		if directHTTPS {
+			c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
+		}
+		c.Next()
+	}
+}
+
+// CSRFMiddleware rejects unsafe requests that do not include the session CSRF token.
+func CSRFMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if isSafeMethod(c.Request.Method) {
+			c.Next()
+			return
+		}
+		if !session.ValidateCSRFToken(c) {
+			c.AbortWithStatus(http.StatusForbidden)
+			return
+		}
+		c.Next()
+	}
+}
+
+func isSafeMethod(method string) bool {
+	switch method {
+	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/web/middleware/security_test.go b/web/middleware/security_test.go
new file mode 100644
index 00000000..304ae485
--- /dev/null
+++ b/web/middleware/security_test.go
@@ -0,0 +1,121 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/mhsanaei/3x-ui/v2/web/session"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-contrib/sessions/cookie"
+	"github.com/gin-gonic/gin"
+)
+
+func TestCSRFMiddlewareAllowsSafeMethods(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+	router.Use(CSRFMiddleware())
+	router.GET("/safe", func(c *gin.Context) {
+		c.String(http.StatusOK, "ok")
+	})
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/safe", nil)
+	router.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK)
+	}
+}
+
+func TestCSRFMiddlewareRejectsMissingTokenAndAcceptsValidToken(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+	store := cookie.NewStore([]byte("01234567890123456789012345678901"))
+	router.Use(sessions.Sessions("3x-ui", store))
+	router.GET("/token", func(c *gin.Context) {
+		token, err := session.EnsureCSRFToken(c)
+		if err != nil {
+			t.Fatal(err)
+		}
+		c.String(http.StatusOK, token)
+	})
+	router.POST("/submit", CSRFMiddleware(), func(c *gin.Context) {
+		c.String(http.StatusOK, "ok")
+	})
+
+	tokenRec := httptest.NewRecorder()
+	tokenReq := httptest.NewRequest(http.MethodGet, "/token", nil)
+	router.ServeHTTP(tokenRec, tokenReq)
+	if tokenRec.Code != http.StatusOK {
+		t.Fatalf("token status = %d, want %d", tokenRec.Code, http.StatusOK)
+	}
+	cookies := tokenRec.Result().Cookies()
+	token := tokenRec.Body.String()
+
+	missingRec := httptest.NewRecorder()
+	missingReq := httptest.NewRequest(http.MethodPost, "/submit", nil)
+	for _, cookie := range cookies {
+		missingReq.AddCookie(cookie)
+	}
+	router.ServeHTTP(missingRec, missingReq)
+	if missingRec.Code != http.StatusForbidden {
+		t.Fatalf("missing token status = %d, want %d", missingRec.Code, http.StatusForbidden)
+	}
+
+	validRec := httptest.NewRecorder()
+	validReq := httptest.NewRequest(http.MethodPost, "/submit", nil)
+	for _, cookie := range cookies {
+		validReq.AddCookie(cookie)
+	}
+	validReq.Header.Set(session.CSRFHeaderName, token)
+	router.ServeHTTP(validRec, validReq)
+	if validRec.Code != http.StatusOK {
+		t.Fatalf("valid token status = %d, want %d", validRec.Code, http.StatusOK)
+	}
+}
+
+func TestSecurityHeadersMiddleware(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+	router.Use(SecurityHeadersMiddleware(true))
+	router.GET("/", func(c *gin.Context) {
+		c.String(http.StatusOK, "ok")
+	})
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	router.ServeHTTP(rec, req)
+
+	headers := rec.Result().Header
+	if got := headers.Get("X-Content-Type-Options"); got != "nosniff" {
+		t.Fatalf("X-Content-Type-Options = %q", got)
+	}
+	if got := headers.Get("X-Frame-Options"); got != "DENY" {
+		t.Fatalf("X-Frame-Options = %q", got)
+	}
+	if got := headers.Get("Referrer-Policy"); got != "no-referrer" {
+		t.Fatalf("Referrer-Policy = %q", got)
+	}
+	if got := headers.Get("Strict-Transport-Security"); got == "" {
+		t.Fatal("Strict-Transport-Security should be set for direct HTTPS")
+	}
+}
+
+func TestSecurityHeadersMiddlewareSkipsHSTSWithoutDirectHTTPS(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+	router.Use(SecurityHeadersMiddleware(false))
+	router.GET("/", func(c *gin.Context) {
+		c.String(http.StatusOK, "ok")
+	})
+
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	router.ServeHTTP(rec, req)
+
+	if got := rec.Result().Header.Get("Strict-Transport-Security"); got != "" {
+		t.Fatalf("Strict-Transport-Security = %q, want empty", got)
+	}
+}
diff --git a/web/service/tgbot.go b/web/service/tgbot.go
index 7c2a7d9e..a1a06f1b 100644
--- a/web/service/tgbot.go
+++ b/web/service/tgbot.go
@@ -104,6 +104,16 @@ const (
 	EmptyTelegramUserID             = int64(0) // Default value for empty Telegram user ID
 )
 
+// LoginAttempt contains safe metadata for panel login notifications.
+// It intentionally does not include attempted passwords.
+type LoginAttempt struct {
+	Username string
+	IP       string
+	Time     string
+	Status   LoginStatus
+	Reason   string
+}
+
 // Tgbot provides business logic for Telegram bot integration.
 // It handles bot commands, user interactions, and status reporting via Telegram.
 type Tgbot struct {
@@ -2769,12 +2779,12 @@ func (t *Tgbot) prepareServerUsageInfo() string {
 }
 
 // UserLoginNotify sends a notification about user login attempts to admins.
-func (t *Tgbot) UserLoginNotify(username string, password string, ip string, time string, status LoginStatus) {
+func (t *Tgbot) UserLoginNotify(attempt LoginAttempt) {
 	if !t.IsRunning() {
 		return
 	}
 
-	if username == "" || ip == "" || time == "" {
+	if attempt.Username == "" || attempt.IP == "" || attempt.Time == "" {
 		logger.Warning("UserLoginNotify failed, invalid info!")
 		return
 	}
@@ -2785,18 +2795,20 @@ func (t *Tgbot) UserLoginNotify(username string, password string, ip string, tim
 	}
 
 	msg := ""
-	switch status {
+	switch attempt.Status {
 	case LoginSuccess:
 		msg += t.I18nBot("tgbot.messages.loginSuccess")
 		msg += t.I18nBot("tgbot.messages.hostname", "Hostname=="+hostname)
 	case LoginFail:
 		msg += t.I18nBot("tgbot.messages.loginFailed")
 		msg += t.I18nBot("tgbot.messages.hostname", "Hostname=="+hostname)
-		msg += t.I18nBot("tgbot.messages.password", "Password=="+password)
+		if attempt.Reason != "" {
+			msg += t.I18nBot("tgbot.messages.reason", "Reason=="+attempt.Reason)
+		}
 	}
-	msg += t.I18nBot("tgbot.messages.username", "Username=="+username)
-	msg += t.I18nBot("tgbot.messages.ip", "IP=="+ip)
-	msg += t.I18nBot("tgbot.messages.time", "Time=="+time)
+	msg += t.I18nBot("tgbot.messages.username", "Username=="+attempt.Username)
+	msg += t.I18nBot("tgbot.messages.ip", "IP=="+attempt.IP)
+	msg += t.I18nBot("tgbot.messages.time", "Time=="+attempt.Time)
 	t.SendMsgToTgbotAdmins(msg)
 }
 
diff --git a/web/service/tgbot_test.go b/web/service/tgbot_test.go
new file mode 100644
index 00000000..39173563
--- /dev/null
+++ b/web/service/tgbot_test.go
@@ -0,0 +1,13 @@
+package service
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestLoginAttemptDoesNotCarryPassword(t *testing.T) {
+	typ := reflect.TypeOf(LoginAttempt{})
+	if _, ok := typ.FieldByName("Password"); ok {
+		t.Fatal("LoginAttempt must not carry attempted passwords")
+	}
+}
diff --git a/web/session/csrf.go b/web/session/csrf.go
new file mode 100644
index 00000000..c8449764
--- /dev/null
+++ b/web/session/csrf.go
@@ -0,0 +1,55 @@
+package session
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"io"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-gonic/gin"
+)
+
+const csrfTokenKey = "CSRF_TOKEN"
+
+// CSRFHeaderName is the request header used by browser clients for unsafe methods.
+const CSRFHeaderName = "X-CSRF-Token"
+
+// EnsureCSRFToken returns the current session CSRF token or creates one.
+func EnsureCSRFToken(c *gin.Context) (string, error) {
+	s := sessions.Default(c)
+	if token, ok := s.Get(csrfTokenKey).(string); ok && token != "" {
+		return token, nil
+	}
+	token, err := newCSRFToken()
+	if err != nil {
+		return "", err
+	}
+	s.Set(csrfTokenKey, token)
+	return token, s.Save()
+}
+
+// ValidateCSRFToken checks the submitted CSRF token against the session token.
+func ValidateCSRFToken(c *gin.Context) bool {
+	s := sessions.Default(c)
+	expected, ok := s.Get(csrfTokenKey).(string)
+	if !ok || expected == "" {
+		return false
+	}
+	actual := c.GetHeader(CSRFHeaderName)
+	if actual == "" {
+		actual = c.PostForm("_csrf")
+	}
+	if len(actual) != len(expected) {
+		return false
+	}
+	return subtle.ConstantTimeCompare([]byte(actual), []byte(expected)) == 1
+}
+
+func newCSRFToken() (string, error) {
+	buf := make([]byte, 32)
+	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(buf), nil
+}
diff --git a/web/session/session.go b/web/session/session.go
index c171c1d0..7fc05be1 100644
--- a/web/session/session.go
+++ b/web/session/session.go
@@ -73,6 +73,7 @@ func ClearSession(c *gin.Context) error {
 		Path:     cookiePath,
 		MaxAge:   -1,
 		HttpOnly: true,
+		Secure:   c.Request.TLS != nil,
 		SameSite: http.SameSiteLaxMode,
 	})
 	return s.Save()
diff --git a/web/translation/translate.ar_EG.toml b/web/translation/translate.ar_EG.toml
index b0d33dcf..3b8aa6b8 100644
--- a/web/translation/translate.ar_EG.toml
+++ b/web/translation/translate.ar_EG.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 الترافيك: {{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ الحالة: {{ .State }}\r\n"
 "username" = "👤 اسم المستخدم: {{ .Username }}\r\n"
-"password" = "👤 الباسورد: {{ .Password }}\r\n"
+"reason" = "❗️ السبب: {{ .Reason }}\r\n"
 "time" = "⏰ الوقت: {{ .Time }}\r\n"
 "inbound" = "📍 الإدخال: {{ .Remark }}\r\n"
 "port" = "🔌 البورت: {{ .Port }}\r\n"
diff --git a/web/translation/translate.en_US.toml b/web/translation/translate.en_US.toml
index 25343fe4..8338029f 100644
--- a/web/translation/translate.en_US.toml
+++ b/web/translation/translate.en_US.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 Traffic: {{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Status: {{ .State }}\r\n"
 "username" = "👤 Username: {{ .Username }}\r\n"
-"password" = "👤 Password: {{ .Password }}\r\n"
+"reason" = "❗️ Reason: {{ .Reason }}\r\n"
 "time" = "⏰ Time: {{ .Time }}\r\n"
 "inbound" = "📍 Inbound: {{ .Remark }}\r\n"
 "port" = "🔌 Port: {{ .Port }}\r\n"
diff --git a/web/translation/translate.es_ES.toml b/web/translation/translate.es_ES.toml
index 7f7e9f71..b8b1a5b7 100644
--- a/web/translation/translate.es_ES.toml
+++ b/web/translation/translate.es_ES.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 Tráfico: {{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Estado de Xray: {{ .State }}\r\n"
 "username" = "👤 Nombre de usuario: {{ .Username }}\r\n"
-"password" = "👤 Contraseña: {{ .Password }}\r\n"
+"reason" = "❗️ Motivo: {{ .Reason }}\r\n"
 "time" = "⏰ Hora: {{ .Time }}\r\n"
 "inbound" = "📍 Inbound: {{ .Remark }}\r\n"
 "port" = "🔌 Puerto: {{ .Port }}\r\n"
diff --git a/web/translation/translate.fa_IR.toml b/web/translation/translate.fa_IR.toml
index c4d3eb27..7de9a64e 100644
--- a/web/translation/translate.fa_IR.toml
+++ b/web/translation/translate.fa_IR.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 ترافیک: {{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ وضعیت‌ایکس‌ری: {{ .State }}\r\n"
 "username" = "👤 نام‌کاربری: {{ .Username }}\r\n"
-"password" = "👤 رمز عبور: {{ .Password }}\r\n"
+"reason" = "❗️ دلیل: {{ .Reason }}\r\n"
 "time" = "⏰ زمان: {{ .Time }}\r\n"
 "inbound" = "📍 نام‌ورودی: {{ .Remark }}\r\n"
 "port" = "🔌 پورت: {{ .Port }}\r\n"
diff --git a/web/translation/translate.id_ID.toml b/web/translation/translate.id_ID.toml
index bfede30e..662ef6a2 100644
--- a/web/translation/translate.id_ID.toml
+++ b/web/translation/translate.id_ID.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 Lalu Lintas: {{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Status: {{ .State }}\r\n"
 "username" = "👤 Nama Pengguna: {{ .Username }}\r\n"
-"password" = "👤 Kata Sandi: {{ .Password }}\r\n"
+"reason" = "❗️ Alasan: {{ .Reason }}\r\n"
 "time" = "⏰ Waktu: {{ .Time }}\r\n"
 "inbound" = "📍 Inbound: {{ .Remark }}\r\n"
 "port" = "🔌 Port: {{ .Port }}\r\n"
diff --git a/web/translation/translate.ja_JP.toml b/web/translation/translate.ja_JP.toml
index 2ee6c77c..aa8fccfa 100644
--- a/web/translation/translate.ja_JP.toml
+++ b/web/translation/translate.ja_JP.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 トラフィック：{{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Xrayステータス：{{ .State }}\r\n"
 "username" = "👤 ユーザー名：{{ .Username }}\r\n"
-"password" = "👤 パスワード: {{ .Password }}\r\n"
+"reason" = "❗️ 理由：{{ .Reason }}\r\n"
 "time" = "⏰ 時間：{{ .Time }}\r\n"
 "inbound" = "📍 インバウンド：{{ .Remark }}\r\n"
 "port" = "🔌 ポート：{{ .Port }}\r\n"
diff --git a/web/translation/translate.pt_BR.toml b/web/translation/translate.pt_BR.toml
index bb8d412d..4144f7e8 100644
--- a/web/translation/translate.pt_BR.toml
+++ b/web/translation/translate.pt_BR.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 Tráfego: {{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Status: {{ .State }}\r\n"
 "username" = "👤 Nome de usuário: {{ .Username }}\r\n"
-"password" = "👤 Senha: {{ .Password }}\r\n"
+"reason" = "❗️ Motivo: {{ .Reason }}\r\n"
 "time" = "⏰ Hora: {{ .Time }}\r\n"
 "inbound" = "📍 Inbound: {{ .Remark }}\r\n"
 "port" = "🔌 Porta: {{ .Port }}\r\n"
diff --git a/web/translation/translate.ru_RU.toml b/web/translation/translate.ru_RU.toml
index 299cc019..fb954c0f 100644
--- a/web/translation/translate.ru_RU.toml
+++ b/web/translation/translate.ru_RU.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 Трафик: {{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Состояние Xray: {{ .State }}\r\n"
 "username" = "👤 Имя пользователя: {{ .Username }}\r\n"
-"password" = "👤 Пароль: {{ .Password }}\r\n"
+"reason" = "❗️ Причина: {{ .Reason }}\r\n"
 "time" = "⏰ Время: {{ .Time }}\r\n"
 "inbound" = "📍 Входящее подключение: {{ .Remark }}\r\n"
 "port" = "🔌 Порт: {{ .Port }}\r\n"
diff --git a/web/translation/translate.tr_TR.toml b/web/translation/translate.tr_TR.toml
index b08255af..4ebad7c6 100644
--- a/web/translation/translate.tr_TR.toml
+++ b/web/translation/translate.tr_TR.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 Trafik: {{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Durum: {{ .State }}\r\n"
 "username" = "👤 Kullanıcı Adı: {{ .Username }}\r\n"
-"password" = "👤 Şifre: {{ .Password }}\r\n"
+"reason" = "❗️ Sebep: {{ .Reason }}\r\n"
 "time" = "⏰ Zaman: {{ .Time }}\r\n"
 "inbound" = "📍 Gelen: {{ .Remark }}\r\n"
 "port" = "🔌 Port: {{ .Port }}\r\n"
diff --git a/web/translation/translate.uk_UA.toml b/web/translation/translate.uk_UA.toml
index ba9e9f29..78ab1c53 100644
--- a/web/translation/translate.uk_UA.toml
+++ b/web/translation/translate.uk_UA.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 Трафік: {{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Статус: {{ .State }}\r\n"
 "username" = "👤 Ім'я користувача: {{ .Username }}\r\n"
-"password" = "👤 Пароль: {{ .Password }}\r\n"
+"reason" = "❗️ Причина: {{ .Reason }}\r\n"
 "time" = "⏰ Час: {{ .Time }}\r\n"
 "inbound" = "📍 Inbound: {{ .Remark }}\r\n"
 "port" = "🔌 Порт: {{ .Port }}\r\n"
diff --git a/web/translation/translate.vi_VN.toml b/web/translation/translate.vi_VN.toml
index 77a2f236..0889cf50 100644
--- a/web/translation/translate.vi_VN.toml
+++ b/web/translation/translate.vi_VN.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 Lưu lượng: {{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Trạng thái Xray: {{ .State }}\r\n"
 "username" = "👤 Tên người dùng: {{ .Username }}\r\n"
-"password" = "👤 Mật khẩu: {{ .Password }}\r\n"
+"reason" = "❗️ Lý do: {{ .Reason }}\r\n"
 "time" = "⏰ Thời gian: {{ .Time }}\r\n"
 "inbound" = "📍 Inbound: {{ .Remark }}\r\n"
 "port" = "🔌 Cổng: {{ .Port }}\r\n"
diff --git a/web/translation/translate.zh_CN.toml b/web/translation/translate.zh_CN.toml
index 9a0c694c..c5e5f543 100644
--- a/web/translation/translate.zh_CN.toml
+++ b/web/translation/translate.zh_CN.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 流量：{{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Xray 状态：{{ .State }}\r\n"
 "username" = "👤 用户名：{{ .Username }}\r\n"
-"password" = "👤 密码: {{ .Password }}\r\n"
+"reason" = "❗️ 原因：{{ .Reason }}\r\n"
 "time" = "⏰ 时间：{{ .Time }}\r\n"
 "inbound" = "📍 入站：{{ .Remark }}\r\n"
 "port" = "🔌 端口：{{ .Port }}\r\n"
diff --git a/web/translation/translate.zh_TW.toml b/web/translation/translate.zh_TW.toml
index dc5883c9..5024a6b5 100644
--- a/web/translation/translate.zh_TW.toml
+++ b/web/translation/translate.zh_TW.toml
@@ -765,7 +765,7 @@
 "traffic" = "🚦 流量：{{ .Total }} (↑{{ .Upload }},↓{{ .Download }})\r\n"
 "xrayStatus" = "ℹ️ Xray 狀態：{{ .State }}\r\n"
 "username" = "👤 使用者名稱：{{ .Username }}\r\n"
-"password" = "👤 密碼: {{ .Password }}\r\n"
+"reason" = "❗️ 原因：{{ .Reason }}\r\n"
 "time" = "⏰ 時間：{{ .Time }}\r\n"
 "inbound" = "📍 入站：{{ .Remark }}\r\n"
 "port" = "🔌 埠：{{ .Port }}\r\n"
diff --git a/web/web.go b/web/web.go
index f25dada2..b1f55332 100644
--- a/web/web.go
+++ b/web/web.go
@@ -170,6 +170,16 @@ func (s *Server) getHtmlTemplate(funcMap template.FuncMap) (*template.Template,
 	return t, nil
 }
 
+func (s *Server) isDirectHTTPSConfigured() bool {
+	certFile, certErr := s.settingService.GetCertFile()
+	keyFile, keyErr := s.settingService.GetKeyFile()
+	if certErr != nil || keyErr != nil || certFile == "" || keyFile == "" {
+		return false
+	}
+	_, err := tls.LoadX509KeyPair(certFile, keyFile)
+	return err == nil
+}
+
 // initRouter initializes Gin, registers middleware, templates, static
 // assets, controllers and returns the configured engine.
 func (s *Server) initRouter() (*gin.Engine, error) {
@@ -182,6 +192,8 @@ func (s *Server) initRouter() (*gin.Engine, error) {
 	}
 
 	engine := gin.Default()
+	directHTTPS := s.isDirectHTTPSConfigured()
+	engine.Use(middleware.SecurityHeadersMiddleware(directHTTPS))
 
 	webDomain, err := s.settingService.GetWebDomain()
 	if err != nil {
@@ -209,6 +221,7 @@ func (s *Server) initRouter() (*gin.Engine, error) {
 	sessionOptions := sessions.Options{
 		Path:     basePath,
 		HttpOnly: true,
+		Secure:   directHTTPS,
 		SameSite: http.SameSiteLaxMode,
 	}
 	if sessionMaxAge, err := s.settingService.GetSessionMaxAge(); err == nil && sessionMaxAge > 0 {