Harden admin security controls

api/profile.php

@@ -1,7 +1,7 @@
 <?php
 require_once 'config.php';
 require_once __DIR__ . '/error_config.php';
-session_start();
+start_secure_session();
 set_json_headers();
 
 $method = $_SERVER['REQUEST_METHOD'];
@@ -49,6 +49,7 @@ if ($method === 'GET') {
 
 // 이하 수정은 인증 필요
 require_auth();
+require_csrf();
 
 // =====================================================
 // PUT: 프로필 전체 업데이트
@@ -66,7 +67,7 @@ if ($method === 'PUT') {
         'name' => trim($input['name'] ?? $current['name'] ?? ''),
         'title' => trim($input['title'] ?? $current['title'] ?? ''),
         'tagline' => trim($input['tagline'] ?? $current['tagline'] ?? ''),
-        'avatar' => trim($input['avatar'] ?? $current['avatar'] ?? ''),
+        'avatar' => clean_public_url($input['avatar'] ?? $current['avatar'] ?? ''),
         'bio' => trim($input['bio'] ?? $current['bio'] ?? ''),
         'location' => trim($input['location'] ?? $current['location'] ?? ''),
         'email' => trim($input['email'] ?? $current['email'] ?? ''),
@@ -101,7 +102,13 @@ if ($method === 'PUT') {
     }
     
     if (isset($input['social']) && is_array($input['social'])) {
-        $updated['social'] = array_merge($current['social'] ?? [], $input['social']);
+        $social = array_merge($current['social'] ?? [], $input['social']);
+        foreach (['github', 'linkedin', 'blog'] as $key) {
+            if (isset($social[$key])) {
+                $social[$key] = clean_public_url($social[$key]);
+            }
+        }
+        $updated['social'] = $social;
     }
     
     if (write_json_safe(PROFILE_FILE, $updated)) {