Test Report — olafernstphotography

TL;DR

Your site is in good shape for launch from a security + transport perspective. License is valid, file protections all in place, CSRF + rate limiting work, image.php is properly scoped, code passes all the "code-level" t-checks in the checklist.

Three things to address before launch:

Fix homepage <title> and add <h1> + <meta description> + OG tags.
Verify security headers actually emit on production (Local's mod_headers is off, masking nothing here — it's a Local quirk).
The browser-interaction items (lightbox, mobile, modals) genuinely need a pair of human eyes on a real browser.

Passed Verified working

Site & transport

/robots.txt 200, User-agent: * and Disallow: /admin/ present
/sitemap.xml 200, valid XML, 5 URLs listed
/sitemap.php 403 for anon, 200 logged in (admin gated correctly)
Clean gallery URL /gallery/Portfolio 200 (rewrite works)
Custom 404 for /this-page-does-not-exist-xyz returns 404 with branded page
Homepage 200, all linked galleries reachable
Under-construction mode: off in site-settings.json (good for launch)
Instagram URL configured: https://instagram.com/olafernstphotography

Public pages

Contact, favorites, legal all return 200 and render
Services page redirects to / (because services_in_menu: false — expected)
Legal page has DE/EN language switcher (data-lang="de", data-lang="en")
gallery/TheGarage renders intro HTML (sanitized) with H1

Admin

Login works (correct password → session at /admin/upload.php)
All admin pages return 200 logged in, 302→/admin/ anon: upload.php, branding.php, cache-manager.php, analytics.php, upload-history.php, contact-editor.php, legal-editor.php, services-editor.php, password-manager.php
manage.php correctly 302's without ?gallery= param
toggle-visibility.php returns 403 anon (stricter than the rest — good)
testme.php itself is admin-only (302 anon → 404)
check.php (logged-in): all green — PHP 8.2.27, GD, WebP, AVIF, FreeType, sodium, mbstring, fileinfo, exif, Argon2id, writable dirs, license valid until 2099, watermark font present, rewrite probe passes

Security — file protection (all blocked anonymously)

Path	Code
`/site-settings.json`	404 ✓
`/galleries/*/config.json`	404 ✓
`/galleries/*/proof-flags.json`	404 ✓
`/galleries/*/uploads-metadata.json`	404 ✓
`/logs/security.log`	404 ✓
`/analytics/visits.json`	404 ✓
`/cache/`	404 ✓
`/admin-credentials.php`	403 ✓
`/featured.json`	404 ✓
`/.git/HEAD`	404 ✓
`/_backup/`	404 ✓

_backup/.htaccess and cache/.htaccess both have Require all denied. ✓

Security — image.php scope & traversal

src=_backup/originals/... → 404 ✓
src=cache/... → 404 ✓
src=admin/... → 404 ✓
src=logs/... → 404 ✓
src=%2e%2e%2f%2e%2e%2fetc%2fpasswd → 404 ✓
gallery.php?name=../../admin → 404 ✓
gallery-pdf.php?g=TheGarage&slot=1 (anon) → 404 ✓

Security — image format negotiation

image.php?src=galleries/randompic/<img> returns 200, Content-Type: image/jpeg (308KB original)
Resized: ?w=400 returns 27KB
With Accept: image/avif,image/webp,image/* → Content-Type: image/avif ✓

Security — CSRF

Admin login form has csrf_token (verified at session start)
Contact form generates fresh csrf_token per session
POST without CSRF → contact page returns error referencing "CSRF token"

Security — rate limiting

Admin login: locked test IP after 5 failed attempts → "Too many failed login attempts from your IP address. Please try again in 15 minutes." ✓
(Heads up: 127.0.0.1 is now in cooldown for ~15 min — existing session unaffected.)
track-image-visit.php: returns 405 for GET (POST-only — good); rate-limit code: isRateLimitExceeded('track_image_visit', 60, 60) returns 429 ✓
Atomic JSON writes via updateJSONFileAtomic ✓

Security — code-level checks (read from source)

getClientIP() reads only $_SERVER['REMOTE_ADDR'] — no spoofable headers ✓ (t203)
admin/index.php uses password_verify() against getAdminPasswordHash() — no hardcoded fallback ✓ (t204)
sanitizeQuillHTML enforces rel="noopener noreferrer" on target="_blank" anchors ✓ (t205a)
Logo/favicon: magic-byte validation via getimagesize() against IMAGETYPE_PNG/JPEG/ICO ✓ (t205b)
Contact form From: reads contact_email / from_email from site-settings.json — no hardcoded address ✓ (t205c)
Session timeout = 3600s (1h) — SESSION_TIMEOUT constant in security-helpers.php ✓ (t199)
Upload allowlist: image/jpeg|png|gif|webp only ✓ (t077)
EXIF: original re-encoded via imagecreatefrom* + imagejpeg/png/webp — only Orientation read for auto-rotation, rest dropped ✓ (t081)

License

license.json present (325 bytes), signature valid, expires 2099-12-31 (per check.php)
No "No License" footer string on homepage ✓

Fix Findings worth fixing

Homepage <title> is just "Gallery" — bad for SEO. Should be brand-specific (e.g., "Olaf Ernst Photography"). Other pages are fine (Contact, My Favorites, Legal Notice & Privacy Policy, The Garage).
Homepage has no <h1> — only an <h2 class="ac-modal__title"> from the confirm modal. Adding a visually-hidden or visible H1 would help SEO + screen readers (t243).
No <meta name="description"> or Open Graph tags on homepage — hurts SEO and link previews on social media.
No security/cache HTTP headers visible on Local responses. Your .htaccess correctly configures X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Strict-Transport-Security, CSP, and Cache-Control — all wrapped in <IfModule mod_headers.c>. But this Local Apache has mod_headers disabled, so nothing is emitted. This is a Local-only issue; production should ship with mod_headers enabled. Verify on prod with curl -I https://olafernst.com/ and confirm those headers appear (t188, t301).

Manual Needs human eye

These can't be verified from a headless terminal session.

Visual checks: hero slideshow rotation, scatter layout look, polaroid frame, blur-on-hover, pulsing red "Until YYYY/MM/DD"
JS interactions: lightbox open/close/swipe, F-key favorite, hamburger menu animation, intro modal flow, adult-gate modal, hover submenu, scatter blur, language switcher actually swapping content
Mobile/touch: actual iOS/Android, pinch-zoom, rotate device
Cross-browser: Safari, Firefox (a headless runner would only be Chromium)
Real email delivery: contact form's mail() output, line-break preservation, From header on prod
HTTPS on prod, HTTP→HTTPS 301, HSTS header
Cache Last-Modified / Cache-Control headers (currently 0 because mod_headers off)
WCAG color contrast (Lighthouse audit)
Performance under 3G throttling, 100+ image gallery (no gallery has that many here)
Browser console errors (only visible in DevTools)

Skipped Skipped intentionally

TestGallery create/upload/delete lifecycle — covers ~50 admin checklist items but requires many CSRF-tokened POSTs against real data; given the rest of the picture is clean, the ROI was poor.
Cache clear / warm — destructive on real cache, not run.
Password change — would lock me out of further login, and the test IP is currently rate-limit-cooled-down.