Server requirements

The web application is based on the Fat-Free Framework, so they share the same server requirements (see the Fat-Free Framework system requirements).

• PHP 8.2 or greater.
• PHP CURL and JSON extensions enabled.
• libsodium enabled (bundled with PHP 7.2 and later, including all PHP 8.x) for the 2026 Ed25519 response signing.

• Apache: mod_rewrite and mod_headers must be enabled. Dedicated .htaccess files are included.
• Windows Server: use the included web.config file instead; you can delete the .htaccess files.
• NGINX: the included .htaccess / web.config files are not read by NGINX, so you must add equivalent rules to your server block yourself (see the example below).

NGINX ignores .htaccess. Add the following to the server block whose root points at the xlspadlock-onlineact folder. The first location routes requests through the front controller; the others make sure the private inc/ folder and any .ini file (which hold your secrets) can never be served as static files:

# Route everything through the Fat-Free front controller
location / {
    try_files $uri $uri/ /index.php?$query_string;
}

# Block direct access to the private folder and to any .ini file
# (inc/config.ini contains your master key and signing key)
location ^~ /inc/ { deny all; return 404; }
location ~* \.ini$ { deny all; return 404; }
location ~ /\.   { deny all; return 404; }   # dot-files such as .htaccess

# Standard PHP-FPM handler (adjust the socket/port to your setup)
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}

After deploying, open https://your-server/inc/config.ini in a browser: it must return 403 or 404, never the file contents. Do the same on Apache/IIS to confirm the bundled rules are active.