<?php
header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Content-Security-Policy: default-src \'self\'');

$config = require 'config.php';
$db = new PDO(
    "mysql:host={$config['db']['host']};dbname={$config['db']['name']}", 
    $config['db']['user'], 
    $config['db']['pass']
);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    die(json_encode(['error' => 'Method not allowed']));
}

$input = json_decode(file_get_contents('php://input'), true);
if (!$input) {
    http_response_code(400);
    die(json_encode(['error' => 'Invalid JSON']));
}

$username = filter_var($input['username'] ?? '', FILTER_SANITIZE_STRING);
$message = $input['message'] ?? '';
$signature = $input['signature'] ?? '';
$is_encrypted = !empty($input['encrypted']);

if (!$username || !$message) {
    http_response_code(400);
    die(json_encode(['error' => 'Missing required fields']));
}

try {
    $stmt = $db->prepare('INSERT INTO messages (username, message, signature, is_encrypted) VALUES (?, ?, ?, ?)');
    $stmt->execute([$username, $message, $signature, $is_encrypted]);
    echo json_encode(['success' => true]);
} catch (Exception $e) {
    http_response_code(500);
    echo json_encode(['error' => 'Server error']);
}