diff --git a/.gitignore b/.gitignore
index 15e9bfc9..03ef8272 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 # Local Config
 /public/include/config/global.inc.php
+/public/include/config/security.inc.php
 
 # Templates
 /public/templates/compile/*.php
diff --git a/cronjobs/shared.inc.php b/cronjobs/shared.inc.php
index ecc3da11..b34026df 100644
--- a/cronjobs/shared.inc.php
+++ b/cronjobs/shared.inc.php
@@ -18,6 +18,21 @@ limitations under the License.
 
  */
 
+define('SECURITY', '*)WT#&YHfd');
+// Whether or not to check SECHASH for validity, still checks if SECURITY defined as before if disabled
+define('SECHASH_CHECK', false);
+
+// Nothing below here to configure, move along...
+
+// change SECHASH every second, we allow up to 3 sec back for slow servers
+if (SECHASH_CHECK) {
+  function fip($tr=0) { return md5(SECURITY.(time()-$tr).SECURITY); }
+  define('SECHASH', fip());
+  function cfip() { return (fip()==SECHASH||fip(1)==SECHASH||fip(2)==SECHASH) ? 1 : 0; }
+} else {
+  function cfip() { return (@defined('SECURITY')) ? 1 : 0; }
+}
+
 // MODIFY THIS
 // We need to find our include files so set this properly
 define("BASEPATH", "../public/");
@@ -32,14 +47,15 @@ $dStartTime = microtime(true);
 // Our cron name
 $cron_name = basename($_SERVER['PHP_SELF'], '.php');
 
-// Our security check
-define("SECURITY", 1);
-
 // Include our configuration (holding defines for the requires)
+require_once(BASEPATH . 'include/config/global.inc.dist.php');
 require_once(BASEPATH . 'include/config/global.inc.php');
 
-// We include all needed files here, even though our templates could load them themself
-require_once(INCLUDE_DIR . '/autoloader.inc.php');
+require_once(BASEPATH . 'include/config/security.inc.dist.php');
+@include_once(BASEPATH . 'include/config/security.inc.php');
+
+require_once(BASEPATH . 'include/bootstrap.php');
+require_once(BASEPATH . 'include/version.inc.php');
 
 // Command line switches
 array_shift($argv);
diff --git a/public/include/admin_checks.php b/public/include/admin_checks.php
new file mode 100644
index 00000000..4935047d
--- /dev/null
+++ b/public/include/admin_checks.php
@@ -0,0 +1,130 @@
+<?php
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
+
+if (@$_SESSION['USERDATA']['is_admin'] && $user->isAdmin(@$_SESSION['USERDATA']['id'])) {
+  if (!include_once(INCLUDE_DIR . '/lib/jsonRPCClient.php')) die('Unable to load libs');
+  $notice = array();
+  $enotice = array();
+  $error = array();
+  
+  // setup some basic stuff for checking - getuid/getpwuid not available on mac/windows
+  $apache_user = 'unknown';
+  if (substr_count(strtolower(PHP_OS), 'nix') > 0) {
+    $apache_user = (function_exists('posix_getuid')) ? posix_getuid() : 'unknown';
+    $apache_user = (function_exists('posix_getpwuid')) ? posix_getpwuid($apache_user) : $apache_user;
+  }
+  
+  // setup checks
+  // check if memcache isn't available but enabled in config -> error
+  if (!class_exists('Memcached') && $config['memcache']['enabled']) {
+    $error[] = "You have memcache enabled in your config and it's not available. Install the package on your system.";
+  }
+  // if it's not enabled, test it if it exists, if it works -> error tell them to enable, -> otherwise notice it's disabled
+  if (!$config['memcache']['enabled']) {
+    if (PHP_OS == 'WINNT') {
+      require_once(CLASS_DIR . 'memcached.class.php');
+    }
+    if (class_exists('Memcached')) {
+      $memcache_test = @new Memcached();
+      $memcache_test_add = @$memcache_test->addServer($config['memcache']['host'], $config['memcache']['port']);
+      $randmctv = rand(5,10);
+      $memcache_test_set = @$memcache_test->set('test_mpos_setval', $randmctv);
+      $memcache_test_get = @$memcache_test->get('test_mpos_setval');
+    }
+    if (class_exists('Memcached') && $memcache_test_get == $randmctv) {
+      $error[] = "You have memcache disabled in the config and it's available & works! Enable it.";
+    } else {
+      $notice[] = "Memcache is disabled; Almost every linux distro has packages for it, you should be using it if you can.";
+    }
+  }
+  // check if htaccess exists
+  if (!file_exists(BASEPATH.".htaccess")) {
+    $htaccess_link = "<a href='https://github.com/MPOS/php-mpos/blob/next/public/.htaccess'>.htaccess</a>";
+    $notice[] = "You don't seem to have a .htaccess in your public folder, if you're using apache set it up $htaccess_link";
+  }
+  // check if we can write templates/cache and templates/compile -> error
+  if (!is_writable(THEME_DIR.'/cache')) {
+    $error[] = "templates/cache folder is not writable for uid {$apache_user['name']}";
+  }
+  if (!is_writable(THEME_DIR.'/compile')) {
+    $error[] = "templates/compile folder is not writable for uid {$apache_user['name']}";
+  }
+  // check if we can write the config files, we should NOT be able to -> error
+  if (is_writable(INCLUDE_DIR.'/config/global.inc.php') || is_writable(INCLUDE_DIR.'/config/global.inc.dist.php') ||
+      is_writable(INCLUDE_DIR.'/config/security.inc.php') || is_writable(INCLUDE_DIR.'/config/security.inc.dist.php')) {
+    $error[] = "Your config files <b>SHOULD NOT be writable to this user</b>!";
+  }
+  // check if daemon can connect -> error
+  try {
+    if ($bitcoin->can_connect() !== true) {
+      $error[] = "Unable to connect to coin daemon using provided credentials";
+    }
+  } catch (Exception $e) {
+  }
+  // if coldwallet is not empty, check if the address is valid -> error
+  if (!empty($config['coldwallet']['address'])) {
+    try {
+      if ($bitcoin->can_connect() == true) {
+        $validate_cold_address = $bitcoin->validateaddress($config['coldwallet']['address']);
+        if (!$validate_cold_address['isvalid']) {
+          $error[] = "Your cold wallet address is <u>SET and INVALID</u>";
+        }
+      }
+    } catch (Exception $e) {
+    }
+  }
+  // if database connection fails -> error
+  $db_connect = new mysqli($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);
+  if (mysqli_connect_errno() || !array_key_exists('client_info', $db_connect)) {
+    $error[] = "Unable to connect to mysql using provided credentials";
+  }
+  if ($config['mc_antidos'] && !$config['memcache']['enabled']) {
+    $error[] = "mc_antidos is enabled and memcache is not, <u>memcache is required</u> to use this";
+  }
+  // poke stratum using gettingstarted details -> enotice
+  if (substr_count(strtolower(PHP_OS), 'nix') > 0) {
+    // unix *poke*
+    $socket = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
+    if ($socket !== false) {
+      $address = @gethostbyname($config['gettingstarted']['stratumurl']);
+      $result = @socket_connect($socket, $address, $config['gettingstarted']['stratumport']);
+      if ($result !== 1) {
+        $enotice[] = "We tried to poke your Stratum server using config->gettingstarted details but it didn't respond";
+      }
+      $close = @socket_close($socket);
+    }
+  } else {
+    // mac/windows *poke*
+    if (! $fp = @fsockopen($config['gettingstarted']['stratumurl'],$config['gettingstarted']['stratumport'],$errCode,$errStr,1)) {
+      $enotice[] = "We tried to poke your Stratum server using config->gettingstarted details but it didn't respond";
+    }
+    @fclose($fp);
+  }
+  
+  // security checks
+  // salts too short -> notice, salts default -> error
+  if ((strlen($config['SALT']) < 24) || (strlen($config['SALTY']) < 24) || $config['SALT'] == 'PLEASEMAKEMESOMETHINGRANDOM' || $config['SALTY'] == 'THISSHOULDALSOBERRAANNDDOOM') {
+    if ($config['SALT'] == 'PLEASEMAKEMESOMETHINGRANDOM' || $config['SALTY'] == 'THISSHOULDALSOBERRAANNDDOOM') {
+      $error[] = "You absolutely <u>SHOULD NOT leave your SALT or SALTY default</u> changing them will require registering again";
+    } else {
+      $notice[] = "SALT or SALTY is too short, they should be more than 24 characters and changing them will require registering again";
+    }
+  }
+  
+  // display the errors
+  foreach ($enotice as $en) {
+    $_SESSION['POPUP'][] = array('CONTENT' => $en, 'TYPE' => 'info');
+  }
+  if (!count($notice) && !count($error)) {
+    $_SESSION['POPUP'][] = array('CONTENT' => 'The config options we checked seem OK', 'TYPE' => 'success');
+  } else {
+    foreach ($notice as $n) {
+      $_SESSION['POPUP'][] = array('CONTENT' => $n, 'TYPE' => 'warning');
+    }
+    foreach ($error as $e) {
+      $_SESSION['POPUP'][] = array('CONTENT' => $e, 'TYPE' => 'errormsg');
+    }
+  }
+}
+
+?>
\ No newline at end of file
diff --git a/public/include/autoloader.inc.php b/public/include/autoloader.inc.php
index 5bf2652f..6cd887e5 100644
--- a/public/include/autoloader.inc.php
+++ b/public/include/autoloader.inc.php
@@ -1,7 +1,6 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+(SECURITY == "*)WT#&YHfd" && SECHASH_CHECK) ? die("public/index.php -> Set a new SECURITY value to continue") : 0;
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // SHA/Scrypt check
 if (empty($config['algorithm']) || $config['algorithm'] == 'scrypt') {
@@ -9,9 +8,13 @@ if (empty($config['algorithm']) || $config['algorithm'] == 'scrypt') {
 } else {
   $config['target_bits'] = 32;
 }
+
 // Default classes
 require_once(CLASS_DIR . '/debug.class.php');
 require_once(INCLUDE_DIR . '/lib/KLogger.php');
+if ($config['mysql_filter']) {
+  require_once(CLASS_DIR . '/strict.class.php');
+}
 require_once(INCLUDE_DIR . '/database.inc.php');
 require_once(INCLUDE_DIR . '/config/memcache_keys.inc.php');
 require_once(INCLUDE_DIR . '/config/error_codes.inc.php');
@@ -65,7 +68,4 @@ require_once(CLASS_DIR . '/api.class.php');
 require_once(INCLUDE_DIR . '/lib/Michelf/Markdown.php');
 require_once(INCLUDE_DIR . '/lib/scrypt.php');
 
-// Include our versions
-require_once(INCLUDE_DIR . '/version.inc.php');
-
 ?>
diff --git a/public/include/bootstrap.php b/public/include/bootstrap.php
new file mode 100644
index 00000000..98cf6d55
--- /dev/null
+++ b/public/include/bootstrap.php
@@ -0,0 +1,28 @@
+<?php 
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
+// Used for performance calculations
+$dStartTime = microtime(true);
+
+define('INCLUDE_DIR', BASEPATH . 'include');
+define('CLASS_DIR', INCLUDE_DIR . '/classes');
+define('PAGES_DIR', INCLUDE_DIR . '/pages');
+define('THEME_DIR', BASEPATH . 'templates');
+
+$quickstartlink = "<a href='https://github.com/MPOS/php-mpos/wiki/Quick-Start-Guide' title='MPOS Quick Start Guide'>Quick Start Guide</a>";
+
+// Include our configuration (holding defines for the requires)
+if (!include_once(BASEPATH . 'include/config/global.inc.dist.php')) die('Unable to load base global config - '.$quickstartlink);
+if (!@include_once(BASEPATH . 'include/config/global.inc.php')) die('Unable to load your global config - '.$quickstartlink);
+
+// load our security configs
+if (!include_once(BASEPATH . 'include/config/security.inc.dist.php')) die('Unable to load base security config - '.$quickstartlink);
+if (@file_exists(BASEPATH . 'include/config/security.inc.php')) include_once(BASEPATH . 'include/config/security.inc.php');
+
+// Our default template to load, pages can overwrite this later
+$master_template = 'master.tpl';
+
+// Load Classes, they name defines the $ variable used
+// We include all needed files here, even though our templates could load them themself
+require_once(INCLUDE_DIR . '/autoloader.inc.php');
+
+?>
\ No newline at end of file
diff --git a/public/include/classes/api.class.php b/public/include/classes/api.class.php
index 336ba2bc..be57fbbf 100644
--- a/public/include/classes/api.class.php
+++ b/public/include/classes/api.class.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 /**
  * Helper class for our API
diff --git a/public/include/classes/base.class.php b/public/include/classes/base.class.php
index d8bb23bb..385474f2 100644
--- a/public/include/classes/base.class.php
+++ b/public/include/classes/base.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 /**
  * Our base class that we extend our other classes from
@@ -40,6 +37,9 @@ class Base {
   public function setUser($user) {
     $this->user = $user;
   }
+  public function setSessionManager($session) {
+    $this->session = $session;
+  }
   public function setConfig($config) {
     $this->config = $config;
   }
diff --git a/public/include/classes/bitcoin.class.php b/public/include/classes/bitcoin.class.php
index f1512c70..01b2a71d 100644
--- a/public/include/classes/bitcoin.class.php
+++ b/public/include/classes/bitcoin.class.php
@@ -1,7 +1,5 @@
 <?php
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 /**
  * Bitcoin classes
diff --git a/public/include/classes/bitcoinwrapper.class.php b/public/include/classes/bitcoinwrapper.class.php
index b2167611..544cecff 100644
--- a/public/include/classes/bitcoinwrapper.class.php
+++ b/public/include/classes/bitcoinwrapper.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 /**
  * We use a wrapper class around BitcoinClient to add
@@ -76,4 +73,4 @@ class BitcoinWrapper extends BitcoinClient {
 }
 
 // Load this wrapper
-$bitcoin = new BitcoinWrapper($config['wallet']['type'], $config['wallet']['username'], $config['wallet']['password'], $config['wallet']['host'], DEBUG, $debug, $memcache);
+$bitcoin = new BitcoinWrapper($config['wallet']['type'], $config['wallet']['username'], $config['wallet']['password'], $config['wallet']['host'], $config['DEBUG'], $debug, $memcache);
diff --git a/public/include/classes/block.class.php b/public/include/classes/block.class.php
index 5f1668bd..52cbfebf 100644
--- a/public/include/classes/block.class.php
+++ b/public/include/classes/block.class.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Block extends Base {
   protected $table = 'blocks';
diff --git a/public/include/classes/csrftoken.class.php b/public/include/classes/csrftoken.class.php
index 2e8dc953..13e20955 100644
--- a/public/include/classes/csrftoken.class.php
+++ b/public/include/classes/csrftoken.class.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class CSRFToken Extends Base {
   public $valid = 0;
@@ -99,8 +97,8 @@ class CSRFToken Extends Base {
 $csrftoken = new CSRFToken();
 $csrftoken->setDebug($debug);
 $csrftoken->setMysql($mysqli);
-$csrftoken->setSalt(SALT);
-$csrftoken->setSalty(SALTY);
+$csrftoken->setSalt($config['SALT']);
+$csrftoken->setSalty($config['SALTY']);
 $csrftoken->setMail($mail);
 $csrftoken->setUser($user);
 $csrftoken->setToken($oToken);
diff --git a/public/include/classes/debug.class.php b/public/include/classes/debug.class.php
index 362a926d..de5c9435 100644
--- a/public/include/classes/debug.class.php
+++ b/public/include/classes/debug.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 /**
  * This file defines the debug class used in this site to enable
@@ -111,5 +108,5 @@ class Debug {
 }
 
 // Instantiate this class
-$debug = new Debug(DEBUG);
+$debug = new Debug($config['DEBUG']);
 ?>
diff --git a/public/include/classes/invitation.class.php b/public/include/classes/invitation.class.php
index 40399477..7acbf2ac 100644
--- a/public/include/classes/invitation.class.php
+++ b/public/include/classes/invitation.class.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Invitation extends Base {
   var $table = 'invitations';
diff --git a/public/include/classes/mail.class.php b/public/include/classes/mail.class.php
index 841c75b7..329989df 100644
--- a/public/include/classes/mail.class.php
+++ b/public/include/classes/mail.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+(!cfip()) ? header('HTTP/1.1 401 Unauthorized') : 0;
 
 class Mail extends Base {
   /**
diff --git a/public/include/classes/memcache_ad.class.php b/public/include/classes/memcache_ad.class.php
new file mode 100644
index 00000000..724c57d2
--- /dev/null
+++ b/public/include/classes/memcache_ad.class.php
@@ -0,0 +1,85 @@
+<?php
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
+
+class MemcacheAntiDos
+{
+  public $cache;
+  public $rate_limit_this_request = false;
+  public $rate_limit_api_request = false;
+  public $rate_limit_site_request = false;
+  public function __construct($config, &$memcache, $request='') {
+    $this->cache = $memcache;
+    // set our config options
+    $userORip = $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'];
+    // prep stuff we need to check this request
+    $key_md5 = $config['memcache']['keyprefix'].md5($userORip);
+    $request_data = $this->cache->get($key_md5);
+    $now = time();
+    $max_req_flush = max(array($config['mc_antidos']['flush_seconds_api'],$config['mc_antidos']['flush_seconds_site']));
+    // check the request
+    if (is_array($request_data)) {
+      // this request key already exists, update it
+      $request_data['la'] = $now;
+      if ($request == 'api') {
+        $request_data['ha'] += 1;
+        if ($config['mc_antidos']['ajax_hits_additive']) {
+          $request_data['hn'] += 1;
+        }
+      } else {
+        $request_data['hn'] += 1;
+      }
+      // not rate limited yet, update the rest of the object
+      if (($request_data['hn'] < $config['mc_antidos']['rate_limit_site']) && ($request_data['ha'] < $config['mc_antidos']['rate_limit_api'])) {
+        if (((($request_data['hnl'] + $config['mc_antidos']['flush_seconds_site']) <= $now) || ($request_data['hal'] + $config['mc_antidos']['flush_seconds_api']) <= $now) || (($request_data['la'] + $max_req_flush) <= $now)) {
+          // needs to be flushed & updated
+          $new = $this->getRequestBase();
+          $new['key'] = $key_md5;
+          $new['la'] = $now;
+          $new['hal'] = ((($request_data['hal'] + $config['mc_antidos']['flush_seconds_api']) <= $now)) ? $now : 1;
+          $new['hnl'] = ((($request_data['hnl'] + $config['mc_antidos']['flush_seconds_site']) <= $now)) ? $now : 1;
+          $this->cache->set($key_md5, $new, $config['memcache']['expiration']);
+          $this->rate_limit_api_request = ($request_data['ha'] >= $config['mc_antidos']['rate_limit_api']) ? true : false;
+          $this->rate_limit_site_request = ($request_data['hn'] >= $config['mc_antidos']['rate_limit_site']) ? true : false;
+        } else {
+          // no flush, just update
+          $new = $this->getRequestBase();
+          $new['key'] = $request_data['key'];
+          $new['la'] = time();
+          $new['ha'] = $request_data['ha'];
+          $new['hal'] = $request_data['hal'];
+          $new['hn'] = $request_data['hn'];
+          $new['hnl'] = $request_data['hnl'];
+          $this->cache->set($key_md5, $new, $config['memcache']['expiration']);
+          $this->rate_limit_api_request = ($request_data['ha'] >= $config['mc_antidos']['rate_limit_api']) ? true : false;
+          $this->rate_limit_site_request = ($request_data['hn'] >= $config['mc_antidos']['rate_limit_site']) ? true : false;
+        }
+      } else {
+        // too many hits, we should rate limit this
+        $this->rate_limit_api_request = ($request_data['ha'] >= $config['mc_antidos']['rate_limit_api']) ? true : false;
+        $this->rate_limit_site_request = ($request_data['hn'] >= $config['mc_antidos']['rate_limit_site']) ? true : false;
+      }
+    } else {
+      // doesn't exist for this request_key, create one
+      $new = $this->getRequestBase();
+      $new['key'] = $config['memcache']['keyprefix'].md5($userORip);
+      $new['la'] = time();
+      if ($request == 'api') {
+        $new['ha'] += 1;
+        if ($config['mc_antidos']['ajax_hits_additive']) {
+          $new['hn'] += 1;
+        }
+      } else {
+        $new['hn'] += 1;
+      }
+      $this->cache->set($key_md5, $new, $config['memcache']['expiration']);
+      $this->rate_limit_api_request = false;
+      $this->rate_limit_site_request = false;
+    }
+  }
+  public function getRequestBase() {
+    $new = array('key' => '','la' => 0,'hn' => 0,'hnl' => 0,'ha' => 0,'hal' => 0);
+    return $new;
+  }
+}
+
+?>
\ No newline at end of file
diff --git a/public/include/classes/memcached.class.php b/public/include/classes/memcached.class.php
index 2f431337..55a66c67 100644
--- a/public/include/classes/memcached.class.php
+++ b/public/include/classes/memcached.class.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 /**
  * A wrapper class which provides compatibility between Memcached and Memcache
diff --git a/public/include/classes/monitoring.class.php b/public/include/classes/monitoring.class.php
index 04a1324b..3cd84cba 100644
--- a/public/include/classes/monitoring.class.php
+++ b/public/include/classes/monitoring.class.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Monitoring extends Base {
    protected $table = 'monitoring';
diff --git a/public/include/classes/news.class.php b/public/include/classes/news.class.php
index f71ab7d8..bccc6cab 100644
--- a/public/include/classes/news.class.php
+++ b/public/include/classes/news.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class News extends Base {
   protected $table = 'news';
diff --git a/public/include/classes/notification.class.php b/public/include/classes/notification.class.php
index dd467634..66887e34 100644
--- a/public/include/classes/notification.class.php
+++ b/public/include/classes/notification.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Notification extends Mail {
   var $table = 'notifications';
diff --git a/public/include/classes/payout.class.php b/public/include/classes/payout.class.php
index a83d87e2..5255dbde 100644
--- a/public/include/classes/payout.class.php
+++ b/public/include/classes/payout.class.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Payout Extends Base {
   protected $table = 'payouts';
diff --git a/public/include/classes/roundstats.class.php b/public/include/classes/roundstats.class.php
index bfb7707f..81c8f1d1 100644
--- a/public/include/classes/roundstats.class.php
+++ b/public/include/classes/roundstats.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class RoundStats extends Base {
   private $tableTrans = 'transactions';
diff --git a/public/include/classes/setting.class.php b/public/include/classes/setting.class.php
index 82a889af..76ce7097 100644
--- a/public/include/classes/setting.class.php
+++ b/public/include/classes/setting.class.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Setting extends Base {
   protected $table = 'settings';
diff --git a/public/include/classes/share.class.php b/public/include/classes/share.class.php
index 1c8f9951..0d11c4d5 100644
--- a/public/include/classes/share.class.php
+++ b/public/include/classes/share.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Share Extends Base {
   protected $table = 'shares';
diff --git a/public/include/classes/statistics.class.php b/public/include/classes/statistics.class.php
index f45304f6..ad513151 100644
--- a/public/include/classes/statistics.class.php
+++ b/public/include/classes/statistics.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 
 /*
diff --git a/public/include/classes/statscache.class.php b/public/include/classes/statscache.class.php
index bdcbbabd..c17d8a74 100644
--- a/public/include/classes/statscache.class.php
+++ b/public/include/classes/statscache.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 /**
  * A wrapper class used to store values transparently in memcache
diff --git a/public/include/classes/strict.class.php b/public/include/classes/strict.class.php
new file mode 100644
index 00000000..26576bd1
--- /dev/null
+++ b/public/include/classes/strict.class.php
@@ -0,0 +1,39 @@
+<?php 
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
+
+class mysqli_strict extends mysqli {
+  public function bind_param($paramTypes) {
+    if (!is_string($paramTypes)) {
+      return false;
+    } else {
+      $args = func_get_args();
+      $acopy = $args;
+      $nargs = count($args);
+      for($i=1;$i<$nargs;$i++) {
+        $ipos = ($i-1);
+        $pos = substr($paramTypes, $ipos, 1);
+        switch ($pos) {
+        	case 's':
+        	  $return_str = filter_var($acopy[$i], FILTER_VALIDATE_STRING, FILTER_NULL_ON_FAILURE);
+        	  $acopy[$i] = ($return_str !== null) ? (string)$return_str : null;
+        	  break;
+        	case 'i':
+        	  $return_int = filter_var($acopy[$i], FILTER_VALIDATE_INT, FILTER_NULL_ON_FAILURE);
+        	  $acopy[$i] = ($return_int !== null) ? (int)$return_int : null;
+        	  break;
+        	case 'd':
+        	  $return_dbl = filter_var($acopy[$i], FILTER_VALIDATE_FLOAT, FILTER_NULL_ON_FAILURE);
+        	  $acopy[$i] = ($return_dbl !== null) ? (float)$return_dbl : null;
+        	  break;
+        	case 'b':
+        	  $return_bool = filter_var($acopy[$i], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
+        	  $acopy[$i] = ($return_bool !== null) ? (bool)$return_bool : null;
+        	  break;
+        }
+      }
+      return (in_array(null, $acopy));
+    }
+  }
+}
+
+?>
\ No newline at end of file
diff --git a/public/include/classes/template.class.php b/public/include/classes/template.class.php
index fe03fe7b..b297c528 100644
--- a/public/include/classes/template.class.php
+++ b/public/include/classes/template.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Template extends Base {
   protected $table = 'templates';
diff --git a/public/include/classes/token.class.php b/public/include/classes/token.class.php
index 4bcfc033..3b64ee28 100644
--- a/public/include/classes/token.class.php
+++ b/public/include/classes/token.class.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Token Extends Base {
   protected $table = 'tokens';
diff --git a/public/include/classes/tokentype.class.php b/public/include/classes/tokentype.class.php
index 8befe7f0..57b044b7 100644
--- a/public/include/classes/tokentype.class.php
+++ b/public/include/classes/tokentype.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Token_Type Extends Base {
   protected $table = 'token_types';
@@ -36,6 +33,18 @@ class Token_Type Extends Base {
       return $result->fetch_all(MYSQLI_ASSOC);
     return $this->sqlError();
   }
+  
+  /**
+   * Fetch all tokens - used for unit tests
+   * @param none
+   * @return array All tokentypes
+   **/
+  public function getAll() {
+    $stmt = $this->mysqli->prepare("SELECT * FROM $this->table");
+    if ($this->checkStmt($stmt) && $stmt->execute() && $result = $stmt->get_result())
+      return $result->fetch_all(MYSQLI_ASSOC);
+    return $this->sqlError();
+  }
 }
 
 $tokentype = new Token_Type();
diff --git a/public/include/classes/tools.class.php b/public/include/classes/tools.class.php
index 0c573369..e00b370b 100644
--- a/public/include/classes/tools.class.php
+++ b/public/include/classes/tools.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 /**
  * Helper class for our cronjobs
diff --git a/public/include/classes/transaction.class.php b/public/include/classes/transaction.class.php
index 060e394d..24fe9034 100644
--- a/public/include/classes/transaction.class.php
+++ b/public/include/classes/transaction.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Transaction extends Base {
   protected $table = 'transactions';
diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index c81fabc7..aa2b0319 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class User extends Base {
   protected $table = 'accounts';
@@ -46,6 +43,9 @@ class User extends Base {
   public function getUserIp($id) {
     return $this->getSingle($id, 'loggedIp', 'id');
   }
+  public function getLastLogin($id) {
+    return $this->getSingle($id, 'last_login', 'id');
+  }
   public function getEmail($email) {
     return $this->getSingle($email, 'email', 'email', 's');
   }
@@ -141,9 +141,13 @@ class User extends Base {
       return false;
     }
     if ($this->checkUserPassword($username, $password)) {
-      $this->updateLoginTimestamp($this->getUserId($username));
-      $this->createSession($username);
-      if ($this->setUserIp($this->getUserId($username), $_SERVER['REMOTE_ADDR'])) {
+      $uid = $this->getUserId($username);
+      $lastLoginTime = $this->getLastLogin($uid);
+      $this->updateLoginTimestamp($uid);
+      $getIPAddress = $this->getUserIp($uid);
+      $setIPAddress = $this->setUserIp($uid, $_SERVER['REMOTE_ADDR']);
+      $this->createSession($username, $getIPAddress, $lastLoginTime);
+      if ($setIPAddress) {
         // send a notification if success_login is active
         $uid = $this->getUserId($username);
         $notifs = new Notification();
@@ -493,9 +497,12 @@ class User extends Base {
    * @param username string Username to create session for
    * @return none
    **/
-  private function createSession($username) {
+  private function createSession($username, $lastIP='', $lastLoginTime='') {
     $this->debug->append("STA " . __METHOD__, 4);
     $this->debug->append("Log in user to _SESSION", 2);
+    if (!empty($lastIP) && (!empty($lastLoginTime))) {
+      $_SESSION['last_ip_pop'] = array($lastIP, $lastLoginTime);
+    }
     session_regenerate_id(true);
     $_SESSION['AUTHENTICATED'] = '1';
     // $this->user from checkUserPassword
@@ -517,7 +524,7 @@ class User extends Base {
    * @param none
    * @return true
    **/
-  public function logoutUser($from="") {
+  public function logoutUser() {
     $this->debug->append("STA " . __METHOD__, 4);
     // Unset all of the session variables
     $_SESSION = array();
@@ -530,10 +537,11 @@ class User extends Base {
     session_destroy();
     // Enforce generation of a new Session ID and delete the old
     session_regenerate_id(true);
+    
     // Enforce a page reload and point towards login with referrer included, if supplied
-    $port = ($_SERVER["SERVER_PORT"] == "80" or $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
-    $location = @$_SERVER['HTTPS'] ? 'https://' . $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'] : 'http://' . $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'];
-    if (!empty($from)) $location .= '?page=login&to=' . urlencode($from);
+    $port = ($_SERVER["SERVER_PORT"] == "80" || $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
+    $pushto = $_SERVER['SCRIPT_NAME'].'?page=login';
+    $location = (@$_SERVER['HTTPS'] == 'on') ? 'https://' . $_SERVER['SERVER_NAME'] . $port . $pushto : 'http://' . $_SERVER['SERVER_NAME'] . $port . $pushto;
     // if (!headers_sent()) header('Location: ' . $location);
     exit('<meta http-equiv="refresh" content="0; url=' . $location . '"/>');
   }
@@ -797,12 +805,12 @@ class User extends Base {
    * @param none
    * @return bool
    **/
-  public function isAuthenticated($logout=true) {
+public function isAuthenticated($logout=true) {
     $this->debug->append("STA " . __METHOD__, 4);
     if (@$_SESSION['AUTHENTICATED'] == true &&
-        !$this->isLocked($_SESSION['USERDATA']['id']) &&
-        $this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR']
-      ) return true;
+    !$this->isLocked($_SESSION['USERDATA']['id']) &&
+    $this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR']
+    ) return true;
     // Catchall
     if ($logout == true) $this->logoutUser($_SERVER['REQUEST_URI']);
     return false;
@@ -846,7 +854,7 @@ class User extends Base {
 $user = new User();
 $user->setDebug($debug);
 $user->setMysql($mysqli);
-$user->setSalt(SALT);
+$user->setSalt($config['SALT']);
 $user->setSmarty($smarty);
 $user->setConfig($config);
 $user->setMail($mail);
diff --git a/public/include/classes/worker.class.php b/public/include/classes/worker.class.php
index 9076cc3c..b661bd22 100644
--- a/public/include/classes/worker.class.php
+++ b/public/include/classes/worker.class.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 class Worker extends Base {
   protected $table = 'pool_worker';
diff --git a/public/include/config/admin_settings.inc.php b/public/include/config/admin_settings.inc.php
index 7e72797d..27e95c3b 100644
--- a/public/include/config/admin_settings.inc.php
+++ b/public/include/config/admin_settings.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 $aThemes = $template->getThemes();
 
diff --git a/public/include/config/error_codes.inc.php b/public/include/config/error_codes.inc.php
index 9083cf3d..50c4db24 100644
--- a/public/include/config/error_codes.inc.php
+++ b/public/include/config/error_codes.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 $aErrorCodes['OK'] = 'OK';
 $aErrorCodes['E0001'] = 'Out of Order Share Detected';
diff --git a/public/include/config/global.inc.dist.php b/public/include/config/global.inc.dist.php
index 1860f0b4..9a7c45eb 100644
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
@@ -1,58 +1,38 @@
 <?php
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 /**
  * Do not edit this unless you have confirmed that your config has been updated!
- * This is used in the version check to ensure you run the latest version of the configuration file.
- * Once you upgraded your config, change the version here too.
+ *  https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-config-version
  **/
-$config['version'] = '0.0.6';
-
-// Our include directory for additional features
-define('INCLUDE_DIR', BASEPATH . 'include');
-
-// Our class directory
-define('CLASS_DIR', INCLUDE_DIR . '/classes');
-
-// Our pages directory which takes care of
-define('PAGES_DIR', INCLUDE_DIR . '/pages');
-
-// Our theme folder holding all themes
-define('THEME_DIR', BASEPATH . 'templates');
-
-// Set debugging level for our debug class
-// Values valid from 0 (disabled) to 5 (most verbose)
-define('DEBUG', 0);
-
-// SALT used to hash passwords
-define('SALT', 'PLEASEMAKEMESOMETHINGRANDOM');
-define('SALTY', 'THISSHOULDALSOBERRAANNDDOOM');
+$config['version'] = '0.0.7';
 
 /**
-  * Underlying coin algorithm that you are mining on. Set this to whatever your coin needs:
-  *
-  * Options:
-  *   sha256d    :  SHA coins like Bitcoin
-  *   scrypt     :  Scrypt based coins like Litecoin
-  * Default:
-  *   scrypt   :  Scrypt is default
+ * Unless you disable this, we'll do a quick check on your config first.
+ *  https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-config-check
+ */
+$config['skip_config_tests'] = false;
+
+/**
+ * Defines
+ *  Debug setting and salts for hashing passwords
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-defines--salts
+ */
+$config['DEBUG'] = 0;
+$config['SALT'] = 'PLEASEMAKEMESOMETHINGRANDOM';
+$config['SALTY'] = 'THISSHOULDALSOBERRAANNDDOOM';
+
+/**
+  * Coin Algorithm
+  *  Algorithm used by this coin, sha256d or scrypt
+  *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-algorithm
   **/
 $config['algorithm'] = 'scrypt';
 
 /**
  * Database configuration
- *
- * A MySQL database backend is required for MPOS.
- * Also ensure the database structure is imported!
- * The SQL file should be included in this project under the `sql` directory
- *
- * Default:
- *   host     =  'localhost'
- *   port     =  3306
- *   user     =  'someuser'
- *   pass     =  'somepass'
- *   name     =  'mpos'
+ *  MySQL database configuration
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-database-configuration
  **/
 $config['db']['host'] = 'localhost';
 $config['db']['user'] = 'someuser';
@@ -61,17 +41,9 @@ $config['db']['port'] = 3306;
 $config['db']['name'] = 'mpos';
 
 /**
- * Local wallet RPC configuration
- *
- * MPOS uses the RPC backend to fetch transactions, blocks
- * and various other things. They need to match your coind RPC
- * configuration.
- *
- * Default:
- *   type      =  'http'
- *   host      =  'localhost:19334'
- *   username  =  'testnet'
- *   password  =  'testnet'
+ * Local wallet RPC
+ *  RPC configuration for your daemon/wallet
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-local-wallet-rpc
  **/
 $config['wallet']['type'] = 'http';
 $config['wallet']['host'] = 'localhost:19334';
@@ -79,93 +51,18 @@ $config['wallet']['username'] = 'testnet';
 $config['wallet']['password'] = 'testnet';
 
 /**
- * Payout of liquid assets
- *
- * Explanation:
- *   Running pools, especially those with active fees, will build up a good
- *   amount of liquid assets that can be used by pool operators. If you wish
- *   to automatically send your assets to a offline wallet, set your account
- *   address, reserves and thresholds here.
- *
- * Options:
- *   address    :  The address of the wallet to the address you'd like to receive the coins in
- *   reserve    :  The amount you'd like to remain in the wallet. Recommended is at least 1 block value
- *   threshold  :  The amount of coins you'd like to send per batch minimum. Once exceeded, this is sent
- *                 to the offline wallet address specified.
- * Default:
- *   addresss   :  empty
- *   reserve    :  50
- *   threshold  :  25
+ * Cold Wallet / Liquid Assets
+ *  Automatically send liquid assets to a cold wallet
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-liquid-assets--cold-wallet
  **/
 $config['coldwallet']['address'] = '';
 $config['coldwallet']['reserve'] = 50;
 $config['coldwallet']['threshold'] = 5;
 
-/**
- * E-mail confirmations for user actions
- *
- * Explanation:
- *   To increase security for users, account detail changes can require
- *   an e-mail confirmation prior to performing certain actions.
- *
- * Options:
- *   enabled   :  Whether or not to require e-mail confirmations
- *   details   :  Require confirmation to change account details
- *   withdraw  :  Require confirmation to manually withdraw/payout
- *   changepw  :  Require confirmation to change password
- *
- * Default:
- *   enabled   =  true
- *   details   =  true
- *   withdraw  =  true
- *   changepw  =  true
- */
-$config['twofactor']['enabled'] = true;
-$config['twofactor']['options']['details'] = true;
-$config['twofactor']['options']['withdraw'] = true;
-$config['twofactor']['options']['changepw'] = true;
-
-/**
- * CSRF protection
- *
- * Explanation:
- *   To help protect against CSRF, we can generate a hash that changes every minute
- *   and is unique for each user/IP and page or use, and check against that when a
- *   form is submitted.
- *
- * Options:
- *   enabled          =   Whether or not we will generate & check for valid CSRF tokens
- * Default:
- *   enabled          =   true
- */
-$config['csrf']['enabled'] = true;
-
-/**
- * Lock account after maximum failed logins
- *
- * Explanation:
- *   To avoid accounts being hacked by brute force attacks,
- *   set a maximum amount of failed login or pin entry attempts before locking
- *   the account. They will need to contact site support to re-enable the account.
- *
- *   This also applies for invalid PIN entries, which is covered by the pin option.
- *
- *   Workers are not affected by this lockout, mining will continue as usual.
- *
- * Default:
- *   login  =  3
- *   pin    =  3
- **/
-$config['maxfailed']['login'] = 3;
-$config['maxfailed']['pin'] = 3;
-
 /**
  * Getting Started Config
- *
- * This is displayed on GettingStarted Page
- * to make it more dynamic
- *
- *
+ *  Shown to users in the 'Getting Started' section
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-getting-started
  **/
 $config['gettingstarted']['coinname'] = 'Litecoin';
 $config['gettingstarted']['coinurl'] = 'http://www.litecoin.org';
@@ -173,401 +70,163 @@ $config['gettingstarted']['stratumurl'] = '';
 $config['gettingstarted']['stratumport'] = '3333';
 
 /**
- * API configuration to fetch prices for set currency
- *
- * Explanation:
- *   MPOS will try to fetch the current exchange rates
- *   from this API URL/target. Currently btc-e and coinchoose
- *   are supported in MPOS. If you want to remove the trade
- *   header just set currency to an empty string.
- *
- * Default (btc-e.com):
- *   url       =  `https://btc-e.com`
- *   target    =  `/api/2/ltc_usd/ticker`
- *   currency  =  `USD`
- *
- * Optional (coinchoose.com):
- *   url       =  `http://www.coinchoose.com`
- *   target    =  `/api.php`
- *   currency  =  `BTC`
- *
- * Optional (cryptsy.com):
- *   url       =  `http://pubapi.cryptsy.com`
- *   currency  =  `BTC`
- *   target    =  `/api.php?method=marketdata`
+ * Ticker API
+ *  Fetch exchange rates via an API
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-ticker-api
  **/
 $config['price']['url'] = 'https://btc-e.com';
 $config['price']['target'] = '/api/2/ltc_usd/ticker';
 $config['price']['currency'] = 'USD';
 
 /**
- * Automatic payout thresholds
- *
- * These values define the min and max settings
- * that can be entered by a user.
- * Defaults:
- *   `min` = `1`
- *   `max` = `250`
+ * Automatic Payout Thresholds
+ *  Minimum and Maximum auto payout amount
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-automatic-payout-thresholds
  **/
 $config['ap_threshold']['min'] = 1;
 $config['ap_threshold']['max'] = 250;
 
 /**
  * Donation thresholds
- *
- * You can define a min and max values for you users
- * donation settings here.
- *
- * Defaults:
- *   `min` = `1`
+ *  Minimum donation amount in percent
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-donation-thresholds
  **/
 $config['donate_threshold']['min'] = 1;
 
 /**
- * Account specific settings
- *
- * Explanation
- *   Invitations will allow your users to invite new members to join the pool.
- *   After sending a mail to the invited user, they can register using the token
- *   created. Invitations can be enabled and disabled through the admin panel.
- *   Sent invitations are listed on the account invitations page.
- *
- *   You can limit the number of registrations send per account via configuration
- *   variable.
- *
- *  Options:
- *    count          :  Maximum invitations a user is able to send
- *
- *  Defaults:
- *    count          :  5
+ * Account Specific Settings
+ *  Settings for each user account
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-account-specific-settings
  **/
 $config['accounts']['invitations']['count'] = 5;
 
-// Currency system used in this pool, default: `LTC`
+/**
+ * Currency
+ *  Shorthand name for the currency
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-currency
+ */
 $config['currency'] = 'LTC';
 
 /**
- * Coin Target in seconds
- *
- * Explanation
- *   Target time for coins to be generated
- *
- *   Fastcoin: 12 seconds
- *   Litecoin: 2,5 minutes = 150 seconds
- *   Feathercoin: 2,5 minutes = 150 seconds
- *   Bitcoin: 10 minutes = 600 seconds
- *
+ * Coin Target
+ *  Target time for coins to be generated
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-coin-target
  **/
 $config['cointarget'] = '150';
 
 /**
- * Diff change every X Blocks
- *
- * Explanation
- *   Amount of Blocks until Difficulty change
- *
- *   Fastcoin: 300 Blocks
- *   Litecoin: 2016 Blocks
- *   Bitcoin: 2016 Blocks
- *
+ * Coin Diff Change
+ *  Amount of blocks between difficulty changes
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-coin-diff-change
  **/
 $config['coindiffchangetarget'] = 2016;
 
 /**
- * Default transaction fee to apply to user transactions
- *
- * Explanation
- *   The coin daemon applies transaction fees to young coins.
- *   Since we are unable to find out what the exact fee was we set
- *   a default value here which is applied to both manual and auto payouts.
- *   If this is not set, no fee is applied in the transactions history but
- *   the user might still see them when the coins arrive.
- *   You can set two different transaction fees for manual and auto payouts.
- *
- * Default:
- *   txfee_auto   =  0.1
- *   txfee_manual   =  0.1
- *
+ * TX Fees
+ *  Fees applied to transactions
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-tx-fees
  **/
 $config['txfee_auto'] = 0.1;
 $config['txfee_manual'] = 0.1;
 
-// Payout a block bonus to block finders, default: 0 (disabled)
-// This bonus is paid by the pool operator, it is not deducted from the block payout!
+/**
+ * Block Bonus
+ *  Bonus in coins of block bonus
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-block-bonus
+ */
 $config['block_bonus'] = 0;
 
 
 /**
- * Payout system in use
- *
- * This will modify some templates and activate the
- * appropriate crons. Only ONE payout system at a time
- * is supported!
- *
- * Available options:
- *   prop: Proportional payout system
- *   pps : Pay Per Share payout system
- *   pplns : Pay Per Last N Shares payout system
- *
- * Default:
- *   prop
-**/
+ * Payout System
+ *  Payout system chosen
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-payout-system
+ **/
 $config['payout_system'] = 'prop';
 
 /**
- * Round purging
- *
- * Explanation:
- *   As soon as a round is finished, shares of that rate are archived (see below)
- *   and deleted from the `shares` table. Due to a large amount of shares in a
- *   single round, this can take a very long time. To reduce server load and allow
- *   other systems to access the DB during this high-load time, the DELETE
- *   calls are being limited to a number of rows. Then the process sleeps and
- *   continues to delete shares until all shares have been purged.
- *
- *   You can adjust some purging settings here in order to improve your overall
- *   site performance during round ends. Keep in mind that decreasing shares/time
- *   will make the cron run longer but at least keeps your site active. Vice versa
- *   higher numbers allow for a faster deletion but might affect the live site.
- *
- *   This system is also used when purging archived shares.
- *
- * Available Options:
- *   sleep   :  Time to sleep between delete calls
- *   shares  :  How many shares to delete at one time
- *
- * Default:
- *   sleep   :  5 seconds
- *   shares  :  500000
+ * Round Purging
+ *  Round share purging configuration
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-round-purging
  **/
 $config['purge']['sleep'] = 1;
 $config['purge']['shares'] = 25000;
 
 /**
- * Archiving configuration for debugging
- *
- * Explanation:
- *   By default, we don't need to archive for a long time. PPLNS and Hashrate
- *   calculations rely on this archive, but all shares past a certain point can
- *   safely be deleted.
- *
- *   To ensure we have enough shares on stack for PPLNS, this
- *   is set to the past 10 rounds. Even with lucky ones in between those should
- *   fit the PPLNS target. On top of that, even if we have more than 10 rounds,
- *   we still keep the last maxage shares to ensure we can calculate hashrates.
- *   Both conditions need to be met in order for shares to be purged from archive.
- *
- *   Proportional mode will only keep the past 24 hours. These are required for
- *   hashrate calculations to work past a round, hence 24 hours was selected as
- *   the default. You may want to increase the time for debugging, then add any
- *   integer reflecting minutes of shares to keep.
- *
- * Availabe Options:
- *   maxrounds  :  PPLNS, keep shares for maxrounds
- *   maxage     :  PROP and PPLNS, delete shares older than maxage minutes
- *
- * Default:
- *   maxrounds  =  10
- *   maxage     =  60 * 24   (24h)
+ * Share Archiving
+ *  Share archiving configuration details
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-archiving
  **/
 $config['archive']['maxrounds'] = 10; 
 $config['archive']['maxage'] = 60 * 24; 
 
-// Pool fees applied to users in percent, default: 0 (disabled)
+
+/**
+ * Pool Fees
+ *  Fees applied to users
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-pool-fees
+ */
 $config['fees'] = 0;
 
 /**
-  *  PPLNS requires some settings to run properly. First we need to define
-  *  a default shares count that is applied if we don't have a proper type set.
-  *  Different dynamic types can be applied, or you can run a fixed scheme.
-  *
-  *  Explanation
-  *
-  *   PPLNS can run on two different payouts: fixed and blockavg. Each one
-  *   defines a different PPLNS target.
-  *
-  *   Fixed means we will be looking at the shares setup in the default
-  *   setting. There is no automatic adjustments to the PPLNS target,
-  *   all users will be paid out proportionally to that target.
-  *
-  *   Blockavg will look at the last blockcount blocks shares and take
-  *   the average as the PPLNS target. This will be automatically adjusted
-  *   when difficulty changes and more blocks are available. This keeps the
-  *   target dynamic but still traceable.
-  *
-  *   If you use the fixed type it will use $config['pplns']['shares']['default']
-  *   for target calculations, if you use blockavg type it will use 
-  *   $config['pplns']['blockavg']['blockcount'] blocks average for target
-  *   calculations.
-  *
-  *   default     :  Default target shares for PPLNS
-  *   type        :  Payout type used in PPLNS
-  *   blockcount  :  Amount of blocks to check for avg shares
-  *
-  *  Available Options:
-  *   default     :  amount of shares, integeger
-  *   type        :  blockavg or fixed
-  *   blockcount  :  amount of blocks, any integer
-  *
-  *  Defaults:
-  *   default     =  4000000
-  *   type        =  `blockavg`
-  *   blockcount  =  10
-  **/
-/**
- * $config['pplns']['shares']['type'] = 'dynamic';
- * Dynamic target adjustment allows the blockavg target to adjust faster to share counts
- * while still tracking round share averages by using a percentage of the current round shares
- * to alter the pplns blockavg target this is useful with the nature of many alt coins low and fast 
- * adjusting difficulties and quick round times 
- * reverse_payout is useful to even out payouts for fast round times when even steady miners 
- * are missing share submissions for the current round
-**/
+ * PPLNS
+ *  Pay Per Last N Shares
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-pplns-settings
+ */
 $config['pplns']['shares']['default'] = 4000000;
 $config['pplns']['shares']['type'] = 'blockavg';
 $config['pplns']['blockavg']['blockcount'] = 10;
-$config['pplns']['reverse_payout'] = false;  // add user shares from archive even if user not in current round
-$config['pplns']['dynamic']['percent'] = 30; // percentage of round shares factored into block average when using dynamic type
-
-// Pool target difficulty as set in pushpoold configuration file
-// Please also read this for stratum: https://github.com/TheSerapher/php-mpos/wiki/FAQ
-$config['difficulty'] = 20;
-
+$config['pplns']['reverse_payout'] = false;
+$config['pplns']['dynamic']['percent'] = 30;
 
 /**
- * This defines how rewards are paid to users.
- *
- * Explanation:
- *
- *  Proportional + PPLNS Payout System
- *   When running a pool on fixed mode, each block will be paid
- *   out as defined in `reward`. If you wish to pass transaction
- *   fees inside discovered blocks on to user, set this to `block`.
- *   This is really helpful for altcoins with dynamic block values!
- *
- *  PPS Payout System
- *   If set to `fixed`, all PPS values are based on the `reward` setting.
- *   If you set it to `block` you will calculate the current round based
- *   on the previous block value. The idea is to pass the block of the
- *   last round on to the users. If no previous block is found, PPS value
- *   will fall back to the fixed value set in `reward`. Ensure you don't
- *   overpay users in the first round!
- *
- * Available options:
- *  reward_type:
- *   fixed : Fixed value according to `reward` setting
- *   block : Dynamic value based on block amount
- *  reward:
- *   float value : Any value of your choice but should reflect base block values
- *
- * Default:
- *   reward_type  = `fixed`
- *   reward       = 50
- *
+ * Difficulty
+ *  Difficulty setting for stratum/pushpool
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-pool-target-difficulty
+ */
+$config['difficulty'] = 20;
+
+/**
+ * Block Reward
+ *  Block reward configuration details
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-reward-settings
  **/
 $config['reward_type'] = 'block';
 $config['reward'] = 50;
 
-// Confirmations per block required to credit transactions, default: 120
-// Do NOT touch this unless you know what you are doing! Please check your coin for the
-// appropriate value here, but most should work with this.
+/**
+ * Confirmations
+ *  Credit and Network confirmation settings
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-confirmations
+ */
 $config['confirmations'] = 120;
-// Confirmations per block required in network to confirm its transactions, default: 120
-// Do NOT touch this unless you know what you are doing! Please check your coin for the
-// appropriate value here, but most should work with this.
 $config['network_confirmations'] = 120;
 
- /**
- * Available pps options:
- *  reward_type:
- *   fixed : Fixed value according to `reward` setting
- *   blockavg : Dynamic value based on average of x number of block rewards
- *   block : Dynamic value based on LAST block amount
- *  reward:
- *   float value : Any value of your choice but should reflect base block values
- *   blockcount  :  amount of blocks to average, any integer
- * Default:
- *   pps_reward_type  = `fixed` default $config['pps']['reward']['default']
- *   reward       = 50
- *
+/**
+ * PPS
+ *  Pay Per Share configuration details
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-pps-settings
  **/
 $config['pps']['reward']['default'] = 50;
 $config['pps']['reward']['type'] = 'blockavg';
 $config['pps']['blockavg']['blockcount'] = 10;
 
 /**
- * Memcache configuration
- *
- * To disable memcache set option $config['memcache']['enabled'] = false
- * After disable memcache installation of memcache is not required.
- *
- * Please note that a memcache is greatly increasing performance
- * when combined with the `statistics.php` cronjob. Disabling this
- * is not recommended in a live environment!
- *
- * Explanations
- *   enabled     :   Disable (false) memcache for debugging or enable (true) it
- *   host        :   Host IP or hostname
- *   port        :   memcache port
- *   keyprefix   :   Must be changed for multiple MPOS instances on one host
- *   expiration  :   Default expiration time in seconds of all cached keys.
- *                   Increase if caches expire too fast.
- *   splay       :   Default randomizer for expiration times.
- *                   This will spread expired keys across `splay` seconds.
- *
- * Default:
- *   enabled     =  `true`
- *   host        =  `localhost`
- *   port        =  11211
- *   keyprefix   =  `mpos_`
- *   expiration  =  90
- *   splay       =  15
+ * Memcache
+ *  Memcache configuration details
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-memcache
  **/
 $config['memcache']['enabled'] = true;
 $config['memcache']['host'] = 'localhost';
 $config['memcache']['port'] = 11211;
-$config['memcache']['keyprefix'] = 'mpos_';
+$config['memcache']['keyprefix'] = 'mpos_'.$config['currency'].'_';
 $config['memcache']['expiration'] = 90;
 $config['memcache']['splay'] = 15;
 
-
 /**
- * Cookie configuration
- *
- * You can configure the cookie behaviour to secure your cookies more than the PHP defaults
- *
- * For multiple installations of MPOS on the same domain you must change the cookie path.
- *
- * Explanation:
- * duration:
- *   the amount of time, in seconds, that a cookie should persist in the users browser.
- *   0 = until closed; 1440 = 24 minutes. Check your php.ini 'session.gc_maxlifetime' value
- *   and ensure that it is at least the duration specified here.
- *
- * domain:
- *   the only domain name that may access this cookie in the browser
- *
- * path:
- *   the highest path on the domain that can access this cookie; i.e. if running two pools
- *   from a single domain you might set the path /ltc/ and /ftc/ to separate user session
- *   cookies between the two.
- *
- * httponly:
- *   marks the cookie as accessible only through the HTTP protocol. The cookie can't be
- *   accessed by scripting languages, such as JavaScript. This can help to reduce identity
- *   theft through XSS attacks in most browsers.
- *
- * secure:
- *   marks the cookie as accessible only through the HTTPS protocol. If you have a SSL
- *   certificate installed on your domain name then this will stop a user accidentally
- *   accessing the site over a HTTP connection, without SSL, exposing their session cookie.
- *
- * Default:
- *   duration = '1440'
- *   domain   = ''
- *   path     = '/'
- *   httponly = true
- *   secure   = false
+ * Cookies
+ *  Cookie configuration details
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-cookies
  **/
 $config['cookie']['duration'] = '1440';
 $config['cookie']['domain'] = '';
@@ -576,50 +235,18 @@ $config['cookie']['httponly'] = true;
 $config['cookie']['secure'] = false;
 
 /**
- * Enable or disable the Smarty cache
- *
- * Explanation:
- *   Smarty implements a file based cache for all HTML output generated
- *   from dynamic scripts. It can be enabled to cache the HTML data on disk,
- *   future request are served from those cache files.
- *
- *   This may or may not work as expected, in general Memcache is used to cache
- *   all data so rendering the page should not take too long anyway.
- *
- *   You can test this out and enable (1) this setting but it's not guaranteed to
- *   work with MPOS.
- *
- *   Ensure that the folder `templates/cache` is writeable by the web server!
- *
- *   cache           =  Enable/Disable the cache
- *   cache_lifetime  =  Time to keep files in seconds before updating them
- *
- *  Options:
- *    cache:
- *      0  =  disabled
- *      1  =  enabled
- *    cache_lifetime:
- *      time in seconds
- *
- *  Defaults:
- *    cache           =  0, disabled
- *    cache_lifetime  =  30 seconds
+ * Smarty Cache
+ *  Enable smarty cache and cache length
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-smarty-cache
  **/
 $config['smarty']['cache'] = 0;
 $config['smarty']['cache_lifetime'] = 30;
 
 /**
- * System load setting
- *
- * This will disable loading of some API calls in case the system
- * loads exceeds the defined max setting. Useful to temporarily suspend
- * live statistics on a server that is too busy to deal with requests.
- *
- * Options
- *   max    =  float, maximum system load
- *
- * Defaults:
- *   max    =  10.0
+ * System load
+ *  Disable some calls when high system load
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-system-load
  **/
 $config['system']['load']['max'] = 10.0;
-?>
+
+?>
\ No newline at end of file
diff --git a/public/include/config/memcache_keys.inc.php b/public/include/config/memcache_keys.inc.php
index f9405b0c..1f4e30e7 100644
--- a/public/include/config/memcache_keys.inc.php
+++ b/public/include/config/memcache_keys.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 define('STATISTICS_ALL_USER_SHARES', 'STATISTICS_ALL_USER_SHARES');
 define('STATISTICS_ALL_USER_HASHRATES', 'STATISTICS_ALL_USER_HASHRATES');
diff --git a/public/include/config/security.inc.dist.php b/public/include/config/security.inc.dist.php
new file mode 100644
index 00000000..20f4c140
--- /dev/null
+++ b/public/include/config/security.inc.dist.php
@@ -0,0 +1,52 @@
+<?php 
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
+
+/**
+ * Misc
+ *  Extra security settings
+ *   
+ **/
+$config['https_only'] = false;
+$config['mysql_filter'] = true;
+
+/**
+ * Memcache Rate Limiting
+ *  Rate limit requests using Memcache
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-memcache-rate-limiting
+ */
+$config['mc_antidos']['enabled'] = true;
+$config['mc_antidos']['protect_ajax'] = true;
+$config['mc_antidos']['ajax_hits_additive'] = false;
+$config['mc_antidos']['flush_seconds_api'] = 60;
+$config['mc_antidos']['rate_limit_api'] = 20;
+$config['mc_antidos']['flush_seconds_site'] = 60;
+$config['mc_antidos']['rate_limit_site'] = 30;
+$config['mc_antidos']['ignore_admins'] = true;
+$config['mc_antidos']['error_push_page'] = array('page' => 'error', 'action' => 'ratelimit');
+
+/**
+ * CSRF Protection
+ *  Enable or disable CSRF protection
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-csrf-protection
+ */
+$config['csrf']['enabled'] = true;
+
+/**
+ * E-mail confirmations for user actions
+ *  Two-factor confirmation for user actions
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-e-mail-confirmations
+ */
+$config['twofactor']['enabled'] = true;
+$config['twofactor']['options']['details'] = true;
+$config['twofactor']['options']['withdraw'] = true;
+$config['twofactor']['options']['changepw'] = true;
+
+/**
+ * Lock account after X
+ *  Lock accounts after X invalid logins or pins
+ *   https://github.com/MPOS/php-mpos/wiki/Config-Setup#wiki-lock-accounts-after-failed-logins
+ **/
+$config['maxfailed']['login'] = 3;
+$config['maxfailed']['pin'] = 3;
+
+?>
\ No newline at end of file
diff --git a/public/include/database.inc.php b/public/include/database.inc.php
index edfa8ca5..a65e708b 100644
--- a/public/include/database.inc.php
+++ b/public/include/database.inc.php
@@ -1,11 +1,12 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Instantiate class, we are using mysqlng
-$mysqli = new mysqli($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);
+if ($config['mysql_filter']) {
+  $mysqli = new mysqli_strict($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);
+} else {
+  $mysqli = new mysqli($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);
+}
 
 // Check if read-only and quit if it is on
 if ($mysqli->query('/* MYSQLND_MS_MASTER_SWITCH */SELECT @@global.read_only AS read_only')->fetch_object()->read_only == 1) {
@@ -16,4 +17,5 @@ if ($mysqli->query('/* MYSQLND_MS_MASTER_SWITCH */SELECT @@global.read_only AS r
 if (mysqli_connect_errno()) {
   die("Failed to connect to database");
 }
+
 ?>
diff --git a/public/include/pages/about.inc.php b/public/include/pages/about.inc.php
index aecab054..ac4117c0 100644
--- a/public/include/pages/about.inc.php
+++ b/public/include/pages/about.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
diff --git a/public/include/pages/about/api.inc.php b/public/include/pages/about/api.inc.php
index d0eb55e7..ac4117c0 100644
--- a/public/include/pages/about/api.inc.php
+++ b/public/include/pages/about/api.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
diff --git a/public/include/pages/about/donors.inc.php b/public/include/pages/about/donors.inc.php
index 0d4213f7..2e20f761 100644
--- a/public/include/pages/about/donors.inc.php
+++ b/public/include/pages/about/donors.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($setting->getValue('disable_donors')) {
   $_SESSION['POPUP'][] = array('CONTENT' => 'Donors are currently disabled. Please try again later.', 'TYPE' => 'errormsg');
diff --git a/public/include/pages/about/pool.inc.php b/public/include/pages/about/pool.inc.php
index 20c860f0..0450f7ef 100644
--- a/public/include/pages/about/pool.inc.php
+++ b/public/include/pages/about/pool.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($setting->getValue('disable_about')) {
   $_SESSION['POPUP'][] = array('CONTENT' => 'Donors are currently disabled. Please try again later.', 'TYPE' => 'errormsg');
diff --git a/public/include/pages/about/pplns.inc.php b/public/include/pages/about/pplns.inc.php
index aecab054..ac4117c0 100644
--- a/public/include/pages/about/pplns.inc.php
+++ b/public/include/pages/about/pplns.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
diff --git a/public/include/pages/account.inc.php b/public/include/pages/account.inc.php
index 9e43518e..f3ce16c5 100644
--- a/public/include/pages/account.inc.php
+++ b/public/include/pages/account.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($user->isAuthenticated()) {
   // Tempalte specifics
diff --git a/public/include/pages/account/confirm.inc.php b/public/include/pages/account/confirm.inc.php
index 829abcb7..6d175281 100644
--- a/public/include/pages/account/confirm.inc.php
+++ b/public/include/pages/account/confirm.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Confirm an account by token
 if (!isset($_GET['token']) || empty($_GET['token'])) {
diff --git a/public/include/pages/account/edit.inc.php b/public/include/pages/account/edit.inc.php
index ed058175..6c728c0a 100644
--- a/public/include/pages/account/edit.inc.php
+++ b/public/include/pages/account/edit.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // twofactor stuff
 $cp_editable = $wf_editable = $ea_editable = $wf_sent = $ea_sent = $cp_sent = 0;
@@ -153,7 +150,7 @@ if ($user->isAuthenticated()) {
 
 
 // 2fa - one last time so we can sync with changes we made during this page
-if ($user->isAuthenticated() && $config['twofactor']['enabled']) {
+if ($config['twofactor']['enabled'] && $user->isAuthenticated()) {
   // set the token to be the old token, just in case an error occured
   $ea_token = (@$oldtoken_ea !== '') ? $oldtoken_ea : @$ea_token;
   $wf_token = (@$oldtoken_wf !== '') ? $oldtoken_wf : @$wf_token;
@@ -178,14 +175,15 @@ if ($user->isAuthenticated() && $config['twofactor']['enabled']) {
   (!empty($wfprep_sent) && empty($wfprep_edit)) ? $_SESSION['POPUP'][] = array('CONTENT' => $message_tokensent_invalid.$messages_tokensent_status['wf'], 'TYPE' => 'success'):"";
   (!empty($cpprep_sent) && !empty($cpprep_edit)) ? $_SESSION['POPUP'][] = array('CONTENT' => $cpprep_sent, 'TYPE' => 'success'):"";
   (!empty($cpprep_sent) && empty($cpprep_edit)) ? $_SESSION['POPUP'][] = array('CONTENT' => $message_tokensent_invalid.$messages_tokensent_status['cp'], 'TYPE' => 'success'):"";
+  // two-factor stuff
+  $smarty->assign("CHANGEPASSUNLOCKED", $cp_editable);
+  $smarty->assign("WITHDRAWUNLOCKED", $wf_editable);
+  $smarty->assign("DETAILSUNLOCKED", $ea_editable);
+  $smarty->assign("CHANGEPASSSENT", $cp_sent);
+  $smarty->assign("WITHDRAWSENT", $wf_sent);
+  $smarty->assign("DETAILSSENT", $ea_sent);
 }
-// two-factor stuff
-$smarty->assign("CHANGEPASSUNLOCKED", $cp_editable);
-$smarty->assign("WITHDRAWUNLOCKED", $wf_editable);
-$smarty->assign("DETAILSUNLOCKED", $ea_editable);
-$smarty->assign("CHANGEPASSSENT", $cp_sent);
-$smarty->assign("WITHDRAWSENT", $wf_sent);
-$smarty->assign("DETAILSSENT", $ea_sent);
+
 $smarty->assign("DONATE_THRESHOLD", $config['donate_threshold']);
 
 // Tempalte specifics
diff --git a/public/include/pages/account/invitations.inc.php b/public/include/pages/account/invitations.inc.php
index 0ceb15a8..4020cfd1 100644
--- a/public/include/pages/account/invitations.inc.php
+++ b/public/include/pages/account/invitations.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($user->isAuthenticated()) {
   if (!$setting->getValue('disable_invitations')) {
diff --git a/public/include/pages/account/notifications.inc.php b/public/include/pages/account/notifications.inc.php
index 0d0fe7e4..4b180f02 100644
--- a/public/include/pages/account/notifications.inc.php
+++ b/public/include/pages/account/notifications.inc.php
@@ -1,7 +1,6 @@
 <?php
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
 if ($user->isAuthenticated()) {
   if ($setting->getValue('disable_notifications') == 1) {
     $_SESSION['POPUP'][] = array('CONTENT' => 'Notification system disabled by admin.', 'TYPE' => 'info');
diff --git a/public/include/pages/account/qrcode.inc.php b/public/include/pages/account/qrcode.inc.php
index a6543dc5..3171ded7 100644
--- a/public/include/pages/account/qrcode.inc.php
+++ b/public/include/pages/account/qrcode.inc.php
@@ -1,6 +1,5 @@
 <?php
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($user->isAuthenticated()) $smarty->assign("CONTENT", "default.tpl");
 ?>
diff --git a/public/include/pages/account/reset_failed.inc.php b/public/include/pages/account/reset_failed.inc.php
index 9f19b030..0df25c06 100644
--- a/public/include/pages/account/reset_failed.inc.php
+++ b/public/include/pages/account/reset_failed.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($user->isAuthenticated()) {
   // Reset failed login counter
diff --git a/public/include/pages/account/transactions.inc.php b/public/include/pages/account/transactions.inc.php
index 72534881..4509b399 100644
--- a/public/include/pages/account/transactions.inc.php
+++ b/public/include/pages/account/transactions.inc.php
@@ -1,7 +1,6 @@
 <?php
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
 if ($user->isAuthenticated()) {
   $iLimit = 30;
   empty($_REQUEST['start']) ? $start = 0 : $start = $_REQUEST['start'];
diff --git a/public/include/pages/account/unlock.inc.php b/public/include/pages/account/unlock.inc.php
index b9d5763b..71c400d1 100644
--- a/public/include/pages/account/unlock.inc.php
+++ b/public/include/pages/account/unlock.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Confirm an account by token
 if (!isset($_GET['token']) || empty($_GET['token'])) {
diff --git a/public/include/pages/account/workers.inc.php b/public/include/pages/account/workers.inc.php
index ad266b2b..b861600d 100644
--- a/public/include/pages/account/workers.inc.php
+++ b/public/include/pages/account/workers.inc.php
@@ -1,18 +1,13 @@
 <?php
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($user->isAuthenticated()) {
   switch (@$_REQUEST['do']) {
   case 'delete':
-    if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
-      if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
-        $_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed', 'TYPE' => 'success');
-      } else {
-        $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
-      }
+    if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
+      $_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed', 'TYPE' => 'success');
     } else {
-      $_SESSION['POPUP'][] = array('CONTENT' => $csrftoken->getErrorWithDescriptionHTML(), 'TYPE' => 'info');
+      $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
     }
     break;
     
diff --git a/public/include/pages/admin.inc.php b/public/include/pages/admin.inc.php
index 40abecde..b5067a9f 100644
--- a/public/include/pages/admin.inc.php
+++ b/public/include/pages/admin.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/dashboard.inc.php b/public/include/pages/admin/dashboard.inc.php
index d5de5f7b..572914f9 100644
--- a/public/include/pages/admin/dashboard.inc.php
+++ b/public/include/pages/admin/dashboard.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/monitoring.inc.php b/public/include/pages/admin/monitoring.inc.php
index 08efaee4..e720f776 100644
--- a/public/include/pages/admin/monitoring.inc.php
+++ b/public/include/pages/admin/monitoring.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/news.inc.php b/public/include/pages/admin/news.inc.php
index df0bb2fc..36734294 100644
--- a/public/include/pages/admin/news.inc.php
+++ b/public/include/pages/admin/news.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/news_edit.inc.php b/public/include/pages/admin/news_edit.inc.php
index 81cfcb56..8549533b 100644
--- a/public/include/pages/admin/news_edit.inc.php
+++ b/public/include/pages/admin/news_edit.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/poolworkers.inc.php b/public/include/pages/admin/poolworkers.inc.php
index 814d6c07..24cb675c 100644
--- a/public/include/pages/admin/poolworkers.inc.php
+++ b/public/include/pages/admin/poolworkers.inc.php
@@ -1,6 +1,5 @@
 <?php
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/reports.inc.php b/public/include/pages/admin/reports.inc.php
index 5225461c..3139234c 100644
--- a/public/include/pages/admin/reports.inc.php
+++ b/public/include/pages/admin/reports.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/settings.inc.php b/public/include/pages/admin/settings.inc.php
index fe9bc380..6fb477ea 100644
--- a/public/include/pages/admin/settings.inc.php
+++ b/public/include/pages/admin/settings.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/templates.inc.php b/public/include/pages/admin/templates.inc.php
index b3c101ea..8f67611d 100644
--- a/public/include/pages/admin/templates.inc.php
+++ b/public/include/pages/admin/templates.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/transactions.inc.php b/public/include/pages/admin/transactions.inc.php
index 7e95092e..37afac7b 100644
--- a/public/include/pages/admin/transactions.inc.php
+++ b/public/include/pages/admin/transactions.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/user.inc.php b/public/include/pages/admin/user.inc.php
index 955d9cd8..5971dc9a 100644
--- a/public/include/pages/admin/user.inc.php
+++ b/public/include/pages/admin/user.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/admin/wallet.inc.php b/public/include/pages/admin/wallet.inc.php
index c7e821c8..909d05ef 100644
--- a/public/include/pages/admin/wallet.inc.php
+++ b/public/include/pages/admin/wallet.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user to ensure they are admin
 if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
diff --git a/public/include/pages/api.inc.php b/public/include/pages/api.inc.php
index c85ada42..01cd20f5 100644
--- a/public/include/pages/api.inc.php
+++ b/public/include/pages/api.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getblockcount.inc.php b/public/include/pages/api/getblockcount.inc.php
index 978a7142..5000afdd 100644
--- a/public/include/pages/api/getblockcount.inc.php
+++ b/public/include/pages/api/getblockcount.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getblocksfound.inc.php b/public/include/pages/api/getblocksfound.inc.php
index de2918f6..d280b266 100644
--- a/public/include/pages/api/getblocksfound.inc.php
+++ b/public/include/pages/api/getblocksfound.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getblockstats.inc.php b/public/include/pages/api/getblockstats.inc.php
index 9d6200d5..725ad628 100644
--- a/public/include/pages/api/getblockstats.inc.php
+++ b/public/include/pages/api/getblockstats.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getcronjobstatus.inc.php b/public/include/pages/api/getcronjobstatus.inc.php
index 8dab4f09..b932b8dd 100644
--- a/public/include/pages/api/getcronjobstatus.inc.php
+++ b/public/include/pages/api/getcronjobstatus.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getcurrentworkers.inc.php b/public/include/pages/api/getcurrentworkers.inc.php
index 837b75ef..4b142822 100644
--- a/public/include/pages/api/getcurrentworkers.inc.php
+++ b/public/include/pages/api/getcurrentworkers.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getdashboarddata.inc.php b/public/include/pages/api/getdashboarddata.inc.php
index b5a73801..9f7c6844 100644
--- a/public/include/pages/api/getdashboarddata.inc.php
+++ b/public/include/pages/api/getdashboarddata.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the system is enabled
 if ($setting->getValue('disable_dashboard_api')) {
diff --git a/public/include/pages/api/getdifficulty.inc.php b/public/include/pages/api/getdifficulty.inc.php
index 95805548..7cc88766 100644
--- a/public/include/pages/api/getdifficulty.inc.php
+++ b/public/include/pages/api/getdifficulty.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getestimatedtime.inc.php b/public/include/pages/api/getestimatedtime.inc.php
index 91ed811d..5d529545 100644
--- a/public/include/pages/api/getestimatedtime.inc.php
+++ b/public/include/pages/api/getestimatedtime.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/gethourlyhashrates.inc.php b/public/include/pages/api/gethourlyhashrates.inc.php
index d9dfea0a..c6c7f670 100644
--- a/public/include/pages/api/gethourlyhashrates.inc.php
+++ b/public/include/pages/api/gethourlyhashrates.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getnavbardata.inc.php b/public/include/pages/api/getnavbardata.inc.php
index a412f984..f043a7c1 100644
--- a/public/include/pages/api/getnavbardata.inc.php
+++ b/public/include/pages/api/getnavbardata.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the system is enabled
 if ($setting->getValue('disable_navbar_api')) {
diff --git a/public/include/pages/api/getpoolhashrate.inc.php b/public/include/pages/api/getpoolhashrate.inc.php
index a5985d44..bb6fe8ea 100644
--- a/public/include/pages/api/getpoolhashrate.inc.php
+++ b/public/include/pages/api/getpoolhashrate.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getpoolinfo.inc.php b/public/include/pages/api/getpoolinfo.inc.php
index 66d87004..217a2224 100644
--- a/public/include/pages/api/getpoolinfo.inc.php
+++ b/public/include/pages/api/getpoolinfo.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getpoolsharerate.inc.php b/public/include/pages/api/getpoolsharerate.inc.php
index a55654be..8b8977e5 100644
--- a/public/include/pages/api/getpoolsharerate.inc.php
+++ b/public/include/pages/api/getpoolsharerate.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getpoolstatus.inc.php b/public/include/pages/api/getpoolstatus.inc.php
index ea053dcb..a364a45b 100644
--- a/public/include/pages/api/getpoolstatus.inc.php
+++ b/public/include/pages/api/getpoolstatus.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/gettimesincelastblock.inc.php b/public/include/pages/api/gettimesincelastblock.inc.php
index c0de01f8..e586beac 100644
--- a/public/include/pages/api/gettimesincelastblock.inc.php
+++ b/public/include/pages/api/gettimesincelastblock.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/gettopcontributors.inc.php b/public/include/pages/api/gettopcontributors.inc.php
index 0b22faee..e5bc7e6f 100644
--- a/public/include/pages/api/gettopcontributors.inc.php
+++ b/public/include/pages/api/gettopcontributors.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check user token and access level permissions
 $user_id = $api->checkAccess($user->checkApiKey($_REQUEST['api_key']), @$_REQUEST['id']);
diff --git a/public/include/pages/api/getuserbalance.inc.php b/public/include/pages/api/getuserbalance.inc.php
index d91c6865..e46901bb 100644
--- a/public/include/pages/api/getuserbalance.inc.php
+++ b/public/include/pages/api/getuserbalance.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getuserhashrate.inc.php b/public/include/pages/api/getuserhashrate.inc.php
index 1b1d5250..13f61a8c 100644
--- a/public/include/pages/api/getuserhashrate.inc.php
+++ b/public/include/pages/api/getuserhashrate.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getusersharerate.inc.php b/public/include/pages/api/getusersharerate.inc.php
index c1edb01e..86b3c762 100644
--- a/public/include/pages/api/getusersharerate.inc.php
+++ b/public/include/pages/api/getusersharerate.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getuserstatus.inc.php b/public/include/pages/api/getuserstatus.inc.php
index c17bb77f..df514c9a 100644
--- a/public/include/pages/api/getuserstatus.inc.php
+++ b/public/include/pages/api/getuserstatus.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getusertransactions.inc.php b/public/include/pages/api/getusertransactions.inc.php
index 08517d2d..403ff929 100644
--- a/public/include/pages/api/getusertransactions.inc.php
+++ b/public/include/pages/api/getusertransactions.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/getuserworkers.inc.php b/public/include/pages/api/getuserworkers.inc.php
index 089e227d..69a8122a 100644
--- a/public/include/pages/api/getuserworkers.inc.php
+++ b/public/include/pages/api/getuserworkers.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/api/public.inc.php b/public/include/pages/api/public.inc.php
index f465d1a8..c6b128d6 100644
--- a/public/include/pages/api/public.inc.php
+++ b/public/include/pages/api/public.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Check if the API is activated
 $api->isActive();
diff --git a/public/include/pages/contactform.inc.php b/public/include/pages/contactform.inc.php
index b961cfb2..fdbf26da 100644
--- a/public/include/pages/contactform.inc.php
+++ b/public/include/pages/contactform.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($setting->getValue('disable_contactform')) {
   $_SESSION['POPUP'][] = array('CONTENT' => 'Contactform is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
diff --git a/public/include/pages/contactform/contactform.inc.php b/public/include/pages/contactform/contactform.inc.php
index 19916321..f0aa6f9f 100644
--- a/public/include/pages/contactform/contactform.inc.php
+++ b/public/include/pages/contactform/contactform.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($setting->getValue('recaptcha_enabled')) {
   // Load re-captcha specific data
diff --git a/public/include/pages/dashboard.inc.php b/public/include/pages/dashboard.inc.php
index f835f6e7..7047cfb8 100644
--- a/public/include/pages/dashboard.inc.php
+++ b/public/include/pages/dashboard.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($user->isAuthenticated()) {
   if (! $interval = $setting->getValue('statistics_ajax_data_interval')) $interval = 300;
diff --git a/public/include/pages/error.inc.php b/public/include/pages/error.inc.php
index aecab054..ac4117c0 100644
--- a/public/include/pages/error.inc.php
+++ b/public/include/pages/error.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
diff --git a/public/include/pages/error/404.inc.php b/public/include/pages/error/404.inc.php
index aecab054..ac4117c0 100644
--- a/public/include/pages/error/404.inc.php
+++ b/public/include/pages/error/404.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
diff --git a/public/include/pages/error/ratelimit.inc.php b/public/include/pages/error/ratelimit.inc.php
new file mode 100644
index 00000000..89cd2920
--- /dev/null
+++ b/public/include/pages/error/ratelimit.inc.php
@@ -0,0 +1,6 @@
+<?php
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
+
+// Tempalte specifics
+$smarty->assign("CONTENT", "default.tpl");
+?>
\ No newline at end of file
diff --git a/public/include/pages/gettingstarted.inc.php b/public/include/pages/gettingstarted.inc.php
index e7de19b8..b6f63bc7 100644
--- a/public/include/pages/gettingstarted.inc.php
+++ b/public/include/pages/gettingstarted.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 $smarty->assign("SITESTRATUMURL", $config['gettingstarted']['stratumurl']);
 $smarty->assign("SITESTRATUMPORT", $config['gettingstarted']['stratumport']);
diff --git a/public/include/pages/home.inc.php b/public/include/pages/home.inc.php
index 99c01c04..72a29af7 100644
--- a/public/include/pages/home.inc.php
+++ b/public/include/pages/home.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Include markdown library
 use \Michelf\Markdown;
diff --git a/public/include/pages/login.inc.php b/public/include/pages/login.inc.php
index 80267049..a8f7cd0e 100644
--- a/public/include/pages/login.inc.php
+++ b/public/include/pages/login.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // ReCaptcha handling if enabled
 if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins')) {
@@ -26,10 +24,12 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserIdByEmail
   // Check if recaptcha is enabled, process form data if valid
   if (!$setting->getValue('recaptcha_enabled') || !$setting->getValue('recaptcha_enabled_logins') || ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins') && $rsp->is_valid)) {
     if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
+      // check if login is correct
       if ($user->checkLogin(@$_POST['username'], @$_POST['password']) ) {
-        $port = ($_SERVER["SERVER_PORT"] == "80" or $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
-        $location = @$_SERVER['HTTPS'] ? 'https://' : 'http://';
-        $location .= $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'] . '?page=dashboard';
+        $port = ($_SERVER["SERVER_PORT"] == "80" || $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
+        $location = (@$_SERVER['HTTPS'] == "on") ? 'https://' : 'http://';
+        $location .= $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'];
+        $location.= '?page=dashboard';
         if (!headers_sent()) header('Location: ' . $location);
         exit('<meta http-equiv="refresh" content="0; url=' . htmlspecialchars($location) . '"/>');
       } else {
@@ -42,7 +42,7 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserIdByEmail
     $_SESSION['POPUP'][] = array('CONTENT' => 'Invalid Captcha, please try again.', 'TYPE' => 'errormsg');
   }
 }
-
 // Load login template
 $smarty->assign('CONTENT', 'default.tpl');
+
 ?>
diff --git a/public/include/pages/logout.inc.php b/public/include/pages/logout.inc.php
index 30425851..9b6e12a6 100644
--- a/public/include/pages/logout.inc.php
+++ b/public/include/pages/logout.inc.php
@@ -1,10 +1,7 @@
 <?php
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
-
-// This probably (?) never fails
 $user->logoutUser();
+
 $smarty->assign("CONTENT", "default.tpl");
 ?>
diff --git a/public/include/pages/news.inc.php b/public/include/pages/news.inc.php
index 6e7a90c7..51630e9b 100644
--- a/public/include/pages/news.inc.php
+++ b/public/include/pages/news.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Include markdown library
 use \Michelf\Markdown;
diff --git a/public/include/pages/password.inc.php b/public/include/pages/password.inc.php
index d9fe34ce..8ce59fe1 100644
--- a/public/include/pages/password.inc.php
+++ b/public/include/pages/password.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
diff --git a/public/include/pages/password/change.inc.php b/public/include/pages/password/change.inc.php
index f622363b..938ed51b 100644
--- a/public/include/pages/password/change.inc.php
+++ b/public/include/pages/password/change.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-  die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
   if (isset($_POST['do']) && $_POST['do'] == 'resetPassword') {
diff --git a/public/include/pages/password/reset.inc.php b/public/include/pages/password/reset.inc.php
index 0fa2303d..c06c21b6 100644
--- a/public/include/pages/password/reset.inc.php
+++ b/public/include/pages/password/reset.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Process password reset request
 if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
diff --git a/public/include/pages/register.inc.php b/public/include/pages/register.inc.php
index 15d077fe..da9ec064 100644
--- a/public/include/pages/register.inc.php
+++ b/public/include/pages/register.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if ($setting->getValue('lock_registration') && $setting->getValue('disable_invitations')) {
   $_SESSION['POPUP'][] = array('CONTENT' => 'Account registration is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
diff --git a/public/include/pages/register/register.inc.php b/public/include/pages/register/register.inc.php
index 9f2ad8b6..31afe78d 100644
--- a/public/include/pages/register/register.inc.php
+++ b/public/include/pages/register/register.inc.php
@@ -1,6 +1,5 @@
 <?php
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // ReCaptcha handling if enabled
 if ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_registrations')) {
diff --git a/public/include/pages/statistics.inc.php b/public/include/pages/statistics.inc.php
index 3f63e870..ca100ea4 100644
--- a/public/include/pages/statistics.inc.php
+++ b/public/include/pages/statistics.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if (!$smarty->isCached('master.tpl', $smarty_cache_key)) {
   $debug->append('No cached version available, fetching from backend', 3);
diff --git a/public/include/pages/statistics/blockfinder.inc.php b/public/include/pages/statistics/blockfinder.inc.php
index f471afdf..6773e920 100644
--- a/public/include/pages/statistics/blockfinder.inc.php
+++ b/public/include/pages/statistics/blockfinder.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Grab Block Finder
 if (!$smarty->isCached('master.tpl', $smarty_cache_key)) {
diff --git a/public/include/pages/statistics/blocks.inc.php b/public/include/pages/statistics/blocks.inc.php
index 12f034c0..fb580b8f 100644
--- a/public/include/pages/statistics/blocks.inc.php
+++ b/public/include/pages/statistics/blocks.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Grab the last blocks found
 if (!$smarty->isCached('master.tpl', $smarty_cache_key)) {
diff --git a/public/include/pages/statistics/graphs.inc.php b/public/include/pages/statistics/graphs.inc.php
index 575ce36d..f574c1fc 100644
--- a/public/include/pages/statistics/graphs.inc.php
+++ b/public/include/pages/statistics/graphs.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if (!$smarty->isCached('master.tpl', $smarty_cache_key)) {
   $debug->append('No cached version available, fetching from backend', 3);
diff --git a/public/include/pages/statistics/pool.inc.php b/public/include/pages/statistics/pool.inc.php
index ae42aebc..84fb3546 100644
--- a/public/include/pages/statistics/pool.inc.php
+++ b/public/include/pages/statistics/pool.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Fetch data from wallet, always run this check
 if ($bitcoin->can_connect() === true){
diff --git a/public/include/pages/statistics/round.inc.php b/public/include/pages/statistics/round.inc.php
index 4e7288d5..064dd3ee 100644
--- a/public/include/pages/statistics/round.inc.php
+++ b/public/include/pages/statistics/round.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if (!$smarty->isCached('master.tpl', $smarty_cache_key)) {
   $debug->append('No cached version available, fetching from backend', 3);
diff --git a/public/include/pages/statistics/uptime.inc.php b/public/include/pages/statistics/uptime.inc.php
index 81a12799..253ab76c 100644
--- a/public/include/pages/statistics/uptime.inc.php
+++ b/public/include/pages/statistics/uptime.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 if (!$smarty->isCached('master.tpl', $smarty_cache_key)) {
   $debug->append('No cached version available, fetching from backend', 3);
diff --git a/public/include/pages/tac.inc.php b/public/include/pages/tac.inc.php
index de4542b1..cdd3e92d 100644
--- a/public/include/pages/tac.inc.php
+++ b/public/include/pages/tac.inc.php
@@ -1,6 +1,5 @@
 <?php
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
 $smarty->assign("CONTENT", "default.tpl");
 ?>
diff --git a/public/include/pages/tacpop.inc.php b/public/include/pages/tacpop.inc.php
index 86087ec0..16ae6777 100644
--- a/public/include/pages/tacpop.inc.php
+++ b/public/include/pages/tacpop.inc.php
@@ -1,6 +1,5 @@
 <?php
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
 $master_template = 'tac/default.tpl';
 ?>
diff --git a/public/include/smarty.inc.php b/public/include/smarty.inc.php
index ba549af6..b3aa8e7b 100644
--- a/public/include/smarty.inc.php
+++ b/public/include/smarty.inc.php
@@ -1,8 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY'))
-    die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 $debug->append('Loading Smarty libraries', 2);
 define('SMARTY_DIR', INCLUDE_DIR . '/smarty/libs/');
diff --git a/public/include/smarty_globals.inc.php b/public/include/smarty_globals.inc.php
index 87dc64e2..b18e5bb4 100644
--- a/public/include/smarty_globals.inc.php
+++ b/public/include/smarty_globals.inc.php
@@ -1,7 +1,5 @@
 <?php
-
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
 // Globally available variables
 $debug->append('Global smarty variables', 3);
@@ -172,7 +170,7 @@ if ($motd = $setting->getValue('system_motd'))
   $_SESSION['POPUP'][] = array('CONTENT' => $motd, 'TYPE' => 'info');
 
 // So we can display additional info
-$smarty->assign('DEBUG', DEBUG);
+$smarty->assign('DEBUG', $config['DEBUG']);
 
 // Make it available in Smarty
 $smarty->assign('PATH', 'site_assets/' . THEME);
diff --git a/public/include/version.inc.php b/public/include/version.inc.php
index f1fbcf4b..c6204c76 100644
--- a/public/include/version.inc.php
+++ b/public/include/version.inc.php
@@ -1,22 +1,17 @@
 <?php
+$defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
 
-// Make sure we are called from index.php
-if (!defined('SECURITY')) die('Hacking attempt');
-
-define('MPOS_VERSION', '0.0.2');
+define('MPOS_VERSION', '0.0.3');
 define('DB_VERSION', '0.0.4');
-define('CONFIG_VERSION', '0.0.6');
+define('CONFIG_VERSION', '0.0.7');
 
 // Fetch installed database version
 $db_version = $setting->getValue('DB_VERSION');
 if ($db_version != DB_VERSION) {
   // Notify admins via error popup
-  if (isset($_SESSION['USERDATA']) && $user->isAdmin($_SESSION['USERDATA']['id']))
-    $_SESSION['POPUP'][] = array('CONTENT' => 'Database version mismatch (Installed: ' . $db_version . ', Current: ' . DB_VERSION . '). Database update required, please import any new SQL files. Cronjobs have been halted.', 'TYPE' => 'errormsg');
+  $_SESSION['POPUP'][] = array('CONTENT' => 'Database version mismatch (Installed: ' . $db_version . ', Current: ' . DB_VERSION . '). Database update required, please import any new SQL files. Cronjobs have been halted.', 'TYPE' => 'errormsg');
 }
-
-if (@$config['version'] != CONFIG_VERSION) {
+if (@$config['version'] !== CONFIG_VERSION) {
   // Notify admins via error popup
-  if (isset($_SESSION['USERDATA']) && $user->isAdmin($_SESSION['USERDATA']['id']))
-    $_SESSION['POPUP'][] = array('CONTENT' => 'Configuration file version mismatch (Installed: ' . @$config['version'] . ', Current: ' . CONFIG_VERSION . '). Configuration update required, please check dist config for changes. Cronjobs have been halted.', 'TYPE' => 'errormsg');
+  $_SESSION['POPUP'][] = array('CONTENT' => 'Configuration file version mismatch (Installed: ' . @$config['version'] . ', Current: ' . CONFIG_VERSION . '). Configuration update required, please check dist config for changes. Cronjobs have been halted.', 'TYPE' => 'errormsg');
 }
diff --git a/public/index.php b/public/index.php
index 0c1fbd09..811b9b05 100644
--- a/public/index.php
+++ b/public/index.php
@@ -1,5 +1,4 @@
 <?php
-
 /*
 
 Copyright:: 2013, Sebastian Grewe
@@ -16,27 +15,49 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 
- */
+*/
+// Set a decently long SECURITY key with special chars etc
+define('SECURITY', '*)WT#&YHfd');
+// Whether or not to check SECHASH for validity, still checks if SECURITY defined as before if disabled
+define('SECHASH_CHECK', false);
 
-// Used for performance calculations
-$dStartTime = microtime(true);
+// Nothing below here to configure, move along...
+
+// change SECHASH every second, we allow up to 3 sec back for slow servers
+if (SECHASH_CHECK) {
+  function fip($tr=0) { return md5(SECURITY.(time()-$tr).SECURITY); }
+  define('SECHASH', fip());
+  function cfip() { return (fip()==SECHASH||fip(1)==SECHASH||fip(2)==SECHASH) ? 1 : 0; }
+} else {
+  function cfip() { return (@defined('SECURITY')) ? 1 : 0; }
+}
 
 // This should be okay
 // No but Its now, - Aim
 define("BASEPATH", dirname(__FILE__) . "/");
 
-// Our security check
-define("SECURITY", 1);
+// all our includes and config etc are now in bootstrap
+include_once('include/bootstrap.php');
 
-// Include our configuration (holding defines for the requires)
-if (!include_once(BASEPATH . 'include/config/global.inc.php')) die('Unable to load site configuration');
+// switch to https if config option is enabled
+$hts = ($config['https_only'] && (!empty($_SERVER['QUERY_STRING']))) ? "https://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."?".$_SERVER['QUERY_STRING'] : "https://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME'];
+($config['https_only'] && @!$_SERVER['HTTPS']) ? exit(header("Location: ".$hts)):0;
 
-// Our default template to load, pages can overwrite this later
-$master_template = 'master.tpl';
+if ($config['memcache']['enabled'] && $config['mc_antidos']['enabled']) {
+  if (PHP_OS == 'WINNT') {
+    require_once(CLASS_DIR . 'memcached.class.php');
+  }
+  // memcache antidos needs a memcache handle
+  $memcache = new Memcached();
+  $memcache->addServer($config['memcache']['host'], $config['memcache']['port']);
+}
+
+if ($config['memcache']['enabled'] && $config['mc_antidos']['enabled']) {
+  require_once(CLASS_DIR . '/memcache_ad.class.php');
+}
 
-// Start a session
-session_set_cookie_params(time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
 $session_start = @session_start();
+session_set_cookie_params(time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
 if (!$session_start) {
   session_destroy();
   session_regenerate_id(true);
@@ -44,9 +65,69 @@ if (!$session_start) {
 }
 @setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
 
-// Load Classes, they name defines the $ variable used
-// We include all needed files here, even though our templates could load them themself
-require_once(INCLUDE_DIR . '/autoloader.inc.php');
+// Rate limiting
+if ($config['memcache']['enabled'] && $config['mc_antidos']['enabled']) {
+  $skip_check = false;
+  // if this is an api call we need to be careful not to time them out for those calls separately
+  $per_page = '';
+  $ajax_calls = array(
+    array('api', 'getuserbalance'),
+    array('api', 'getnavbardata'),
+    array('api', 'getdashboarddata'),
+    array('api', 'getuserworkers')
+  );
+  $iac = 0;
+  foreach ($ajax_calls as $ac) {
+    $iac = (@$_REQUEST['page'] == $ac[0] && @$_REQUEST['action'] == $ac[1]) ? $iac+=1 : $iac;
+  }
+  $is_ajax_call = ($iac > 0) ? true : false;
+  if ($is_ajax_call && $config['mc_antidos']['protect_ajax']) {
+    $per_page = 'api';
+  } else if ($is_ajax_call && !$config['mc_antidos']['protect_ajax']) {
+    // protect isn't on, we'll ignore it
+    $skip_check = true;
+  } else if ($config['mc_antidos']['ignore_admins'] && isset($_SESSION['USERDATA']['is_admin']) && $_SESSION['USERDATA']['is_admin']) {
+    $skip_check = true;
+  }
+  if (!$skip_check) {
+    $mcad = new MemcacheAntiDos($config, $memcache, $per_page);
+    if ($config['mc_antidos']['protect_ajax'] && $is_ajax_call && $mcad->rate_limit_api_request) {
+      exit(header('HTTP/1.1 401 Unauthorized'));
+    }
+    $error_page = $config['mc_antidos']['error_push_page'];
+    if ($mcad->rate_limit_site_request) {
+      if (!is_array($error_page) || count($error_page) < 1 || (empty($error_page['page']) && empty($error_page['action']))) {
+        die("You are sending too many requests too fast!");
+      } else {
+        $_REQUEST['page'] = $error_page['page'];
+        $_REQUEST['action'] = (isset($error_page['action']) && !empty($error_page['action'])) ? $error_page['action'] : $_REQUEST['action'];
+      }
+    }
+  }
+}
+
+// Got past rate limiter and session manager
+// show last logged in popup if it's still set
+if (@$_GET['clp'] == 1 && @$_SESSION['last_ip_pop']) unset($_SESSION['last_ip_pop']);
+if (count(@$_SESSION['last_ip_pop']) == 2) {
+  $data = $_SESSION['last_ip_pop'];
+  $ip = filter_var($data[0], FILTER_VALIDATE_IP);
+  $time = date("l, F jS \a\\t g:i a", $data[1]);
+  $closelink = "<a href='index.php?page=dashboard&clp=1' style='float:right;padding-right:14px;'>Close</a>";
+  if (@$_SESSION['AUTHENTICATED'] && $_SESSION['last_ip_pop'][0] !== $_SERVER['REMOTE_ADDR']) {
+    $_SESSION['POPUP'][] = array('CONTENT' => "You last logged in from <b>$ip</b> on $time $closelink", 'TYPE' => 'warning');
+  } else {
+    $_SESSION['POPUP'][] = array('CONTENT' => "You last logged in from <b>$ip</b> on $time $closelink", 'TYPE' => 'info');
+  }
+}
+
+// version check and config check if not disabled
+if (@$_SESSION['USERDATA']['is_admin'] && $user->isAdmin(@$_SESSION['USERDATA']['id'])) {
+  require_once(INCLUDE_DIR . '/version.inc.php');
+  if (!@$config['skip_config_tests']) {
+    require_once(INCLUDE_DIR . '/admin_checks.php');
+  }
+}
 
 // Create our pages array from existing files
 if (is_dir(INCLUDE_DIR . '/pages/')) {
@@ -83,7 +164,7 @@ $action = (isset($_REQUEST['action']) && !is_array($_REQUEST['action'])) && isse
 // Check csrf token validity if necessary
 if ($config['csrf']['enabled'] && isset($_POST['ctoken']) && !empty($_POST['ctoken']) && !is_array($_POST['ctoken'])) {
   $csrftoken->valid = ($csrftoken->checkBasic($user->getCurrentIP(), $arrPages[$page], $_POST['ctoken'])) ? 1 : 0;
-} else if ($config['csrf']['enabled'] && (!@$_POST['ctoken'] || empty($_POST['ctoken']) || is_array($_POST['ctoken']))) {
+} else if ($config['csrf']['enabled'] && (!@$_POST['ctoken'] || empty($_POST['ctoken']))) {
   $csrftoken->valid = 0;
 }
 if ($config['csrf']['enabled']) $smarty->assign('CTOKEN', $csrftoken->getBasic($user->getCurrentIP(), $arrPages[$page]));
diff --git a/public/templates/mobile/login/default.tpl b/public/templates/mobile/login/default.tpl
index 42df1902..d179f023 100644
--- a/public/templates/mobile/login/default.tpl
+++ b/public/templates/mobile/login/default.tpl
@@ -1,5 +1,4 @@
       <form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm" data-ajax="false">
-        <input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" />
         <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
         <p><label for="userForm">Email</label><input type="text" name="username" value="" id="userForm"></p>
         <p><label for="passForm">Password</label><input type="password" name="password" value="" id="passForm"></p>
diff --git a/public/templates/mpos/error/ratelimit/default.tpl b/public/templates/mpos/error/ratelimit/default.tpl
new file mode 100644
index 00000000..7ab5c72b
--- /dev/null
+++ b/public/templates/mpos/error/ratelimit/default.tpl
@@ -0,0 +1,6 @@
+<article class="module width_full">
+<header><h3>Request rate limit exceeded</h3></header>
+<div class="module_content">
+<p>You're sending too many requests too fast!</p>
+</div>
+</article>
\ No newline at end of file
diff --git a/public/templates/mpos/login/default.tpl b/public/templates/mpos/login/default.tpl
index b9c8ef56..b407e2a1 100644
--- a/public/templates/mpos/login/default.tpl
+++ b/public/templates/mpos/login/default.tpl
@@ -1,6 +1,5 @@
 <article class="module width_half">
   <form action="{$smarty.server.SCRIPT_NAME}?page=login" method="post" id="loginForm">
-    <input type="hidden" name="to" value="{($smarty.request.to|default:"{$smarty.server.SCRIPT_NAME}?page=dashboard")|escape}" />
     <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
     <header><h3>Login with existing account</h3></header>
     <div class="module_content">
diff --git a/public/templates/mpos/login/small.tpl b/public/templates/mpos/login/small.tpl
index 7ed9b55c..32b61fe5 100644
--- a/public/templates/mpos/login/small.tpl
+++ b/public/templates/mpos/login/small.tpl
@@ -3,7 +3,6 @@
   <form action="{$smarty.server.SCRIPT_NAME}" method="post" id="loginForm">
     <input type="hidden" name="page" value="login" />
     <input type="hidden" name="ctoken" value="{$CTOKEN|escape|default:""}" />
-    <input type="hidden" name="to" value="{$smarty.server.SCRIPT_NAME}?page=dashboard" />
     <fieldset2 class="small">
       <label>Username</label>
       <input type="text" name="username" size="22" maxlength="100" required />
diff --git a/tests/bootstrap.php b/tests/bootstrap.php
new file mode 100644
index 00000000..b11e7c48
--- /dev/null
+++ b/tests/bootstrap.php
@@ -0,0 +1,38 @@
+<?php 
+
+error_reporting(E_ALL);
+
+define('SECURITY', 'so we can check config options');
+
+// pull in our tests config
+require_once('config.php');
+
+define('REALCONFIG', BASEPATH.'include/config/global.inc.php');
+define('DISTCONFIG', BASEPATH.'include/config/global.inc.dist.php');
+
+if (!DIST_OR_REAL_CONFIG) {
+  require_once(DISTCONFIG);
+} else {
+  require_once(REALCONFIG);
+}
+
+require_once(BASEPATH . 'include/autoloader.inc.php');
+
+require_once("PHPUnit/Autoload.php");
+
+/*
+ * apache2* libapache2-mod-php5* mysql-server* php-codecoverage*
+  php-codesniffer* php-file-iterator* php-gettext* php-pear* php-symfony-yaml*
+  php-text-template* php-timer* php-token-stream* php5* php5-cli*
+  php5-mysqlnd* phpmyadmin* phppgadmin* phpunit* phpunit-mock-object*
+  sudo apt-get install mysql-server apache2 memcached php5-memcached php5-mysqlnd php5-curl php5-json php5-cli libapache2-mod-php5 phpmyadmin phpunit phpunit-mock-object
+ */
+
+// your db connection setup
+class DBConnection {
+  public function __construct($config) {
+    return new mysqli($config['db']['host'], $config['db']['user'], $config['db']['pass'], $config['db']['name'], $config['db']['port']);
+  }
+}
+
+?>
\ No newline at end of file
diff --git a/tests/config.dist.php b/tests/config.dist.php
new file mode 100644
index 00000000..21da7475
--- /dev/null
+++ b/tests/config.dist.php
@@ -0,0 +1,10 @@
+<?php 
+
+// full path to mpos public directory, with trailing slash
+define('BASEPATH', '');
+
+// choose which mpos config to test against, dist or real
+// 0 = dist, 1 = real
+define('DIST_OR_REAL_CONFIG', 1);
+
+?>
\ No newline at end of file
diff --git a/tests/config.php b/tests/config.php
new file mode 100644
index 00000000..82f2ef67
--- /dev/null
+++ b/tests/config.php
@@ -0,0 +1,13 @@
+<?php 
+
+// full path to mpos public directory, with trailing slash
+define('BASEPATH', '/var/www/php-mpos-allbranches/php-mpos/public/');
+
+// choose which config to test against, dist or real
+// 0 = dist, 1 = real
+define('DIST_OR_REAL_CONFIG', 1);
+
+// because php cli defaults are shit, the socket might be wrong
+ini_set('mysqli.default_socket', '/var/run/mysqld/mysqld.sock');
+
+?>
\ No newline at end of file
diff --git a/tests/phpunit.xml b/tests/phpunit.xml
index 6cafbdac..5a0c3765 100644
--- a/tests/phpunit.xml
+++ b/tests/phpunit.xml
@@ -1,5 +1,16 @@
+<phpunit bootstrap="bootstrap.php">
 <testsuites>
-  <testsuite name="SampleTest">
-    <directory>unit/config</directory>
-  </testsuite>
-</testsuites>
\ No newline at end of file
+    <testsuite name="SampleTest">
+      <directory>unit/config</directory>
+    </testsuite>
+    <testsuite name="Security_CSRFToken">
+      <directory>unit/securityregress/Security_CSRFToken.php</directory>
+    </testsuite>
+    <testsuite name="Security_Sessions">
+      <directory>unit/securityregress/Security_Sessions.php</directory>
+    </testsuite>
+    <testsuite name="Security_Tokens">
+      <directory>unit/securityregress/Security_Tokens.php</directory>
+    </testsuite>
+  </testsuites>
+</phpunit>
\ No newline at end of file
diff --git a/tests/unit/config/SampleTest.php b/tests/unit/config/SampleTest.php
index 9b445a57..ae788a29 100644
--- a/tests/unit/config/SampleTest.php
+++ b/tests/unit/config/SampleTest.php
@@ -2,19 +2,14 @@
 
 // these are ONLY here because we're checking config options
 // these should NOT be in a normal unit test
-define('SECURITY', 'so we can check config options');
-define("BASEPATH", "./");
-
-require_once(BASEPATH.'public/include/config/global.inc.dist.php');
-require_once("PHPUnit/Autoload.php");
 
 class TestDistConfig extends PHPUnit_Framework_Testcase {
   /**
-* Test to make sure SALT is sane
-*/
-  function testSalt() {
-    $this->assertNotEmpty(SALT);
-    $this->assertGreaterThan(1, strlen(SALT));
+   * Test to make sure SALT is sane
+   */
+  function testSaltLength() {
+    $this->assertNotEmpty($config['SALT']);
+    $this->assertGreaterThan(1, strlen($config['SALTY']));
   }
 }
 
diff --git a/tests/unit/securityregress/Security_CSRFToken.php b/tests/unit/securityregress/Security_CSRFToken.php
new file mode 100644
index 00000000..a3a0d7f5
--- /dev/null
+++ b/tests/unit/securityregress/Security_CSRFToken.php
@@ -0,0 +1,45 @@
+<?php
+
+class Security_CSRFToken extends PHPUnit_Framework_Testcase {
+  /**
+   * Tests if a CSRF token succeeds for a matching user and type
+   */
+  function testCSRFToken_success() {
+    global $config;
+    global $user;
+    global $csrftoken;
+    
+    // no delay
+    // TODO: simulate delay without a sleep ? test length
+    $created_token = $csrftoken->getBasic($user->getCurrentIP(), 'test-token');
+    $test_token = $csrftoken->checkBasic($user->getCurrentIP(), 'test-token', $created_token);
+    $this->assertTrue($test_token);
+  }
+  
+  /**
+   * Tests if a CSRF token correctly fails
+   */
+  function testCSRFToken_fail() {
+    global $config;
+    global $user;
+    global $csrftoken;
+    
+    // differing user
+    $created_token = $csrftoken->getBasic('not the same', 'test-token');
+    $test_token = $csrftoken->checkBasic($user->getCurrentIP(), 'test-token', $created_token);
+    $this->assertFalse($test_token);
+    
+    // differing type
+    $created_token2 = $csrftoken->getBasic($user->getCurrentIP(), 'not the same');
+    $test_token2 = $csrftoken->checkBasic($user->getCurrentIP(), 'test-token', $created_token2);
+    $this->assertFalse($test_token2);
+    
+    // token slightly shortened
+    $created_token3 = $csrftoken->getBasic($user->getCurrentIP(), 'test-token');
+    $created_token3 = substr($created_token3, 0, (strlen($created_token3)-1));
+    $test_token3 = $csrftoken->checkBasic($user->getCurrentIP(), 'test-token', $created_token3);
+    $this->assertFalse($test_token3);
+  }
+}
+
+?>
\ No newline at end of file
diff --git a/tests/unit/securityregress/Security_Sessions.php b/tests/unit/securityregress/Security_Sessions.php
new file mode 100644
index 00000000..5813f5a1
--- /dev/null
+++ b/tests/unit/securityregress/Security_Sessions.php
@@ -0,0 +1,30 @@
+<?php
+
+class Security_Sessions extends PHPUnit_Framework_Testcase {
+  /**
+   * Tests if our current session checking will throw errors or take a malformed id
+   */
+  function testSessions_destruction_malformed_id() {
+    global $config;
+    
+    $malformed_ids = array(
+        "",
+        "'",
+        "9881o1ke7ia4k5*p1k28e6utg0"
+    );
+    
+    foreach ($malformed_ids as $mid) {
+      session_set_cookie_params(time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
+      $session_start = @session_start();
+      if (!$session_start) {
+        session_destroy();
+        session_regenerate_id(true);
+        session_start();
+      }
+      @setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
+      $this->assertNotEquals($mid, session_id());
+    }
+  }
+}
+
+?>
\ No newline at end of file
diff --git a/tests/unit/securityregress/Security_Tokens.php b/tests/unit/securityregress/Security_Tokens.php
new file mode 100644
index 00000000..4ff8d967
--- /dev/null
+++ b/tests/unit/securityregress/Security_Tokens.php
@@ -0,0 +1,25 @@
+<?php
+
+class Security_Tokens extends PHPUnit_Framework_Testcase {
+  /**
+   * Tests tokens CRUD
+   */
+  function testTokens_CRUD() {
+    global $config;
+    global $mysqli;
+    $mysqli = new DBConnection($config);
+    global $tokentype;
+    global $oToken;
+    // grab token types first so we can test them all
+    $token_types = $tokentype->getAll();
+    
+    foreach ($token_types as $tt) {
+      // create
+      $create_token = $oToken->createToken($tt['name'], 1);
+      $this->assertStringMatchesFormat('%x', $create_token);
+      $this->assertGreaterThan(16, strlen($create_token));
+    }
+  }
+}
+
+?>
\ No newline at end of file