Open-Gemini-Chatbot-Php

agent
Security Audit: Warn

Health: Warn
  • License — License: NOASSERTION
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Low visibility — Only 5 GitHub stars

Code: Warn
  • network request — Outbound network request in script.js

Permissions: Pass
  • Permissions — No dangerous permissions requested
Purpose
This tool is a self-hosted web interface and PHP proxy for interacting with the Google Gemini API. It provides a simple chatbot UI featuring file uploads, markdown rendering, and theme customization.

Security Assessment
Overall Risk: Low. The tool acts as a secure proxy, keeping your Gemini API key hidden on the backend inside `config.php`. It does not execute shell commands or access unauthorized local system files. It does make outbound network requests via JavaScript (`script.js`) to communicate with its own PHP backend, which is standard behavior for a web application. There are no hardcoded secrets; you must provide your own API key. The developer has proactively integrated multiple web security layers, including CSRF protection, XSS prevention (via DOMPurify), and rate limiting.

Quality Assessment
The project is currently active, with its last push occurring today. However, community visibility and trust are very low, as indicated by only 5 GitHub stars. The repository lacks a clearly defined standard license, marking it as "NOASSERTION," which means you should verify the terms of use before utilizing it for commercial purposes. It is built using vanilla languages (PHP, JS, CSS) with no heavy framework dependencies, making it lightweight and easy to manually review.

Verdict
Safe to use, but review the license terms if you plan to modify or deploy it commercially.
SUMMARY

Secure, lightweight, and modern PHP-based Google Gemini AI chatbot. Features advanced security measures (CSRF, Rate Limiting, CORS) and file upload support.

README.md

Gemini AI Chatbot (PHP)

A secure, self-hosted AI chatbot powered by Google's Gemini API. Built with PHP, vanilla JavaScript, and CSS — no frameworks required. Features real-time typing effects, markdown rendering, code syntax highlighting, file uploads, dark/light theme, and multi-layer security.


Demo: https://ai.arvasin.com.tr/

[Screenshot 2026-04-01 180930]

Turkish

Features

  • Multi-layer security: CSRF token, Origin/Referer check, IP-based rate limiting
  • Dark/Light theme support
  • Realistic bot responses with a typing effect
  • Markdown support: headings, lists, tables, code blocks
  • Code syntax highlighting (Highlight.js)
  • File upload: images, PDF, TXT, CSV
  • XSS protection (DOMPurify)
  • Mobile-friendly (responsive) design
  • Lightweight: requires no framework

Setup

  1. Upload the files to your server (PHP 7.4+ required; the curl extension must be enabled)

  2. Edit config.php (line 10) and enter your API key:
    define('GEMINI_API_KEY', 'BURAYA_API_ANAHTARINIZI_GİRİN');

    You can get your API key from Google AI Studio.

  3. Edit api.php:
    • (line 15) Replace the $YOUR_DOMAIN variable with your own domain name:
      $YOUR_DOMAIN = 'sizindomain.com';
    • (line 172) Customize the system prompt in the systemInstruction section:
      $data['systemInstruction'] = [
          'parts' => [
              ['text' => "Kendi özel komutunuzu buraya yazın."]
          ]
      ];
    • (line 198) Replace the $GEMINI_MODEL variable with the model you want:
      $GEMINI_MODEL = 'gemini-3.1-flash-lite-preview';

  4. Edit index.php (line 5):
    • Replace the $YOUR_DOMAIN variable with your own domain name:
      $YOUR_DOMAIN = 'sizindomain.com';
    • Change the page title, greeting text and placeholder as you like.

  5. Edit .htaccess (lines 58 and 67):
    • Replace the yourdomain\.com parts on those lines with your own domain name (remember to escape the dots as \.):
      RewriteCond %{HTTP_REFERER} !^https?://(www\.)?sizindomain\.com [NC]

  6. Replace the images (optional):
    • logo.png — Bot avatar and favicon
    • kullanici.png — User avatar

File Structure

File            Description
config.php      API key (secret, not externally accessible)
api.php         Backend API proxy — security layers + Gemini API communication
index.php       Main page — PHP session start + HTML interface
script.js       Frontend logic — chat, file upload, theme
style.css       All styles — dark/light theme, markdown, responsive
.htaccess       Apache security rules
.user.ini       PHP security settings
logo.png        Bot avatar / favicon
kullanici.png   User avatar


English

Features

  • Multi-layer security: CSRF token, Origin/Referer check, IP-based rate limiting
  • Dark/Light theme toggle
  • Typing effect for realistic bot responses
  • Markdown support: Headings, lists, tables, code blocks
  • Code syntax highlighting (Highlight.js)
  • File upload: Images, PDF, TXT, CSV
  • XSS protection (DOMPurify)
  • Mobile-friendly (responsive) design
  • Lightweight: No frameworks required

Setup

  1. Upload files to your server (PHP 7.4+ required, curl extension must be enabled)

  2. Edit config.php (Line 10) — Enter your API key:
    define('GEMINI_API_KEY', 'YOUR_GEMINI_API_KEY_HERE');

    Get your API key from Google AI Studio.

  3. Edit api.php:
    • (Line 15) Replace $YOUR_DOMAIN with your actual domain:
      $YOUR_DOMAIN = 'yourdomain.com';
    • (Line 172) Customize the system instruction to define your AI's personality:
      $data['systemInstruction'] = [
          'parts' => [
              ['text' => "Your custom system prompt goes here."]
          ]
      ];
    • (Line 198) Set your preferred Gemini model:
      $GEMINI_MODEL = 'gemini-3.1-flash-lite-preview';

  4. Edit index.php (Line 5):
    • Replace $YOUR_DOMAIN with your actual domain:
      $YOUR_DOMAIN = 'yourdomain.com';
    • Customize the page title, greeting text, and placeholder as needed.

  5. Edit .htaccess (Lines 58 and 67):
    • Replace yourdomain\.com with your actual domain (escape dots with \.):
      RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]

  6. Replace images (optional):
    • logo.png — Bot avatar and favicon
    • kullanici.png — User avatar

File Structure

File            Description
config.php      API key storage (hidden, not externally accessible)
api.php         Backend API proxy — security layers + Gemini API communication
index.php       Main page — PHP session init + HTML interface
script.js       Frontend logic — chat, file upload, theme
style.css       All styles — dark/light theme, markdown, responsive
.htaccess       Apache security rules
.user.ini       PHP security settings
logo.png        Bot avatar / Favicon
kullanici.png   User avatar


Security Architecture

User Request
    │
    ├── .htaccess ──── HTTPS redirect, referer check, sensitive file blocking
    │
    ├── api.php
    │   ├── Origin check (CORS)
    │   ├── CSRF token validation
    │   ├── Referer check (2nd layer)
    │   ├── Rate limiting (30 req/hour per IP)
    │   ├── POST-only enforcement
    │   ├── JSON validation
    │   └── Response filtering (text-only output)
    │
    └── config.php ──── API key (blocked from external access)
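
The api.php layers in the tree above, written out as an added PHP illustration (this is not the project's own api.php). The X-CSRF-Token header name, the csrf_token session key, the message JSON field and the in-memory rate-limit store are assumptions made for the example; the 30 requests per hour per IP figure is the one the README documents.

```php
<?php
// Added illustration, not the project's api.php: the request gate from the
// Security Architecture section, one function per layer so each check is visible.
// The X-CSRF-Token header, the 'csrf_token' session key, the 'message' JSON field
// and the in-memory rate-limit store are assumptions for this example.
declare(strict_types=1);

const RATE_LIMIT  = 30;    // requests per IP per window, as documented
const RATE_WINDOW = 3600;  // one hour, in seconds

// Origin and Referer both carry a URL; compare only the host, case-insensitively.
function hostMatches(string $url, string $domain): bool {
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), [$domain, "www.$domain"], true);
}

// Sliding-window counter. A shared store (APCu, Redis, a file) is needed when PHP
// runs in several worker processes; an in-memory array is enough to show the logic.
function rateLimited(array &$store, string $ip, int $now): bool {
    $recent = array_filter($store[$ip] ?? [], fn(int $t) => $t > $now - RATE_WINDOW);
    if (count($recent) >= RATE_LIMIT) { $store[$ip] = array_values($recent); return true; }
    $recent[] = $now;
    $store[$ip] = array_values($recent);
    return false;
}

// Runs the layers listed in the tree (POST-only first, since the rest assume a POST).
// Returns null when the request may be forwarded to Gemini, otherwise [HTTP status, reason].
function gateRequest(array $server, array $session, string $body, array &$store, string $domain): ?array {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST')         return [405, 'POST only'];
    if (!hostMatches($server['HTTP_ORIGIN'] ?? '', $domain))  return [403, 'origin not allowed'];
    $expected = $session['csrf_token'] ?? null;
    $sent     = $server['HTTP_X_CSRF_TOKEN'] ?? '';
    if (!is_string($expected) || !hash_equals($expected, $sent)) return [403, 'CSRF token mismatch'];
    if (!hostMatches($server['HTTP_REFERER'] ?? '', $domain)) return [403, 'referer not allowed'];
    if (rateLimited($store, $server['REMOTE_ADDR'] ?? '0.0.0.0', time())) return [429, 'rate limit exceeded'];
    $json = json_decode($body, true);
    if (!is_array($json) || !is_string($json['message'] ?? null) || $json['message'] === '') {
        return [400, 'invalid JSON body'];
    }
    return null;
}

// Response filtering: hand the browser only the text parts of Gemini's reply,
// never the raw upstream JSON, so nothing but the answer text reaches the client.
function extractText(array $geminiResponse): string {
    $parts = $geminiResponse['candidates'][0]['content']['parts'] ?? [];
    return implode('', array_map(fn($p) => is_array($p) ? (string)($p['text'] ?? '') : '', $parts));
}
```

A caller would run gateRequest() on $_SERVER, $_SESSION and file_get_contents('php://input') before building the Gemini request, and pass the decoded upstream reply through extractText() before echoing it.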

Available Gemini Models

Model                            Description
gemini-3.1-flash-lite-preview    Fast, cost-effective preview
gemini-2.0-flash                 Fast and efficient (stable, recommended)
gemini-2.5-pro-preview-05-06     Most capable, preview
gemini-2.5-flash-preview-04-17   Latest flash preview

See the full list at Google AI Models.


License

This project is licensed under the MIT License — see the LICENSE file for details.

Original Author: Ahmet Emin Kahraman


Contributing

Contributions, issues, and feature requests are welcome! Feel free to open an issue or submit a pull request.
