================================================================
  xooa.net — Services Signup & Deployment Guide
  PHP Proxy Edition (IONOS Shared Hosting)
================================================================

This file covers every external service used by xooa.net, how to
sign up, and exactly how to deploy the site securely on IONOS
shared hosting so your API keys are never exposed.

----------------------------------------------------------------
  HOW THE SECURITY WORKS (read this first)
----------------------------------------------------------------

WITHOUT this setup (insecure):
  Browser → Serper.dev API   (key visible in browser DevTools)

WITH this setup (secure):
  Browser → /api/rank.php on YOUR server → Serper.dev API
                    ↑
            API keys live here only, in private/config.php
            (not publicly accessible)

The browser never sees any key. It only ever talks to your own
rank.php file, which makes all external API calls on the server
side.

----------------------------------------------------------------
  SUMMARY TABLE
----------------------------------------------------------------

Service                  | Required? | Cost  | What it provides
-------------------------|-----------|-------|------------------
Serper.dev               | YES       | FREE* | Google rankings
Google PageSpeed API     | YES       | FREE  | Performance scores
Google Safe Browsing API | Optional  | FREE  | Malware/hack check
Google AdSense           | Optional  | FREE  | Ad revenue
allorigins.win (CDN)     | NO        | FREE  | CORS proxy (built-in)

* Serper.dev: 2,500 free searches on signup. After that,
  pay-as-you-go from $1.00 per 1,000 searches.
* Google APIs: completely free within generous daily quotas.
  PageSpeed: 25,000 queries/day. Safe Browsing: 10,000/day.
  No billing required for either.

================================================================
  STEP 1 — Sign Up for Serper.dev (Google Rankings)
================================================================

1. Go to: https://serper.dev
2. Click "Get Started Free" or "Sign Up"
3. Create an account with your email (no credit card needed)
4. After signup, go to your Dashboard
5. Copy your API Key (looks like: a1b2c3d4e5f6g7h8...)
6. Keep this key — you will paste it in Step 3 below.

USAGE TIPS:
- The tool checks up to 15 keyword combinations per analysis
- Each combination = 1 API call (15 calls per full analysis)
- Monitor usage at: https://serper.dev/dashboard
- 2,500 free searches = ~166 full analyses before paying

================================================================
  STEP 2 — Get a Free Google API Key (PageSpeed + Safe Browsing)
================================================================

ONE Google API key covers BOTH PageSpeed Insights AND Safe
Browsing. You only need to do this once.

--- 2a. Create a Google Cloud Project ---

1. Go to: https://console.cloud.google.com/
2. Sign in with your Google account (Gmail works fine)
3. At the top, click the project dropdown > "New Project"
4. Name it something like "xooa-net"
5. Click "Create" and wait a few seconds

--- 2b. Enable the PageSpeed Insights API ---

1. In the left menu, go to: APIs & Services > Library
2. In the search box, type: PageSpeed Insights API
3. Click on "PageSpeed Insights API" in the results
4. Click the blue "Enable" button
5. Wait for it to enable (takes about 10 seconds)

--- 2c. Enable the Safe Browsing API (optional) ---

1. Go back to: APIs & Services > Library
2. Search for: Safe Browsing API
3. Click "Safe Browsing API" > click "Enable"

--- 2d. Create Your API Key ---

1. Go to: APIs & Services > Credentials
2. Click "+ Create Credentials" at the top
3. Choose "API key"
4. Your key is created immediately — copy it now
   (looks like: AIzaSyB1a2c3d4e5f6g7h8i9j0...)

--- 2e. Restrict the Key (Recommended) ---

Restricting the key means it only works on your server, so even
if someone finds it, they cannot use it elsewhere.

1. Click on the key you just created
2. Under "Application restrictions", choose "IP addresses"
3. Add your IONOS server's IP address
   (find it in IONOS control panel > Hosting > Overview)
4. Under "API restrictions", choose "Restrict key"
5. Select: PageSpeed Insights API + Safe Browsing API
6. Click Save

NOTE: If you are not sure of your server IP, you can skip
restriction for now and add it later. The key will still work
without restrictions.

================================================================
  STEP 3 — Add Your Keys to config.php
================================================================

1. Open the file: private/config.php
   (included in the zip you downloaded)

2. Find and replace each placeholder:

   SERPER KEY (required for rankings):
     define('SERPER_API_KEY', 'YOUR_SERPER_API_KEY_HERE');
     → Replace with your key from serper.dev

   SAFE BROWSING KEY (optional, enables malware check):
     define('SAFE_BROWSING_API_KEY', 'YOUR_SAFE_BROWSING_API_KEY_HERE');
     → Replace with your Google API key from Step 2

   PAGESPEED KEY (required for performance scores):
     define('PAGESPEED_API_KEY', 'YOUR_PAGESPEED_API_KEY_HERE');
     → Replace with your Google API key from Step 2
     → NOTE: This is the SAME key as Safe Browsing. You can
       paste the same key in both fields.

3. Save the file.

EXAMPLE of a filled-in config.php:

  define('SERPER_API_KEY',        'a1b2c3d4e5f6g7h8...');
  define('SAFE_BROWSING_API_KEY', 'AIzaSyB1a2c3d4...');
  define('PAGESPEED_API_KEY',     'AIzaSyB1a2c3d4...');  // same key

================================================================
  STEP 4 — Understand Your IONOS Folder Structure
================================================================

On IONOS shared hosting, when you connect via FTP you land
directly in your web root. The private/ folder goes INSIDE the
web root but is protected by .htaccess from web access.

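Because config.php sits inside the web root, the .htaccess rule is
the only thing keeping it private, so it is worth confirming from
outside once the files are uploaded in Step 5. The script below is
an added example, not part of the original guide or the xooa.net
package; it assumes curl is installed, and BASE_URL, the function
names and the --run flag are illustrative.

```shell
#!/bin/sh
# Added example: exposure check for the layout in this guide.
# BASE_URL default, function names and the --run flag are illustrative.
BASE_URL="${BASE_URL:-https://xooa.net}"

# Verdict for a direct request to a file under private/.
# $1 = HTTP status, $2 = body. Returns 0 only when access is denied.
check_private() {
  case "$2" in
    *"<?php"*|*"define("*)
      echo "FAIL: PHP source returned as text, keys exposed"; return 1 ;;
  esac
  case "$1" in
    403) echo "PASS: web access denied (403)"; return 0 ;;
    200) echo "FAIL: .htaccess not applied, file is reachable (200)"; return 1 ;;
    *)   echo "CHECK: unexpected status $1, inspect private/.htaccess"; return 2 ;;
  esac
}

# Verdict for a GET to api/rank.php, using the two messages from Step 6.
check_proxy() {
  case "$1" in
    *"Method not allowed"*) echo "PASS: proxy running, config.php found"; return 0 ;;
    *"Server configuration missing"*) echo "FAIL: config.php not found"; return 1 ;;
    *) echo "CHECK: unexpected response"; return 2 ;;
  esac
}

# Fetch URL $1; prints the status code on line 1, then the body.
fetch() {
  tmp=$(mktemp) || return 1
  code=$(curl -s --max-time 15 -o "$tmp" -w '%{http_code}' "$1")
  printf '%s\n' "$code"; cat "$tmp"; rm -f "$tmp"
}

run_checks() {
  for path in private/config.php private/.htaccess; do
    out=$(fetch "$BASE_URL/$path")
    printf '%s: ' "$path"
    check_private "$(printf '%s\n' "$out" | head -n 1)" \
                  "$(printf '%s\n' "$out" | tail -n +2)"
  done
  printf 'api/rank.php: '
  check_proxy "$(fetch "$BASE_URL/api/rank.php" | tail -n +2)"
}

# Network checks run only on request: sh check.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

A 200 with an empty body on private/config.php means PHP executed
the file, so no key was printed, but the folder is not actually
blocked and any handler misconfiguration would serve the source.
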
Your folder structure should look like this:

  / (your FTP root = public web root)
  ├── index.html
  ├── privacy.html
  ├── contact.html
  ├── signup-services.txt      ← do NOT upload this to the server
  ├── css/
  │   └── style.css
  ├── js/
  │   └── app.js
  ├── api/
  │   ├── rank.php
  │   └── .htaccess            ← disables directory listing
  └── private/
      ├── config.php           ← API keys here (protected by .htaccess)
      └── .htaccess            ← blocks all web access to this folder

The private/.htaccess file contains "Deny from all" which
prevents anyone from accessing config.php via a browser URL,
while still allowing rank.php to read it on the server.

================================================================
  STEP 5 — Upload Files via FTP
================================================================

Connect to your IONOS hosting via FTP (FileZilla recommended,
free download at https://filezilla-project.org/).

Your FTP credentials are in your IONOS control panel under:
  Hosting > Webspace > FTP Access

UPLOAD ALL FILES to your FTP root:

  PUBLIC FILES (upload to FTP root):
    ✓ index.html
    ✓ privacy.html
    ✓ contact.html
    ✓ css/style.css
    ✓ js/app.js
    ✓ api/rank.php
    ✓ api/.htaccess

  PRIVATE FILES (upload to private/ folder in FTP root):
    ✓ private/config.php   ← paste your keys in here first!
    ✓ private/.htaccess    ← upload alongside config.php

  DO NOT UPLOAD:
    ✗ signup-services.txt  ← keep this on your computer only

================================================================
  STEP 6 — Test the Site
================================================================

1. Visit https://xooa.net/api/rank.php in your browser
   You should see: {"error":"Method not allowed. Use POST."}
   This confirms the proxy is running and config.php was found.
   If you see "Server configuration missing" — config.php was
   not found. Check that private/ folder is in the right place.

2. Visit https://xooa.net and enter a URL to analyze.

3. After analysis, check each section:
   - Rankings: should show real position numbers (not "Demo data")
   - Performance: should show real PageSpeed scores (not 0)
   - Security: Safe Browsing check should show "Safe" or threats

4. Open browser DevTools (F12) > Network tab
   Find the request to /api/rank.php — confirm NO API key is
   visible anywhere in the request. The key is on the server.

IF PAGESPEED SCORES SHOW 0 OR ERROR:
- Check that PAGESPEED_API_KEY is set in config.php
- Check that PageSpeed Insights API is enabled in Google Cloud
- Visit https://console.cloud.google.com/ > APIs & Services >
  Dashboard to confirm the API is enabled and getting calls

IF RANKINGS SHOW "Demo data":
- Check that SERPER_API_KEY is set in config.php
- Visit https://serper.dev/dashboard to confirm key is active

================================================================
  STEP 7 — Sign Up for Google AdSense (Optional)
================================================================

ELIGIBILITY (before applying):
- Site must be live and publicly accessible
- Must have original, useful content
- Must be 18 years or older
- Must comply with Google content policies

SIGNUP STEPS:
1. Go to: https://adsense.google.com/start/
2. Click "Get started"
3. Sign in with your Google account
4. Enter your website URL: https://xooa.net
5. Google will review your site (can take 1–14 days)
6. Once approved, create ad units and copy your Publisher ID

WHAT TO REPLACE IN THE HTML FILES:
In index.html, privacy.html, and contact.html:

  Replace: ca-pub-XXXXXXXXXXXXXXXX
  With:    your real Publisher ID (e.g. ca-pub-1234567890123456)

  Replace: data-ad-slot="XXXXXXXXXX"
  With:    your real ad slot ID (e.g. data-ad-slot="9876543210")

There are 6 ad slots total across the 3 HTML files.

ADSENSE HELP: https://support.google.com/adsense/

================================================================
  RATE LIMITING (optional but recommended)
================================================================

The proxy includes built-in rate limiting to prevent abuse.
By default it allows 20 requests per IP per hour.

To change this, edit private/config.php:

  define('RATE_LIMIT_PER_HOUR', 20);   // change this number
  define('RATE_LIMIT_PER_HOUR', 0);    // set to 0 to disable

================================================================
  QUICK CHECKLIST
================================================================

SERPER.DEV (Google Rankings):
  [ ] Sign up at https://serper.dev
  [ ] Copy your API key from the dashboard
  [ ] Paste into private/config.php as SERPER_API_KEY

GOOGLE API KEY (PageSpeed + Safe Browsing):
  [ ] Go to https://console.cloud.google.com/
  [ ] Create a project (e.g. "xooa-net")
  [ ] Enable "PageSpeed Insights API"
  [ ] Enable "Safe Browsing API" (optional)
  [ ] Create an API key under Credentials
  [ ] Paste into private/config.php as PAGESPEED_API_KEY
  [ ] Paste the same key as SAFE_BROWSING_API_KEY (optional)

DEPLOYMENT:
  [ ] Upload all public files to FTP root
  [ ] Upload private/config.php and private/.htaccess to the
      private/ folder in FTP root
  [ ] Visit https://xooa.net/api/rank.php — confirm "Method not allowed"
  [ ] Run a test analysis and confirm real data appears
  [ ] Confirm no API keys visible in browser DevTools

ADSENSE (when site has content):
  [ ] Apply at https://adsense.google.com/start/
  [ ] After approval, replace publisher ID and slot IDs in HTML files

================================================================
  SUPPORT & QUESTIONS
================================================================

For questions about the site, use the Contact page:
  https://xooa.net/contact.html

Serper.dev support:
  https://serper.dev/support

Google Cloud console:
  https://console.cloud.google.com/

Google PageSpeed docs:
  https://developers.google.com/speed/docs/insights/v5/get-started

Google Safe Browsing docs:
  https://developers.google.com/safe-browsing/v4/get-started

AdSense support:
  https://support.google.com/adsense/

IONOS FTP help:
  https://www.ionos.com/help/hosting/ftp/

FileZilla (free FTP client):
  https://filezilla-project.org/

================================================================
  END OF FILE
================================================================