Cambridge Exam Simulator B1, B2, C1, C2

View Index Shtml Camera Verified May 2026

POST /verify-camera
Request body:


  "image": "base64_encoded_frame",
  "session_id": "abc123"

Response:


  "verified": true,
  "token": "eyJhbGciOiJIUzI1NiIs..."

A robust system works like this:

  • Web server (when processing .shtml) calls a verification script:
  • If verified: The script returns an <img> tag pointing to a temporary, expiring URL or base64 image data.
  • If not verified: The page shows an error, logs the failure, and may alert an admin.

    • File: index.shtml

    <!DOCTYPE html>
<html>
<head>
    <title>Security Camera Dashboard</title>
    <meta http-equiv="refresh" content="2">
</head>
<body>
    <h1>Verified Camera Feeds</h1>
    <table>
        <tr>
            <td>Main Gate</td>
            <td><!--#include virtual="/verify?cam=gate" --></td>
        </tr>
        <tr>
            <td>Loading Dock</td>
            <td><!--#include virtual="/verify?cam=dock" --></td>
        </tr>
    </table>
    <p>Last verified: <!--#echo var="DATE_GMT" --> UTC</p>
</body>
</html>

    The /verify endpoint:

    Unlike static .html, an .shtml file allows the web server (Apache, Nginx, IIS) to execute SSI directives before sending the page to the client. This is crucial for verified camera views because:

    curl -s -I http://camera/page.shtml | grep -i "content-type" view index shtml camera verified

    | Component | Recommendation | |-----------|----------------| | Frontend | JavaScript + MediaDevices API (getUserMedia) | | Backend | Node.js / Python / PHP (must support SSI parsing) | | Liveness check | Local or cloud-based (e.g., WebRTC + TensorFlow.js, or send frame to backend with FaceAPI) | | SSI handling | Apache mod_include, Nginx http_si_module, or custom SSI parser | | Fallback | If camera is unavailable or browser unsupported, fallback to alternative MFA (TOTP, etc.) |

    | Risk | Mitigation | |------|-------------| | SSI injection | Disable #exec; validate all user input before including | | Stale verified image | Enforce max-age of 1–2 seconds; require live timestamp | | Man-in-the-middle | Use HTTPS with HSTS; verify camera-to-server connection | | Camera spoofing | Use hardware-based keys (TPM, Secure Element) for signing | | Unauthorized access | Authenticate users before serving .shtml; use X-Frame-Options | POST /verify-camera Request body:

    curl -I http://camera/axis-cgi/mjpg/video.cgi