added various tests for playwright

app/Http/Middleware/EncryptCookies.php

@@ -0,0 +1,17 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Illuminate\Cookie\Middleware\EncryptCookies as Middleware;
+
+class EncryptCookies extends Middleware
+{
+    /**
+     * The names of the cookies that should not be encrypted.
+     *
+     * @var list<string>
+     */
+    protected $except = [
+        'XSRF-TOKEN',
+    ];
+}

app/Http/Middleware/EnsureXsrfCookie.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureXsrfCookie
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /** @var Response $response */
+        $response = $next($request);
+
+        if ($request->isMethod('GET') && ! $request->cookies->has('XSRF-TOKEN')) {
+            $response->headers->setCookie(
+                cookie(
+                    name: 'XSRF-TOKEN',
+                    value: csrf_token(),
+                    minutes: 120,
+                    path: '/',
+                    domain: null,
+                    secure: $request->isSecure(),
+                    httpOnly: false,
+                    raw: false,
+                    sameSite: 'lax'
+                )
+            );
+        }
+
+        return $response;
+    }
+}

app/Http/Middleware/ResponseSecurityHeaders.php

@@ -26,7 +26,9 @@ class ResponseSecurityHeaders
             }
         }
 
-        if ($request->isSecure() && ! app()->environment(['local', 'testing'])) {
+        $forceHsts = (bool) config('security_headers.force_hsts', false);
+
+        if ($forceHsts || ($request->isSecure() && ! app()->environment(['local', 'testing']))) {
             $hsts = 'max-age=31536000; includeSubDomains';
             if (! $response->headers->has('Strict-Transport-Security')) {
                 $response->headers->set('Strict-Transport-Security', $hsts);