implemented a lot of security measures

2025-12-09 20:29:32 +01:00
parent 4bdb93c171
commit 928d28fcaf
21 changed files with 953 additions and 134 deletions
--- a/app/Http/Middleware/ContentSecurityPolicy.php
+++ b/app/Http/Middleware/ContentSecurityPolicy.php
@@ -13,7 +13,7 @@ class ContentSecurityPolicy
    public function handle(Request $request, Closure $next): Response
    {
        $scriptNonce = base64_encode(random_bytes(16));
-        $styleNonce = null;
+        $styleNonce = base64_encode(random_bytes(16));

        $request->attributes->set('csp_script_nonce', $scriptNonce);
        $request->attributes->set('csp_style_nonce', $styleNonce);
@@ -45,7 +45,7 @@ class ContentSecurityPolicy

        $styleSources = [
            "'self'",
-            "'unsafe-inline'",
+            "'nonce-{$styleNonce}'",
            'https:',
        ];

@@ -97,7 +97,9 @@ class ContentSecurityPolicy
            $imgSources[] = $matomoOrigin;
        }

-        if (app()->environment(['local', 'development']) || config('app.debug')) {
+        $isDev = app()->environment(['local', 'development']) || config('app.debug');
+
+        if ($isDev) {
            $devHosts = [
                'http://fotospiel-app.test:5173',
                'http://127.0.0.1:5173',
@@ -134,6 +136,7 @@ class ContentSecurityPolicy
            'form-action' => ["'self'"],
            'base-uri' => ["'self'"],
            'object-src' => ["'none'"],
+            'frame-ancestors' => ["'self'"],
        ];

        $csp = collect($directives)
--- a/app/Http/Middleware/ResponseSecurityHeaders.php
+++ b/app/Http/Middleware/ResponseSecurityHeaders.php
@@ -0,0 +1,38 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class ResponseSecurityHeaders
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /** @var Response $response */
+        $response = $next($request);
+
+        $headers = [
+            'Referrer-Policy' => 'strict-origin-when-cross-origin',
+            'X-Content-Type-Options' => 'nosniff',
+            'X-Frame-Options' => 'SAMEORIGIN',
+            'Permissions-Policy' => 'camera=(), microphone=(), geolocation=()',
+        ];
+
+        foreach ($headers as $name => $value) {
+            if (! $response->headers->has($name)) {
+                $response->headers->set($name, $value);
+            }
+        }
+
+        if ($request->isSecure() && ! app()->environment(['local', 'testing'])) {
+            $hsts = 'max-age=31536000; includeSubDomains';
+            if (! $response->headers->has('Strict-Transport-Security')) {
+                $response->headers->set('Strict-Transport-Security', $hsts);
+            }
+        }
+
+        return $response;
+    }
+}