soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

implemented a lot of security measures

Browse Source
This commit is contained in:
Codex Agent
2025-12-09 20:29:32 +01:00
parent 4bdb93c171
commit 928d28fcaf
21 changed files with 953 additions and 134 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
app/Http/Middleware/ContentSecurityPolicy.php
View File

@@ -13,7 +13,7 @@ class ContentSecurityPolicy
public function handle(Request $request, Closure $next): Response
{
$scriptNonce = base64_encode(random_bytes(16));
$styleNonce = null;
$styleNonce = base64_encode(random_bytes(16));
$request->attributes->set('csp_script_nonce', $scriptNonce);
$request->attributes->set('csp_style_nonce', $styleNonce);
@@ -45,7 +45,7 @@ class ContentSecurityPolicy
$styleSources = [
"'self'",
"'unsafe-inline'",
"'nonce-{$styleNonce}'",
'https:',
];
@@ -97,7 +97,9 @@ class ContentSecurityPolicy
$imgSources[] = $matomoOrigin;
}
if (app()->environment(['local', 'development']) || config('app.debug')) {
$isDev = app()->environment(['local', 'development']) || config('app.debug');
if ($isDev) {
$devHosts = [
'http://fotospiel-app.test:5173',
'http://127.0.0.1:5173',
@@ -134,6 +136,7 @@ class ContentSecurityPolicy
'form-action' => ["'self'"],
'base-uri' => ["'self'"],
'object-src' => ["'none'"],
'frame-ancestors' => ["'self'"],
];
$csp = collect($directives)