implemented a lot of security measures

2025-12-09 20:29:32 +01:00
parent 4bdb93c171
commit 928d28fcaf
21 changed files with 953 additions and 134 deletions
--- a/app/Http/Middleware/ResponseSecurityHeaders.php
+++ b/app/Http/Middleware/ResponseSecurityHeaders.php
@@ -0,0 +1,38 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class ResponseSecurityHeaders
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /** @var Response $response */
+        $response = $next($request);
+
+        $headers = [
+            'Referrer-Policy' => 'strict-origin-when-cross-origin',
+            'X-Content-Type-Options' => 'nosniff',
+            'X-Frame-Options' => 'SAMEORIGIN',
+            'Permissions-Policy' => 'camera=(), microphone=(), geolocation=()',
+        ];
+
+        foreach ($headers as $name => $value) {
+            if (! $response->headers->has($name)) {
+                $response->headers->set($name, $value);
+            }
+        }
+
+        if ($request->isSecure() && ! app()->environment(['local', 'testing'])) {
+            $hsts = 'max-age=31536000; includeSubDomains';
+            if (! $response->headers->has('Strict-Transport-Security')) {
+                $response->headers->set('Strict-Transport-Security', $hsts);
+            }
+        }
+
+        return $response;
+    }
+}