Complete Phase 1: MVC, DB migrations, Auth, RBAC, Security, and Views

app/Middleware/SecurityHeaders.php

@@ -0,0 +1,46 @@
+<?php
+
+namespace App\Middleware;
+
+use App\Core\Request;
+use App\Core\Response;
+
+class SecurityHeaders implements MiddlewareInterface
+{
+    /**
+     * Add security-hardening headers to the response.
+     */
+    public function handle(Request $request, Response $response, callable $next): void
+    {
+        // Enforce frame options to avoid clickjacking
+        $response->header('X-Frame-Options', 'SAMEORIGIN');
+
+        // Prevent MIME type sniffing
+        $response->header('X-Content-Type-Options', 'nosniff');
+
+        // Referrer policy
+        $response->header('Referrer-Policy', 'no-referrer-when-downgrade');
+
+        // Cross-Site Scripting protection
+        $response->header('X-XSS-Protection', '1; mode=block');
+
+        // HTTP Strict Transport Security (HSTS) - force HTTPS
+        $response->header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
+
+        // Content Security Policy (CSP)
+        // Allow scripts from self, google fonts, CDN js, styles from self/fonts
+        $csp = "default-src 'self'; " .
+               "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; " .
+               "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; " .
+               "font-src 'self' https://fonts.gstatic.com; " .
+               "img-src 'self' data: https:; " .
+               "connect-src 'self'; " .
+               "frame-ancestors 'none'; " .
+               "base-uri 'self'; " .
+               "form-action 'self';";
+               
+        $response->header('Content-Security-Policy', $csp);
+
+        $next();
+    }
+}