header('X-Frame-Options', 'SAMEORIGIN'); // Prevent MIME type sniffing $response->header('X-Content-Type-Options', 'nosniff'); // Referrer policy $response->header('Referrer-Policy', 'no-referrer-when-downgrade'); // Cross-Site Scripting protection $response->header('X-XSS-Protection', '1; mode=block'); // HTTP Strict Transport Security (HSTS) - force HTTPS $response->header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload'); // Content Security Policy (CSP) // Allow scripts from self, google fonts, CDN js, styles from self/fonts $csp = "default-src 'self'; " . "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; " . "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; " . "font-src 'self' https://fonts.gstatic.com; " . "img-src 'self' data: https:; " . "connect-src 'self'; " . "frame-ancestors 'none'; " . "base-uri 'self'; " . "form-action 'self';"; $response->header('Content-Security-Policy', $csp); $next(); } }