47 lines
1.6 KiB
PHP
47 lines
1.6 KiB
PHP
<?php
|
|
|
|
namespace App\Middleware;
|
|
|
|
use App\Core\Request;
|
|
use App\Core\Response;
|
|
|
|
class SecurityHeaders implements MiddlewareInterface
|
|
{
|
|
/**
|
|
* Add security-hardening headers to the response.
|
|
*/
|
|
public function handle(Request $request, Response $response, callable $next): void
|
|
{
|
|
// Enforce frame options to avoid clickjacking
|
|
$response->header('X-Frame-Options', 'SAMEORIGIN');
|
|
|
|
// Prevent MIME type sniffing
|
|
$response->header('X-Content-Type-Options', 'nosniff');
|
|
|
|
// Referrer policy
|
|
$response->header('Referrer-Policy', 'no-referrer-when-downgrade');
|
|
|
|
// Cross-Site Scripting protection
|
|
$response->header('X-XSS-Protection', '1; mode=block');
|
|
|
|
// HTTP Strict Transport Security (HSTS) - force HTTPS
|
|
$response->header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
|
|
|
|
// Content Security Policy (CSP)
|
|
// Allow scripts from self, google fonts, CDN js, styles from self/fonts
|
|
$csp = "default-src 'self'; " .
|
|
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; " .
|
|
"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; " .
|
|
"font-src 'self' https://fonts.gstatic.com; " .
|
|
"img-src 'self' data: https:; " .
|
|
"connect-src 'self'; " .
|
|
"frame-ancestors 'none'; " .
|
|
"base-uri 'self'; " .
|
|
"form-action 'self';";
|
|
|
|
$response->header('Content-Security-Policy', $csp);
|
|
|
|
$next();
|
|
}
|
|
}
|