middleware/SecurityHeadersMiddleware.php

<?php
/**
 * Security Headers Middleware
 *
 * Applies security-related HTTP headers to all responses.
 */
class SecurityHeadersMiddleware {
    private static $nonce = null;

    /**
     * Generate or retrieve the CSP nonce for this request
     *
     * @return string The nonce value
     */
    public static function getNonce() {
        if (self::$nonce === null) {
            self::$nonce = base64_encode(random_bytes(16));
        }
        return self::$nonce;
    }

    /**
     * Apply security headers to the response
     */
    public static function apply() {
        $nonce = self::getNonce();

        // Content Security Policy - restricts where resources can be loaded from
        // Nonces are used for <script> tags, but 'unsafe-inline' is needed for legacy onclick handlers
        // TODO: Refactor all inline event handlers (onclick, etc.) to use addEventListener,
        //       then remove 'unsafe-inline' from script-src for full CSP protection
        header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");

        // Prevent clickjacking by disallowing framing
        header("X-Frame-Options: DENY");

        // Prevent MIME type sniffing
        header("X-Content-Type-Options: nosniff");

        // Enable XSS filtering in older browsers
        header("X-XSS-Protection: 1; mode=block");

        // Control referrer information sent with requests
        header("Referrer-Policy: strict-origin-when-cross-origin");

        // Permissions Policy - disable unnecessary browser features
        header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
    }
}
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`<?php`
			`/**`
			`* Security Headers Middleware`
			`*`
			`* Applies security-related HTTP headers to all responses.`
			`*/`
			`class SecurityHeadersMiddleware {`
Security hardening and performance improvements 2026-01-28 20:27:15 -05:00			`private static $nonce = null;`

			`/**`
			`* Generate or retrieve the CSP nonce for this request`
			`*`
			`* @return string The nonce value`
			`*/`
			`public static function getNonce() {`
			`if (self::$nonce === null) {`
			`self::$nonce = base64_encode(random_bytes(16));`
			`}`
			`return self::$nonce;`
			`}`

Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`/**`
			`* Apply security headers to the response`
			`*/`
			`public static function apply() {`
Security hardening and performance improvements 2026-01-28 20:27:15 -05:00			`$nonce = self::getNonce();`

Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00			`// Content Security Policy - restricts where resources can be loaded from`
Fix CSP blocking inline handlers - add unsafe-inline fallback 2026-01-29 10:42:09 -05:00			`// Nonces are used for <script> tags, but 'unsafe-inline' is needed for legacy onclick handlers`
			`// TODO: Refactor all inline event handlers (onclick, etc.) to use addEventListener,`
			`// then remove 'unsafe-inline' from script-src for full CSP protection`
			`header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");`
Implement comprehensive improvement plan (Phases 1-6) 2026-01-20 09:55:01 -05:00
			`// Prevent clickjacking by disallowing framing`
			`header("X-Frame-Options: DENY");`

			`// Prevent MIME type sniffing`
			`header("X-Content-Type-Options: nosniff");`

			`// Enable XSS filtering in older browsers`
			`header("X-XSS-Protection: 1; mode=block");`

			`// Control referrer information sent with requests`
			`header("Referrer-Policy: strict-origin-when-cross-origin");`

			`// Permissions Policy - disable unnecessary browser features`
			`header("Permissions-Policy: geolocation=(), microphone=(), camera=()");`
			`}`
			`}`