middleware/SecurityHeadersMiddleware.php

<?php
/**
 * Security Headers Middleware
 *
 * Applies security-related HTTP headers to all responses.
 */
class SecurityHeadersMiddleware {
    private static ?string $nonce = null;

    /**
     * Generate or retrieve the CSP nonce for this request
     *
     * @return string The nonce value
     */
    public static function getNonce(): string {
        if (self::$nonce === null) {
            self::$nonce = base64_encode(random_bytes(16));
        }
        return self::$nonce;
    }

    /**
     * Apply security headers to the response
     */
    public static function apply(): void {
        $nonce = self::getNonce();

        // Content Security Policy - restricts where resources can be loaded from
        // Using nonces for scripts to prevent XSS attacks while allowing inline scripts with valid nonces
        // All inline event handlers have been refactored to use addEventListener with data-action attributes
        header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");

        // Prevent clickjacking by disallowing framing
        header("X-Frame-Options: DENY");

        // Prevent MIME type sniffing
        header("X-Content-Type-Options: nosniff");

        // Enable XSS filtering in older browsers
        header("X-XSS-Protection: 1; mode=block");

        // Control referrer information sent with requests
        header("Referrer-Policy: strict-origin-when-cross-origin");

        // Permissions Policy - disable unnecessary browser features
        header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
    }
}
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`<?php`
			`/**`
			`* Security Headers Middleware`
			`*`
			`* Applies security-related HTTP headers to all responses.`
			`*/`
			`class SecurityHeadersMiddleware {`
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 11:04:36 -05:00			`private static ?string $nonce = null;`
Security hardening and performance improvements - Add visibility check to attachment downloads (prevents unauthorized access) - Fix ticket ID collision with uniqueness verification loop - Harden CSP: replace unsafe-inline with nonce-based script execution - Add IP-based rate limiting (supplements session-based) - Add visibility checks to bulk operations - Validate internal visibility requires groups - Optimize user activity query (JOINs vs subqueries) - Update documentation with design decisions and security info Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 20:27:15 -05:00
			`/**`
			`* Generate or retrieve the CSP nonce for this request`
			`*`
			`* @return string The nonce value`
			`*/`
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 11:04:36 -05:00			`public static function getNonce(): string {`
Security hardening and performance improvements - Add visibility check to attachment downloads (prevents unauthorized access) - Fix ticket ID collision with uniqueness verification loop - Harden CSP: replace unsafe-inline with nonce-based script execution - Add IP-based rate limiting (supplements session-based) - Add visibility checks to bulk operations - Validate internal visibility requires groups - Optimize user activity query (JOINs vs subqueries) - Update documentation with design decisions and security info Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 20:27:15 -05:00			`if (self::$nonce === null) {`
			`self::$nonce = base64_encode(random_bytes(16));`
			`}`
			`return self::$nonce;`
			`}`

Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`/**`
			`* Apply security headers to the response`
			`*/`
Add PHP 7.4+ type hints to helpers, models, and middleware Added strict typing with parameter types, return types, and property types across all core classes: - helpers: Database, ErrorHandler, CacheHelper - models: TicketModel, UserModel, WorkflowModel, TemplateModel, UserPreferencesModel - middleware: RateLimitMiddleware, CsrfMiddleware, SecurityHeadersMiddleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-29 11:04:36 -05:00			`public static function apply(): void {`
Security hardening and performance improvements - Add visibility check to attachment downloads (prevents unauthorized access) - Fix ticket ID collision with uniqueness verification loop - Harden CSP: replace unsafe-inline with nonce-based script execution - Add IP-based rate limiting (supplements session-based) - Add visibility checks to bulk operations - Validate internal visibility requires groups - Optimize user activity query (JOINs vs subqueries) - Update documentation with design decisions and security info Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-28 20:27:15 -05:00			`$nonce = self::getNonce();`

Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`// Content Security Policy - restricts where resources can be loaded from`
Harden CSP by removing unsafe-inline for scripts Refactored all inline event handlers (onclick, onchange, onsubmit) to use addEventListener with data-action attributes and event delegation pattern. Changes: - views/.php: Replaced inline handlers with data-action attributes - views/admin/.php: Same refactoring for all admin views - assets/js/dashboard.js: Added event delegation for bulk/quick action modals - assets/js/ticket.js: Added event delegation for dynamic elements - assets/js/markdown.js: Refactored toolbar button handlers - assets/js/keyboard-shortcuts.js: Refactored modal close button - SecurityHeadersMiddleware.php: Enabled strict CSP with nonces The CSP now uses script-src 'self' 'nonce-{nonce}' instead of 'unsafe-inline', significantly improving XSS protection. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 13:15:55 -05:00			`// Using nonces for scripts to prevent XSS attacks while allowing inline scripts with valid nonces`
			`// All inline event handlers have been refactored to use addEventListener with data-action attributes`
			`header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");`
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00
			`// Prevent clickjacking by disallowing framing`
			`header("X-Frame-Options: DENY");`

			`// Prevent MIME type sniffing`
			`header("X-Content-Type-Options: nosniff");`

			`// Enable XSS filtering in older browsers`
			`header("X-XSS-Protection: 1; mode=block");`

			`// Control referrer information sent with requests`
			`header("Referrer-Policy: strict-origin-when-cross-origin");`

			`// Permissions Policy - disable unnecessary browser features`
			`header("Permissions-Policy: geolocation=(), microphone=(), camera=()");`
			`}`
			`}`