31 lines
1.1 KiB
PHP
31 lines
1.1 KiB
PHP
|
<?php
|
||
|
|
/**
|
||
|
|
* Security Headers Middleware
|
||
|
|
*
|
||
|
|
* Applies security-related HTTP headers to all responses.
|
||
|
|
*/
|
||
|
|
class SecurityHeadersMiddleware {
|
||
|
|
/**
|
||
|
|
* Apply security headers to the response
|
||
|
|
*/
|
||
|
|
public static function apply() {
|
||
|
|
// Content Security Policy - restricts where resources can be loaded from
|
||
|
|
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");
|
||
|
|
|
||
|
|
// Prevent clickjacking by disallowing framing
|
||
|
|
header("X-Frame-Options: DENY");
|
||
|
|
|
||
|
|
// Prevent MIME type sniffing
|
||
|
|
header("X-Content-Type-Options: nosniff");
|
||
|
|
|
||
|
|
// Enable XSS filtering in older browsers
|
||
|
|
header("X-XSS-Protection: 1; mode=block");
|
||
|
|
|
||
|
|
// Control referrer information sent with requests
|
||
|
|
header("Referrer-Policy: strict-origin-when-cross-origin");
|
||
|
|
|
||
|
|
// Permissions Policy - disable unnecessary browser features
|
||
|
|
header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
|
||
|
|
}
|
||
|
|
}
|