53 lines
1.8 KiB
PHP
53 lines
1.8 KiB
PHP
<?php
|
|
|
|
/**
|
|
* Security Headers Middleware
|
|
*
|
|
* Applies security-related HTTP headers to all responses.
|
|
*/
|
|
class SecurityHeadersMiddleware
|
|
{
|
|
private static ?string $nonce = null;
|
|
|
|
/**
|
|
* Generate or retrieve the CSP nonce for this request
|
|
*
|
|
* @return string The nonce value
|
|
*/
|
|
public static function getNonce(): string
|
|
{
|
|
if (self::$nonce === null) {
|
|
self::$nonce = base64_encode(random_bytes(16));
|
|
}
|
|
return self::$nonce;
|
|
}
|
|
|
|
/**
|
|
* Apply security headers to the response
|
|
*/
|
|
public static function apply(): void
|
|
{
|
|
$nonce = self::getNonce();
|
|
|
|
// Content Security Policy - restricts where resources can be loaded from
|
|
// Using nonces for scripts to prevent XSS attacks while allowing inline scripts with valid nonces
|
|
// All inline event handlers have been refactored to use addEventListener with data-action attributes
|
|
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://cdn.jsdelivr.net;");
|
|
|
|
// Prevent clickjacking by disallowing framing
|
|
header("X-Frame-Options: DENY");
|
|
|
|
// Prevent MIME type sniffing
|
|
header("X-Content-Type-Options: nosniff");
|
|
|
|
// Enable XSS filtering in older browsers
|
|
header("X-XSS-Protection: 1; mode=block");
|
|
|
|
// Control referrer information sent with requests
|
|
header("Referrer-Policy: strict-origin-when-cross-origin");
|
|
|
|
// Permissions Policy - disable unnecessary browser features
|
|
header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
|
|
}
|
|
}
|