Jared Vititoe
55209e0b05
- Refactored TicketView.php to use event listeners instead of onclick - Added unsafe-inline to CSP as fallback for legacy handlers in other views - TODO: Complete refactoring of DashboardView and admin views Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
50 lines
1.7 KiB
PHP
50 lines
1.7 KiB
PHP
<?php
|
|
/**
|
|
* Security Headers Middleware
|
|
*
|
|
* Applies security-related HTTP headers to all responses.
|
|
*/
|
|
class SecurityHeadersMiddleware {
|
|
private static $nonce = null;
|
|
|
|
/**
|
|
* Generate or retrieve the CSP nonce for this request
|
|
*
|
|
* @return string The nonce value
|
|
*/
|
|
public static function getNonce() {
|
|
if (self::$nonce === null) {
|
|
self::$nonce = base64_encode(random_bytes(16));
|
|
}
|
|
return self::$nonce;
|
|
}
|
|
|
|
/**
|
|
* Apply security headers to the response
|
|
*/
|
|
public static function apply() {
|
|
$nonce = self::getNonce();
|
|
|
|
// Content Security Policy - restricts where resources can be loaded from
|
|
// Nonces are used for <script> tags, but 'unsafe-inline' is needed for legacy onclick handlers
|
|
// TODO: Refactor all inline event handlers (onclick, etc.) to use addEventListener,
|
|
// then remove 'unsafe-inline' from script-src for full CSP protection
|
|
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");
|
|
|
|
// Prevent clickjacking by disallowing framing
|
|
header("X-Frame-Options: DENY");
|
|
|
|
// Prevent MIME type sniffing
|
|
header("X-Content-Type-Options: nosniff");
|
|
|
|
// Enable XSS filtering in older browsers
|
|
header("X-XSS-Protection: 1; mode=block");
|
|
|
|
// Control referrer information sent with requests
|
|
header("Referrer-Policy: strict-origin-when-cross-origin");
|
|
|
|
// Permissions Policy - disable unnecessary browser features
|
|
header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
|
|
}
|
|
}
|