LotusGuild/tinker_tickets
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
674a427edb7fe3c048d98b4e2cc04efcd60c4d87
tinker_tickets/middleware/SecurityHeadersMiddleware.php
Jared Vititoe fa40010287 Security hardening and performance improvements 
- Add visibility check to attachment downloads (prevents unauthorized access)
- Fix ticket ID collision with uniqueness verification loop
- Harden CSP: replace unsafe-inline with nonce-based script execution
- Add IP-based rate limiting (supplements session-based)
- Add visibility checks to bulk operations
- Validate internal visibility requires groups
- Optimize user activity query (JOINs vs subqueries)
- Update documentation with design decisions and security info

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-28 20:27:15 -05:00

48 lines
1.5 KiB
PHP
Raw Blame History

<?php
/**
* Security Headers Middleware
*
* Applies security-related HTTP headers to all responses.
*/
class SecurityHeadersMiddleware {
private static $nonce = null;
/**
* Generate or retrieve the CSP nonce for this request
*
* @return string The nonce value
*/
public static function getNonce() {
if (self::$nonce === null) {
self::$nonce = base64_encode(random_bytes(16));
}
return self::$nonce;
}
/**
* Apply security headers to the response
*/
public static function apply() {
$nonce = self::getNonce();
// Content Security Policy - restricts where resources can be loaded from
// Using nonce for inline scripts instead of unsafe-inline for better security
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';");
// Prevent clickjacking by disallowing framing
header("X-Frame-Options: DENY");
// Prevent MIME type sniffing
header("X-Content-Type-Options: nosniff");
// Enable XSS filtering in older browsers
header("X-XSS-Protection: 1; mode=block");
// Control referrer information sent with requests
header("Referrer-Policy: strict-origin-when-cross-origin");
// Permissions Policy - disable unnecessary browser features
header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
}
}
Reference in New Issue View Git Blame Copy Permalink