tinker_tickets/middleware/SecurityHeadersMiddleware.php

<?php
/**
 * Security Headers Middleware
 *
 * Applies security-related HTTP headers to all responses.
 */
class SecurityHeadersMiddleware {
    private static ?string $nonce = null;

    /**
     * Generate or retrieve the CSP nonce for this request
     *
     * @return string The nonce value
     */
    public static function getNonce(): string {
        if (self::$nonce === null) {
            self::$nonce = base64_encode(random_bytes(16));
        }
        return self::$nonce;
    }

    /**
     * Apply security headers to the response
     */
    public static function apply(): void {
        $nonce = self::getNonce();

        // Content Security Policy - restricts where resources can be loaded from
        // Using nonces for scripts to prevent XSS attacks while allowing inline scripts with valid nonces
        // All inline event handlers have been refactored to use addEventListener with data-action attributes
        header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://cdn.jsdelivr.net;");

        // Prevent clickjacking by disallowing framing
        header("X-Frame-Options: DENY");

        // Prevent MIME type sniffing
        header("X-Content-Type-Options: nosniff");

        // Enable XSS filtering in older browsers
        header("X-XSS-Protection: 1; mode=block");

        // Control referrer information sent with requests
        header("Referrer-Policy: strict-origin-when-cross-origin");

        // Permissions Policy - disable unnecessary browser features
        header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
    }
}