jared
2e450dc01d
P1-A: Fix CSP - add fonts.googleapis.com to style-src, fonts.gstatic.com to font-src
P1-B: CSRF token rotation - add rotateToken() to CsrfMiddleware; bootstrap.php rotates
after successful validation and stores in $GLOBALS['_new_csrf_token']; add
apiRespond() helper to append token to responses; lt.api interceptor in
layout_footer.php auto-updates window.CSRF_TOKEN from responses
P1-C: Styled 403/404 error views with TDS layout instead of raw text; index.php now
uses requireAdmin() helper eliminating 7 duplicated guard blocks (P3-D)
P2-A: Remove duplicate JS-generated keyboard help modal from keyboard-shortcuts.js;
'?' key now routes to static #lt-keys-help modal in footer
P2-B: Asset versioning driven by config ASSET_VERSION key; base.css and base.js get
?v= cache-busting in layout_header.php
P2-C: Add data-theme="dark" to <html> tag to prevent FOUC on light-mode users
P2-E: Escape status value in dashboard.js hover preview class attribute via lt.escHtml()
P2-F: Replace bespoke showLoadingOverlay() with lt-spinner / lt-loading-text from
base.css; add .lt-loading-overlay wrapper CSS to dashboard.css
P2-G: Add keyboard-shortcuts.js to all 7 admin views so J/K nav and ? help work
P3-A: APP_NAME, APP_SUBTITLE, APP_VERSION driven from config.php; layout header/footer
use config values instead of hardcoded strings
P3-G: Replace custom initTableSorting() with lt.sortTable.init() which manages aria-sort
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
49 lines
1.7 KiB
PHP
49 lines
1.7 KiB
PHP
<?php
|
|
/**
|
|
* Security Headers Middleware
|
|
*
|
|
* Applies security-related HTTP headers to all responses.
|
|
*/
|
|
class SecurityHeadersMiddleware {
|
|
private static ?string $nonce = null;
|
|
|
|
/**
|
|
* Generate or retrieve the CSP nonce for this request
|
|
*
|
|
* @return string The nonce value
|
|
*/
|
|
public static function getNonce(): string {
|
|
if (self::$nonce === null) {
|
|
self::$nonce = base64_encode(random_bytes(16));
|
|
}
|
|
return self::$nonce;
|
|
}
|
|
|
|
/**
|
|
* Apply security headers to the response
|
|
*/
|
|
public static function apply(): void {
|
|
$nonce = self::getNonce();
|
|
|
|
// Content Security Policy - restricts where resources can be loaded from
|
|
// Using nonces for scripts to prevent XSS attacks while allowing inline scripts with valid nonces
|
|
// All inline event handlers have been refactored to use addEventListener with data-action attributes
|
|
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; connect-src 'self';");
|
|
|
|
// Prevent clickjacking by disallowing framing
|
|
header("X-Frame-Options: DENY");
|
|
|
|
// Prevent MIME type sniffing
|
|
header("X-Content-Type-Options: nosniff");
|
|
|
|
// Enable XSS filtering in older browsers
|
|
header("X-XSS-Protection: 1; mode=block");
|
|
|
|
// Control referrer information sent with requests
|
|
header("Referrer-Policy: strict-origin-when-cross-origin");
|
|
|
|
// Permissions Policy - disable unnecessary browser features
|
|
header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
|
|
}
|
|
}
|