first commit
This commit is contained in:
43
app/Http/Middleware/SecurityHeaders.php
Normal file
43
app/Http/Middleware/SecurityHeaders.php
Normal file
@@ -0,0 +1,43 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
/**
|
||||
* Установка заголовков безопасности HTTP-ответа.
|
||||
*
|
||||
* Меры ФСТЭК: ЗИС (защита информационной системы), защита от XSS/clickjacking.
|
||||
* HSTS добавляется только для HTTPS-запросов (ИАФ.5, ЗИС.9).
|
||||
*/
|
||||
class SecurityHeaders
|
||||
{
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
$response = $next($request);
|
||||
|
||||
$response->headers->set('X-Frame-Options', 'DENY');
|
||||
$response->headers->set('X-Content-Type-Options', 'nosniff');
|
||||
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
|
||||
$response->headers->set('Permissions-Policy', 'geolocation=(), camera=(), microphone=()');
|
||||
$response->headers->set('Content-Security-Policy', (string) config('security.headers.csp'));
|
||||
$response->headers->set('X-Permitted-Cross-Domain-Policies', 'none');
|
||||
$response->headers->set('Cross-Origin-Opener-Policy', 'same-origin');
|
||||
|
||||
// Не раскрываем используемое ПО (ОДТ/ЗИС).
|
||||
$response->headers->remove('X-Powered-By');
|
||||
$response->headers->remove('Server');
|
||||
|
||||
if ($request->isSecure()) {
|
||||
$maxAge = (int) config('security.headers.hsts_max_age');
|
||||
$response->headers->set(
|
||||
'Strict-Transport-Security',
|
||||
"max-age={$maxAge}; includeSubDomains; preload"
|
||||
);
|
||||
}
|
||||
|
||||
return $response;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user