first commit

This commit is contained in:
brusnitsyn
2026-06-24 17:20:43 +09:00
commit 43499acf1c
165 changed files with 25929 additions and 0 deletions

View File

@@ -0,0 +1,43 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
/**
* Установка заголовков безопасности HTTP-ответа.
*
* Меры ФСТЭК: ЗИС (защита информационной системы), защита от XSS/clickjacking.
* HSTS добавляется только для HTTPS-запросов (ИАФ.5, ЗИС.9).
*/
class SecurityHeaders
{
public function handle(Request $request, Closure $next): Response
{
$response = $next($request);
$response->headers->set('X-Frame-Options', 'DENY');
$response->headers->set('X-Content-Type-Options', 'nosniff');
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
$response->headers->set('Permissions-Policy', 'geolocation=(), camera=(), microphone=()');
$response->headers->set('Content-Security-Policy', (string) config('security.headers.csp'));
$response->headers->set('X-Permitted-Cross-Domain-Policies', 'none');
$response->headers->set('Cross-Origin-Opener-Policy', 'same-origin');
// Не раскрываем используемое ПО (ОДТ/ЗИС).
$response->headers->remove('X-Powered-By');
$response->headers->remove('Server');
if ($request->isSecure()) {
$maxAge = (int) config('security.headers.hsts_max_age');
$response->headers->set(
'Strict-Transport-Security',
"max-age={$maxAge}; includeSubDomains; preload"
);
}
return $response;
}
}