headers->set('X-Frame-Options', 'DENY'); $response->headers->set('X-Content-Type-Options', 'nosniff'); $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin'); $response->headers->set('Permissions-Policy', 'geolocation=(), camera=(), microphone=()'); $response->headers->set('Content-Security-Policy', (string) config('security.headers.csp')); $response->headers->set('X-Permitted-Cross-Domain-Policies', 'none'); $response->headers->set('Cross-Origin-Opener-Policy', 'same-origin'); // Не раскрываем используемое ПО (ОДТ/ЗИС). $response->headers->remove('X-Powered-By'); $response->headers->remove('Server'); if ($request->isSecure()) { $maxAge = (int) config('security.headers.hsts_max_age'); $response->headers->set( 'Strict-Transport-Security', "max-age={$maxAge}; includeSubDomains; preload" ); } return $response; } }