Files
laravel-gost-template/app/Http/Middleware/SecurityHeaders.php
2026-06-24 17:20:43 +09:00

44 lines
1.6 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
/**
* Установка заголовков безопасности HTTP-ответа.
*
* Меры ФСТЭК: ЗИС (защита информационной системы), защита от XSS/clickjacking.
* HSTS добавляется только для HTTPS-запросов (ИАФ.5, ЗИС.9).
*/
class SecurityHeaders
{
public function handle(Request $request, Closure $next): Response
{
$response = $next($request);
$response->headers->set('X-Frame-Options', 'DENY');
$response->headers->set('X-Content-Type-Options', 'nosniff');
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
$response->headers->set('Permissions-Policy', 'geolocation=(), camera=(), microphone=()');
$response->headers->set('Content-Security-Policy', (string) config('security.headers.csp'));
$response->headers->set('X-Permitted-Cross-Domain-Policies', 'none');
$response->headers->set('Cross-Origin-Opener-Policy', 'same-origin');
// Не раскрываем используемое ПО (ОДТ/ЗИС).
$response->headers->remove('X-Powered-By');
$response->headers->remove('Server');
if ($request->isSecure()) {
$maxAge = (int) config('security.headers.hsts_max_age');
$response->headers->set(
'Strict-Transport-Security',
"max-age={$maxAge}; includeSubDomains; preload"
);
}
return $response;
}
}