jonnybarnes.uk/app/Http/Middleware/CSPHeader.php

<?php

namespace App\Http\Middleware;

use Closure;

class CSPHeader
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // headers have to be single-line strings,
        // so we concat multiple lines
        return $next($request)
            ->header(
                'Content-Security-Policy',
                "default-src 'self'; " .
                "script-src 'self' \
'unsafe-inline' \
'unsafe-eval' \
https://api.mapbox.com \
https://analytics.jmb.lv \
blob:; " .
                "style-src 'self' \
'unsafe-inline' \
https://api.mapbox.com \
https://fonts.googleapis.com \
use.typekit.net \
p.typekit.net; " .
                "img-src 'self' \
data: \
blob: \
https://pbs.twimg.com \
https://api.mapbox.com \
https://*.tiles.mapbox.com \
https://jbuk-media.s3-eu-west-1.amazonaws.com \
https://secure.gravatar.com \
https://graph.facebook.com \
*.fbcdn.net \
https://*.cdninstagram.com \
analytics.jmb.lv \
https://*.4sqi.net \
https://upload.wikimedia.org \
p.typekit.net; " .
                "font-src 'self' \
https://fonts.gstatic.com \
use.typekit.net \
fonts.typekit.net; " .
                "connect-src 'self' \
https://api.mapbox.com \
https://*.tiles.mapbox.com \
performance.typekit.net \
data: \
blob:; " .
                "worker-src 'self' blob:; " .
                "frame-src 'self' https://www.youtube.com blob:; " .
                "child-src 'self' blob:; " .
                'upgrade-insecure-requests; ' .
                'block-all-mixed-content; ' .
                'report-to csp-endpoint; ' .
                'report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;'
            )
            ->header(
                'Report-To',
                '{' .
                    "'url': 'https://jonnybarnes.report-uri.io/r/default/csp/enforce', " .
                    "'group': 'csp-endpoint'," .
                    "'max-age': 10886400" .
                '}'
            );
    }
}
Add the CSP headers Squashed commit of the following: commit 468945826621d2e586f7e5fa773623c4accc316a Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:30 2018 +0000 Update changelog commit 36c6edce091c41861879a982e6ad250b395abbcf Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:23 2018 +0000 Add a test commit ef9d7b564f8ea4f4528c42f411c14ddfaa132082 Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:13 2018 +0000 Apply the CSPHeader middleware to all `web` requests commit 737bfca3a6b446d52c0d0a8cc1b7b1c422876c0b Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:41:45 2018 +0000 Add a CSP header to a response, as well as the Report-To header 2018-03-02 16:46:45 +00:00			`<?php`

			`namespace App\Http\Middleware;`

			`use Closure;`

			`class CSPHeader`
			`{`
			`/**`
			`* Handle an incoming request.`
			`*`
			`* @param \Illuminate\Http\Request $request`
			`* @param \Closure $next`
			`* @return mixed`
			`*/`
			`public function handle($request, Closure $next)`
			`{`
			`// headers have to be single-line strings,`
			`// so we concat multiple lines`
			`return $next($request)`
			`->header(`
			`'Content-Security-Policy',`
			`"default-src 'self'; " .`
Shorten some lines to less than 120 chars 2018-03-02 17:47:20 +00:00			`"script-src 'self' \`
			`'unsafe-inline' \`
			`'unsafe-eval' \`
			`https://api.mapbox.com \`
			`https://analytics.jmb.lv \`
			`blob:; " .`
			`"style-src 'self' \`
			`'unsafe-inline' \`
			`https://api.mapbox.com \`
			`https://fonts.googleapis.com \`
			`use.typekit.net \`
			`p.typekit.net; " .`
			`"img-src 'self' \`
			`data: \`
			`blob: \`
			`https://pbs.twimg.com \`
			`https://api.mapbox.com \`
			`https://*.tiles.mapbox.com \`
			`https://jbuk-media.s3-eu-west-1.amazonaws.com \`
			`https://secure.gravatar.com \`
			`https://graph.facebook.com \`
			`*.fbcdn.net \`
			`https://*.cdninstagram.com \`
			`analytics.jmb.lv \`
			`https://*.4sqi.net \`
			`https://upload.wikimedia.org \`
			`p.typekit.net; " .`
			`"font-src 'self' \`
			`https://fonts.gstatic.com \`
			`use.typekit.net \`
			`fonts.typekit.net; " .`
			`"connect-src 'self' \`
			`https://api.mapbox.com \`
			`https://*.tiles.mapbox.com \`
			`performance.typekit.net \`
			`data: \`
			`blob:; " .`
Add the CSP headers Squashed commit of the following: commit 468945826621d2e586f7e5fa773623c4accc316a Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:30 2018 +0000 Update changelog commit 36c6edce091c41861879a982e6ad250b395abbcf Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:23 2018 +0000 Add a test commit ef9d7b564f8ea4f4528c42f411c14ddfaa132082 Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:13 2018 +0000 Apply the CSPHeader middleware to all `web` requests commit 737bfca3a6b446d52c0d0a8cc1b7b1c422876c0b Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:41:45 2018 +0000 Add a CSP header to a response, as well as the Report-To header 2018-03-02 16:46:45 +00:00			`"worker-src 'self' blob:; " .`
			`"frame-src 'self' https://www.youtube.com blob:; " .`
			`"child-src 'self' blob:; " .`
Only use double-quotes when necessary 2018-03-02 17:21:36 +00:00			`'upgrade-insecure-requests; ' .`
			`'block-all-mixed-content; ' .`
			`'report-to csp-endpoint; ' .`
			`'report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;'`
Add the CSP headers Squashed commit of the following: commit 468945826621d2e586f7e5fa773623c4accc316a Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:30 2018 +0000 Update changelog commit 36c6edce091c41861879a982e6ad250b395abbcf Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:23 2018 +0000 Add a test commit ef9d7b564f8ea4f4528c42f411c14ddfaa132082 Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:13 2018 +0000 Apply the CSPHeader middleware to all `web` requests commit 737bfca3a6b446d52c0d0a8cc1b7b1c422876c0b Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:41:45 2018 +0000 Add a CSP header to a response, as well as the Report-To header 2018-03-02 16:46:45 +00:00			`)`
			`->header(`
			`'Report-To',`
Only use double-quotes when necessary 2018-03-02 17:21:36 +00:00			`'{' .`
Add the CSP headers Squashed commit of the following: commit 468945826621d2e586f7e5fa773623c4accc316a Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:30 2018 +0000 Update changelog commit 36c6edce091c41861879a982e6ad250b395abbcf Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:23 2018 +0000 Add a test commit ef9d7b564f8ea4f4528c42f411c14ddfaa132082 Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:13 2018 +0000 Apply the CSPHeader middleware to all `web` requests commit 737bfca3a6b446d52c0d0a8cc1b7b1c422876c0b Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:41:45 2018 +0000 Add a CSP header to a response, as well as the Report-To header 2018-03-02 16:46:45 +00:00			`"'url': 'https://jonnybarnes.report-uri.io/r/default/csp/enforce', " .`
			`"'group': 'csp-endpoint'," .`
			`"'max-age': 10886400" .`
Only use double-quotes when necessary 2018-03-02 17:21:36 +00:00			`'}'`
Add the CSP headers Squashed commit of the following: commit 468945826621d2e586f7e5fa773623c4accc316a Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:30 2018 +0000 Update changelog commit 36c6edce091c41861879a982e6ad250b395abbcf Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:23 2018 +0000 Add a test commit ef9d7b564f8ea4f4528c42f411c14ddfaa132082 Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:13 2018 +0000 Apply the CSPHeader middleware to all `web` requests commit 737bfca3a6b446d52c0d0a8cc1b7b1c422876c0b Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:41:45 2018 +0000 Add a CSP header to a response, as well as the Report-To header 2018-03-02 16:46:45 +00:00			`);`
			`}`
			`}`