jonnybarnes.uk/app/Http/Middleware/CSPHeader.php
Jonny Barnes f35e2b4f15 Add the CSP headers
Squashed commit of the following:

commit 468945826621d2e586f7e5fa773623c4accc316a
Author: Jonny Barnes <jonny@jonnybarnes.uk>
Date:   Fri Mar 2 16:42:30 2018 +0000

    Update changelog

commit 36c6edce091c41861879a982e6ad250b395abbcf
Author: Jonny Barnes <jonny@jonnybarnes.uk>
Date:   Fri Mar 2 16:42:23 2018 +0000

    Add a test

commit ef9d7b564f8ea4f4528c42f411c14ddfaa132082
Author: Jonny Barnes <jonny@jonnybarnes.uk>
Date:   Fri Mar 2 16:42:13 2018 +0000

    Apply the CSPHeader middleware to all `web` requests

commit 737bfca3a6b446d52c0d0a8cc1b7b1c422876c0b
Author: Jonny Barnes <jonny@jonnybarnes.uk>
Date:   Fri Mar 2 16:41:45 2018 +0000

    Add a CSP header to a response, as well as the Report-To header
2018-03-02 16:46:45 +00:00


<?php
namespace App\Http\Middleware;
use Closure;
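class CSPHeader
{
    /** Endpoint that receives CSP violation reports; used by both `report-uri` and `Report-To`. */
    private const REPORT_URL = 'https://jonnybarnes.report-uri.io/r/default/csp/enforce';

    /** Reporting API group name; the `report-to` directive must name the same group as the `Report-To` header. */
    private const REPORT_GROUP = 'csp-endpoint';

    /** How long, in seconds, browsers may cache the `Report-To` endpoint configuration. */
    private const REPORT_MAX_AGE = 10886400;

    /**
     * Handle an incoming request.
     *
     * Lets the rest of the stack build the response, then attaches a
     * `Content-Security-Policy` header and the matching `Report-To` header.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed the response returned by `$next`, with both headers set
     */
    public function handle($request, Closure $next)
    {
        return $next($request)
            ->header('Content-Security-Policy', $this->contentSecurityPolicy())
            ->header('Report-To', $this->reportTo());
    }

    /**
     * Build the single-line Content-Security-Policy value.
     *
     * Headers have to be single-line strings, so the directives are kept as a
     * list and joined with "; " here. Joining (rather than hand-concatenating)
     * guarantees every directive is separated the same way; the previous
     * string had no space between `report-to` and `report-uri`.
     *
     * @return string
     */
    private function contentSecurityPolicy(): string
    {
        $directives = [
            "default-src 'self'",
            // NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src give
            // up most of the XSS protection a CSP offers; moving inline scripts
            // to nonces/hashes would allow both keywords to be removed.
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://api.mapbox.com https://analytics.jmb.lv blob:",
            "style-src 'self' 'unsafe-inline' https://api.mapbox.com https://fonts.googleapis.com use.typekit.net p.typekit.net",
            "img-src 'self' data: blob: https://pbs.twimg.com https://api.mapbox.com https://*.tiles.mapbox.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com analytics.jmb.lv https://*.4sqi.net https://upload.wikimedia.org p.typekit.net",
            "font-src 'self' https://fonts.gstatic.com use.typekit.net fonts.typekit.net",
            "connect-src 'self' https://api.mapbox.com https://*.tiles.mapbox.com performance.typekit.net data: blob:",
            "worker-src 'self' blob:",
            "frame-src 'self' https://www.youtube.com blob:",
            "child-src 'self' blob:",
            'upgrade-insecure-requests',
            'block-all-mixed-content',
            // Both reporting directives point at the same collector: `report-to`
            // for browsers that support the Reporting API, `report-uri` as the
            // legacy fallback.
            'report-to ' . self::REPORT_GROUP,
            'report-uri ' . self::REPORT_URL,
        ];

        return implode('; ', $directives) . ';';
    }

    /**
     * Build the Report-To header value.
     *
     * The Reporting API expects real JSON (double-quoted keys and strings)
     * with the endpoint list nested under "endpoints" and the lifetime under
     * "max_age"; the previous hand-written string used single quotes, a
     * top-level "url" and "max-age", so browsers could not parse it and the
     * `report-to` directive was effectively dead.
     *
     * @return string
     */
    private function reportTo(): string
    {
        return json_encode([
            'group' => self::REPORT_GROUP,
            'max_age' => self::REPORT_MAX_AGE,
            'endpoints' => [
                ['url' => self::REPORT_URL],
            ],
        ], JSON_UNESCAPED_SLASHES);
    }
}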