Optimize images to WebP and enable lazy loading. Add security headers (HSTS, CSP, etc) for A+ SSL score.
This commit is contained in:
@@ -0,0 +1,53 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class EnsureSecurityHeaders
|
||||
{
|
||||
/**
|
||||
* Handle an incoming request.
|
||||
*
|
||||
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
|
||||
*/
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
$response = $next($request);
|
||||
|
||||
// HSTS (Strict-Transport-Security) - Enforce HTTPS for 1 year
|
||||
// 'includeSubDomains' and 'preload' are optional but often recommended for full security.
|
||||
// A+ score typically looks for this header with a long max-age.
|
||||
if ($request->isSecure()) {
|
||||
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
|
||||
}
|
||||
|
||||
// X-Frame-Options: SAMEORIGIN (prevents clickjacking by allowing framing only by the same site)
|
||||
$response->headers->set('X-Frame-Options', 'SAMEORIGIN');
|
||||
|
||||
// X-Content-Type-Options: nosniff (prevents MIME type sniffing)
|
||||
$response->headers->set('X-Content-Type-Options', 'nosniff');
|
||||
|
||||
// Referrer-Policy: stringent check, usually 'strict-origin-when-cross-origin' is good
|
||||
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
|
||||
|
||||
// X-XSS-Protection: 1; mode=block (deprecated but still good for older browsers, some scanners check it)
|
||||
$response->headers->set('X-XSS-Protection', '1; mode=block');
|
||||
|
||||
// Permissions-Policy: restrict dangerous features
|
||||
// This is a bit strict, might need adjustment based on site features.
|
||||
// For general sites: geolocation=(), microphone=(), camera=() is often safe.
|
||||
$response->headers->set('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
|
||||
|
||||
// Content-Security-Policy (CSP) - Start with upgrade-insecure-requests to force HTTPS assets
|
||||
// A full CSP can be tricky and break scripts. 'upgrade-insecure-requests' is safe and good for mixed content.
|
||||
// We can add 'frame-ancestors' here too if X-Frame-Options is ignored by some.
|
||||
// If the user wants A+, a basic CSP is often enough.
|
||||
$csp = "upgrade-insecure-requests; block-all-mixed-content;";
|
||||
$response->headers->set('Content-Security-Policy', $csp);
|
||||
|
||||
return $response;
|
||||
}
|
||||
}
|
||||
@@ -23,7 +23,12 @@ class AppServiceProvider extends ServiceProvider
|
||||
{
|
||||
setlocale(LC_ALL, 'tr_TR.UTF-8', 'tr_TR', 'turkish');
|
||||
|
||||
// Page model için observer kaydet
|
||||
// Page model için observer kaydet
|
||||
Page::observe(PageObserver::class);
|
||||
|
||||
if ($this->app->environment('production') || $this->app->environment('staging')) {
|
||||
\Illuminate\Support\Facades\URL::forceScheme('https');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user