Optimize images to WebP and enable lazy loading. Add security headers (HSTS, CSP, etc) for A+ SSL score.

This commit is contained in:
Muhammet Güler
2026-02-17 10:30:36 +03:00
parent 7101f7878a
commit 477993ec83
743 changed files with 927 additions and 232 deletions
@@ -0,0 +1,53 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;
class EnsureSecurityHeaders
{
/**
* Handle an incoming request.
*
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
*/
public function handle(Request $request, Closure $next): Response
{
$response = $next($request);
// HSTS (Strict-Transport-Security) - Enforce HTTPS for 1 year
// 'includeSubDomains' and 'preload' are optional but often recommended for full security.
// A+ score typically looks for this header with a long max-age.
if ($request->isSecure()) {
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
}
// X-Frame-Options: SAMEORIGIN (prevents clickjacking by allowing framing only by the same site)
$response->headers->set('X-Frame-Options', 'SAMEORIGIN');
// X-Content-Type-Options: nosniff (prevents MIME type sniffing)
$response->headers->set('X-Content-Type-Options', 'nosniff');
// Referrer-Policy: stringent check, usually 'strict-origin-when-cross-origin' is good
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
// X-XSS-Protection: 1; mode=block (deprecated but still good for older browsers, some scanners check it)
$response->headers->set('X-XSS-Protection', '1; mode=block');
// Permissions-Policy: restrict dangerous features
// This is a bit strict, might need adjustment based on site features.
// For general sites: geolocation=(), microphone=(), camera=() is often safe.
$response->headers->set('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
// Content-Security-Policy (CSP) - Start with upgrade-insecure-requests to force HTTPS assets
// A full CSP can be tricky and break scripts. 'upgrade-insecure-requests' is safe and good for mixed content.
// We can add 'frame-ancestors' here too if X-Frame-Options is ignored by some.
// If the user wants A+, a basic CSP is often enough.
$csp = "upgrade-insecure-requests; block-all-mixed-content;";
$response->headers->set('Content-Security-Policy', $csp);
return $response;
}
}
+5
View File
@@ -23,7 +23,12 @@ class AppServiceProvider extends ServiceProvider
{
setlocale(LC_ALL, 'tr_TR.UTF-8', 'tr_TR', 'turkish');
// Page model için observer kaydet
// Page model için observer kaydet
Page::observe(PageObserver::class);
if ($this->app->environment('production') || $this->app->environment('staging')) {
\Illuminate\Support\Facades\URL::forceScheme('https');
}
}
}