feat: enhance security headers and optimize asset loading for improved performance and user experience
This commit is contained in:
@@ -41,11 +41,14 @@ class EnsureSecurityHeaders
|
||||
// For general sites: geolocation=(), microphone=(), camera=() is often safe.
|
||||
$response->headers->set('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
|
||||
|
||||
// Cross-Origin-Opener-Policy: isolate browsing context from cross-origin documents
|
||||
$response->headers->set('Cross-Origin-Opener-Policy', 'same-origin');
|
||||
|
||||
// Content-Security-Policy (CSP) - Start with upgrade-insecure-requests to force HTTPS assets
|
||||
// A full CSP can be tricky and break scripts. 'upgrade-insecure-requests' is safe and good for mixed content.
|
||||
// We can add 'frame-ancestors' here too if X-Frame-Options is ignored by some.
|
||||
// If the user wants A+, a basic CSP is often enough.
|
||||
$csp = "upgrade-insecure-requests; block-all-mixed-content;";
|
||||
$csp = "upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'self';";
|
||||
$response->headers->set('Content-Security-Policy', $csp);
|
||||
|
||||
return $response;
|
||||
|
||||
Reference in New Issue
Block a user