feat: enhance security headers and optimize asset loading for improved performance and user experience

This commit is contained in:
Ümit Tunç
2026-05-21 22:00:58 +03:00
parent 6d9ffc808b
commit ddf9640222
6 changed files with 70 additions and 46 deletions
@@ -41,11 +41,14 @@ class EnsureSecurityHeaders
// For general sites: geolocation=(), microphone=(), camera=() is often safe.
$response->headers->set('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
// Cross-Origin-Opener-Policy: isolate browsing context from cross-origin documents
$response->headers->set('Cross-Origin-Opener-Policy', 'same-origin');
// Content-Security-Policy (CSP) - Start with upgrade-insecure-requests to force HTTPS assets
// A full CSP can be tricky and break scripts. 'upgrade-insecure-requests' is safe and good for mixed content.
// We can add 'frame-ancestors' here too if X-Frame-Options is ignored by some.
// If the user wants A+, a basic CSP is often enough.
$csp = "upgrade-insecure-requests; block-all-mixed-content;";
$csp = "upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'self';";
$response->headers->set('Content-Security-Policy', $csp);
return $response;