From 5de01628a633a73e307418246f0396b0aa51208c Mon Sep 17 00:00:00 2001
From: James Cole
Date: Sat, 25 Aug 2018 10:49:52 +0200
Subject: [PATCH] Expand secure headers.

---
 app/Http/Middleware/SecureHeaders.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/app/Http/Middleware/SecureHeaders.php b/app/Http/Middleware/SecureHeaders.php
index 9785f71d4a..7616a5119c 100644
--- a/app/Http/Middleware/SecureHeaders.php
+++ b/app/Http/Middleware/SecureHeaders.php
@@ -60,8 +60,28 @@ class SecureHeaders
 "img-src 'self'",
 ];
 
+ $featurePolicies = [
+ "geolocation 'none'",
+ "midi 'none'",
+ "notifications 'none'",
+ "push 'self'",
+ "sync-xhr 'self'",
+ "microphone 'none'",
+ "camera 'none'",
+ "magnetometer 'none'",
+ "gyroscope 'none'",
+ "speaker 'none'",
+ "vibrate 'none'",
+ "fullscreen 'self'",
+ "payment 'none'",
+ ];
+
 $response->header('X-Frame-Options', 'deny');
 $response->header('Content-Security-Policy', implode('; ', $csp));
+ $response->header('X-XSS-Protection', '1; mode=block');
+ $response->header('X-Content-Type-Options', 'nosniff');
+ $response->header('Referrer-Policy', 'no-referrer');
+ $response->header('Feature-Policy', implode('; ', $featurePolicies));
 
 return $response;
 }
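Review bot: The `X-XSS-Protection: 1; mode=block` line added right after the Content-Security-Policy header turns on a browser XSS auditor that has since been removed from Chromium and was shown to be abusable in older engines (selectively blocking scripts, cross-site information leaks), so with a CSP already in place the current OWASP recommendation is to disable it explicitly: `$response->header('X-XSS-Protection', '0');`. The `Feature-Policy` header built from `$featurePolicies` has likewise been superseded by `Permissions-Policy`, whose syntax differs (`geolocation=()` rather than `geolocation 'none'`), and several of the listed feature names (`vibrate`, `speaker`, `notifications`, `push`) were, as far as I can tell, never implemented by shipping browsers and are silently ignored; emitting `$response->header('Permissions-Policy', 'geolocation=(), camera=(), microphone=(), magnetometer=(), gyroscope=(), payment=(), midi=(), sync-xhr=(self), fullscreen=(self)');` alongside the existing header preserves the intent for current browsers. Neither of these changes affects the `X-Content-Type-Options` or `Referrer-Policy` lines, which look correct as written. The method this hunk edits and the `$csp` array it relies on begin before the hunk, so I could not confirm whether `frame-ancestors 'none'` is already present to back the `X-Frame-Options: deny` on the context line.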