. */ declare(strict_types=1); namespace FireflyIII\Http\Middleware; use Closure; use Illuminate\Http\Request; /** * * Class SecureHeaders */ class SecureHeaders { /** * Handle an incoming request. May not be a limited user (ie. Sandstorm env. or demo user). * * @param \Illuminate\Http\Request $request * @param \Closure $next * @param string|null $guard * * @return mixed */ public function handle(Request $request, Closure $next) { $response = $next($request); $google = ''; $analyticsId = env('ANALYTICS_ID', ''); if ('' !== $analyticsId) { $google = 'https://www.google-analytics.com/analytics.js'; } $csp = [ "default-src 'none'", sprintf("script-src 'self' 'unsafe-eval' 'unsafe-inline' %s", $google), "style-src 'self' 'unsafe-inline'", "base-uri 'self'", "form-action 'self'", "font-src 'self'", "connect-src 'self'", "img-src 'self'", ]; $response->header('X-Frame-Options', 'deny'); $response->header('Content-Security-Policy', implode('; ', $csp)); return $response; } }