Merge pull request #8 from codebar-ag/main

main/production

Author: StanBarrows

app/Http/Middleware/AddContentSecurityPolicyHeaders.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Support\Facades\Vite;
+
+class AddContentSecurityPolicyHeaders
+{
+    public function handle($request, Closure $next): string
+    {
+        return $next($request)->withHeaders([
+            'Content-Security-Policy' => "script-src 'nonce-".Vite::cspNonce()."'",
+        ]);
+    }
+}

app/Security/Generator/LaravelViteNonceGenerator.php

@@ -0,0 +1,14 @@
+<?php
+
+namespace App\Security\Generator;
+
+use Illuminate\Support\Facades\Vite;
+use Spatie\Csp\Nonce\NonceGenerator;
+
+class LaravelViteNonceGenerator implements NonceGenerator
+{
+    public function generate(): string
+    {
+        return Vite::cspNonce();
+    }
+}

app/Security/Presets/MyCspPreset.php

@@ -0,0 +1,40 @@
+<?php
+
+namespace App\Security\Presets;
+
+use Spatie\Csp\Directive;
+use Spatie\Csp\Keyword;
+use Spatie\Csp\Policy;
+use Spatie\Csp\Preset;
+
+class MyCspPreset implements Preset
+{
+    public function configure(Policy $policy): void
+    {
+        $policy->add(Directive::BASE, Keyword::SELF);
+
+        $policy->add(Directive::CONNECT, Keyword::SELF);
+        $policy->add(Directive::DEFAULT, Keyword::SELF);
+        $policy->add(Directive::FONT, Keyword::SELF);
+        $policy->add(Directive::FORM_ACTION, Keyword::SELF);
+        $policy->add(Directive::IMG, [
+            Keyword::SELF,
+            'data:',
+        ]);
+        $policy->add(Directive::MEDIA, Keyword::SELF);
+        $policy->add(Directive::OBJECT, Keyword::NONE);
+
+        $policy->add(Directive::SCRIPT, Keyword::SELF);
+
+        $policy->add(Directive::STYLE, [
+            Keyword::SELF,
+            Keyword::UNSAFE_INLINE,
+        ]);
+
+        // Fathom Analytics
+        $policy->add(Directive::SCRIPT, 'cdn.usefathom.com');
+        $policy->add(Directive::CONNECT, 'cdn.usefathom.com');
+        $policy->add(Directive::SCRIPT, 'cdn-eu.usefathom.com');
+        $policy->add(Directive::CONNECT, 'cdn-eu.usefathom.com');
+    }
+}

app/Security/SecurityPolicyBasic.php

@@ -1,5 +1,6 @@
 <?php
 
+use App\Http\Middleware\AddContentSecurityPolicyHeaders;
 use App\Http\Middleware\SetLanguage;
 use App\Providers\AppServiceProvider;
 use App\Providers\EventServiceProvider;
@@ -24,6 +25,7 @@
     ->withMiddleware(function (Middleware $middleware) {
         $middleware->web(append: [
             AddCspHeaders::class,
+            // AddContentSecurityPolicyHeaders::class,
             AddFeaturePolicyHeaders::class,
             SetLanguage::class,
             CacheResponse::class,

bootstrap/app.php

@@ -9,18 +9,15 @@
   "license": "MIT",
   "require": {
     "php": "^8.4",
-    "blade-ui-kit/blade-heroicons": "^2.3",
-    "blade-ui-kit/blade-icons": "^1.6",
     "codebar-ag/laravel-flysystem-cloudinary": "^v12.0.1",
     "filament/filament": "^3.3",
     "laravel/framework": "^v12.1.1",
     "laravel/tinker": "^2.10.1",
     "league/flysystem-aws-s3-v3": "^3.28",
     "livewire/livewire": "^3.5",
     "mazedlx/laravel-feature-policy": "^2.2",
-    "owenvoke/blade-fontawesome": "^2.6",
     "sammyjo20/lasso": "3.4.0",
-    "spatie/laravel-csp": "^2.9",
+    "spatie/laravel-csp": "^3.8",
     "spatie/laravel-flash": "^1.10",
     "spatie/laravel-health": "^1.27",
     "spatie/laravel-honeypot": "^4.5",