fix: update CORS and XSS middleware headers for improved security and compliance

Author: dewanakl

app/Middleware/CorsMiddleware.php

@@ -13,10 +13,10 @@ public function handle(Request $request, Closure $next)
     {
         $header = respond()->getHeader();
         $header->set('Access-Control-Allow-Origin', '*');
-        $header->set('Access-Control-Expose-Headers', 'Authorization, Content-Type, Cache-Control, Content-Disposition');
+        $header->set('Access-Control-Expose-Headers', 'Content-Length, Content-Disposition');
 
         $vary = $header->has('Vary') ? explode(', ', $header->get('Vary')) : [];
-        $vary = array_unique([...$vary, 'Accept', 'Origin', 'User-Agent', 'Access-Control-Request-Method', 'Access-Control-Request-Headers']);
+        $vary = array_unique([...$vary, 'Accept', 'Access-Control-Request-Method', 'Access-Control-Request-Headers', 'Origin']);
         $header->set('Vary', join(', ', $vary));
 
         if (!$request->method(Request::OPTIONS)) {
@@ -34,10 +34,7 @@ public function handle(Request $request, Closure $next)
             strtoupper($request->server->get('HTTP_ACCESS_CONTROL_REQUEST_METHOD', $request->method()))
         );
 
-        $header->set(
-            'Access-Control-Allow-Headers',
-            $request->server->get('HTTP_ACCESS_CONTROL_REQUEST_HEADERS', 'Origin, Content-Type, Accept, Authorization, Accept-Language')
-        );
+        $header->set('Access-Control-Allow-Headers', 'Accept, Authorization, Content-Type');
 
         return respond()->setCode(Respond::HTTP_NO_CONTENT);
     }

app/Middleware/XSSMiddleware.php

@@ -18,7 +18,6 @@ public function handle(Request $request, Closure $next)
             ->set('Referrer-Policy', 'strict-origin-when-cross-origin')
             ->set('Content-Security-Policy', 'upgrade-insecure-requests')
             ->set('X-Content-Type-Options', 'nosniff')
-            ->set('X-XSS-Protection', '1; mode=block')
             ->set('X-Frame-Options', 'SAMEORIGIN');
 
         return $next($request);