Merge pull request #489 from dotkernel/issue-487

Issue #487: Added security headers

Author: alexmerlin

config/autoload/response-header.global.php

@@ -8,20 +8,42 @@
          * Global headers - applied to all routes
          */
         '*' => [
-            'permissions-policy' => [
+            'permissions-policy'     => [
                 'value'     => 'interest-cohort=()',
                 'overwrite' => true,
             ],
+            'X-Content-Type-Options' => [
+                'value'     => 'nosniff',
+                'overwrite' => true,
+            ],
+            'Referrer-Policy'        => [
+                'value'     => 'no-referrer',
+                'overwrite' => true,
+            ],
         ],
 
         /**
          * Route-specific headers
          */
-//        'route-name' => [
-//            'header-name' => [
-//                'value' => 'header-value',
-//                'overwrite' => true,
-//            ]
-//        ],
+        'security::generate-token' => [
+            'Cache-Control' => [
+                'value'     => 'no-store',
+                'overwrite' => true,
+            ],
+            'Pragma'        => [
+                'value'     => 'no-cache',
+                'overwrite' => true,
+            ],
+        ],
+        'security::refresh-token'  => [
+            'Cache-Control' => [
+                'value'     => 'no-store',
+                'overwrite' => true,
+            ],
+            'Pragma'        => [
+                'value'     => 'no-cache',
+                'overwrite' => true,
+            ],
+        ],
     ],
 ];