From 99d6e002ad1f0a3889ccd5d75d4b1eaef7b3e356 Mon Sep 17 00:00:00 2001
From: alexmerlin
Date: Tue, 2 Dec 2025 13:18:02 +0200
Subject: [PATCH] Issue #487: Added security headers

Signed-off-by: alexmerlin
---
 config/autoload/response-header.global.php | 36 +++++++++++++++++-----
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/config/autoload/response-header.global.php b/config/autoload/response-header.global.php
index 2381758c..23a39201 100644
--- a/config/autoload/response-header.global.php
+++ b/config/autoload/response-header.global.php
@@ -8,20 +8,42 @@
      * Global headers - applied to all routes
      */
         '*' => [
-            'permissions-policy' => [
+            'permissions-policy' => [
                 'value' => 'interest-cohort=()',
                 'overwrite' => true,
             ],
+            'X-Content-Type-Options' => [
+                'value' => 'nosniff',
+                'overwrite' => true,
+            ],
+            'Referrer-Policy' => [
+                'value' => 'no-referrer',
+                'overwrite' => true,
+            ],
         ],
 
     /**
      * Route-specific headers
      */
-//        'route-name' => [
-//            'header-name' => [
-//                'value' => 'header-value',
-//                'overwrite' => true,
-//            ]
-//        ],
+        'security::generate-token' => [
+            'Cache-Control' => [
+                'value' => 'no-store',
+                'overwrite' => true,
+            ],
+            'Pragma' => [
+                'value' => 'no-cache',
+                'overwrite' => true,
+            ],
+        ],
+        'security::refresh-token' => [
+            'Cache-Control' => [
+                'value' => 'no-store',
+                'overwrite' => true,
+            ],
+            'Pragma' => [
+                'value' => 'no-cache',
+                'overwrite' => true,
+            ],
+        ],
     ],
 ];
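Review bot: The global `'*'` block adds only `X-Content-Type-Options` and `Referrer-Policy`, leaving out the headers that usually accompany them — `Strict-Transport-Security` (if the application is only reachable over TLS) and `X-Frame-Options: DENY` or a `Content-Security-Policy` with `frame-ancestors 'none'` for an API that is never embedded — so a comment stating whether those are intentionally delegated to the reverse proxy would save the next reader from re-asking. The `Cache-Control: no-store` / `Pragma: no-cache` pair on the two token routes matches what RFC 6749 §5.1 requires of token responses; any other route that returns a token or session material should receive the same block, and since the placeholder that documented the route-specific format was removed, a one-line note such as `// keys are route names; 'overwrite' => true replaces a header already set earlier in the pipeline` would keep the file self-explanatory. Key casing is now mixed (`permissions-policy` lower-case, the new entries Title-Case); whether the middleware compares header names case-insensitively when honouring `overwrite` is not visible here, so normalising all keys to one form avoids an accidental duplicate header if it does not. The `interest-cohort=()` directive targets a browser feature that has since been withdrawn, so that entry is harmless but no longer has any effect.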