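. */
declare(strict_types=1);

namespace FireflyIII\Http\Middleware;

use Auth;
use Closure;
use Illuminate\Http\Request;

/**
 * Class SecureHeaders
 *
 * Attaches browser hardening headers (X-Frame-Options and a
 * Content-Security-Policy) to every response that passes through it.
 * This middleware performs no authentication or authorisation check of
 * its own; it only decorates the outgoing response.
 */
class SecureHeaders
{
    /**
     * Content-Security-Policy directives, one per entry. Kept as a list so
     * the policy is readable and so each directive can be reviewed on its own.
     *
     * Caveat for reviewers: 'unsafe-inline' and 'unsafe-eval' in script-src
     * mean this policy does NOT meaningfully mitigate reflected/stored XSS;
     * it mainly restricts where resources may be loaded from. Tightening it
     * requires removing inline scripts (or moving to nonces/hashes) first.
     *
     * NOTE(review): only the analytics.js script itself is allow-listed; any
     * beacon/XHR/image request the script makes to a third-party host is
     * still blocked by connect-src/img-src 'self' — confirm against the
     * analytics configuration if telemetry is expected to work.
     *
     * @var string[]
     */
    private const CSP_DIRECTIVES = [
        "default-src 'none'",
        "script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.google-analytics.com/analytics.js",
        "style-src 'self' 'unsafe-inline'",
        "base-uri 'self'",
        "form-action 'self'",
        "font-src 'self'",
        "connect-src 'self'",
        "img-src 'self'",
        // CSP equivalent of X-Frame-Options: deny. Modern browsers prefer
        // frame-ancestors over X-Frame-Options, so both are sent to cover
        // old and new user agents consistently.
        "frame-ancestors 'none'",
    ];

    /**
     * Handle an incoming request and add security headers to the response.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure                 $next    the next handler in the pipeline
     *
     * @return mixed the response produced by $next, with headers added
     */
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        // Use the Symfony header bag directly rather than the Laravel
        // ->header() helper: the helper is only available on Laravel's own
        // response classes, while ->headers exists on every Symfony response
        // (e.g. file downloads / streamed responses), and for Laravel
        // responses ->header() is itself a thin wrapper over ->headers->set().
        // NOTE(review): assumes $next always yields a Symfony Response object,
        // which is what Laravel's pipeline guarantees — confirm for this app.
        $response->headers->set('X-Frame-Options', 'deny');
        $response->headers->set('Content-Security-Policy', $this->contentSecurityPolicy());

        // NOTE(review): X-Content-Type-Options: nosniff and a Referrer-Policy
        // are commonly added alongside these; not added here as the page gives
        // no indication of the intended referrer behaviour.

        return $response;
    }

    /**
     * Build the Content-Security-Policy header value.
     *
     * @return string directives joined with "; " as the CSP grammar requires
     */
    private function contentSecurityPolicy(): string
    {
        return implode('; ', self::CSP_DIRECTIVES);
    }
}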