From fd37c9d60ea818dc9a562fa88ff5f9a50132506f Mon Sep 17 00:00:00 2001
From: Igor Scheller
Date: Sat, 27 Oct 2018 11:11:37 +0100
Subject: Added additional headers
---
 config/app.php | 1 +
 config/config.default.php | 13 +++++++++++++
 2 files changed, 14 insertions(+)
(limited to 'config')
diff --git a/config/app.php b/config/app.php
index 77b1e874..7ba3509e 100644
--- a/config/app.php
+++ b/config/app.php
@@ -37,6 +37,7 @@ return [
 // Changes of request/response parameters
 \Engelsystem\Middleware\SetLocale::class,
+ \Engelsystem\Middleware\AddHeaders::class,
 // The application code
 \Engelsystem\Middleware\ErrorHandler::class,
diff --git a/config/config.default.php b/config/config.default.php
index 879aa836..4ba6cdc1 100644
--- a/config/config.default.php
+++ b/config/config.default.php
@@ -150,4 +150,17 @@ return [
 // IP addresses of reverse proxies that are trusted, can be an array or a comma separated list
 'trusted_proxies' => env('TRUSTED_PROXIES', ['127.0.0.0/8', '::ffff:127.0.0.0/8', '::1/128']),
+
+ // Add additional headers
+ 'add_headers' => (bool)env('ADD_HEADERS', true),
+ 'headers' => [
+ 'X-Content-Type-Options' => 'nosniff',
+ 'X-Frame-Options' => 'sameorigin',
+ 'Referrer-Policy' => 'strict-origin-when-cross-origin',
+ 'Content-Security-Policy' => 'default-src \'self\' \'unsafe-inline\' \'unsafe-eval\'',
+ 'X-XSS-Protection' => '1; mode=block',
+ 'Feature-Policy' => 'autoplay \'none\'',
+ //'Strict-Transport-Security' => 'max-age=7776000',
+ //'Expect-CT' => 'max-age=7776000,enforce,report-uri="[uri]"',
+ ],
 ];
-- 
cgit v1.2.3-54-g00ecf
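Review bot: The `'Content-Security-Policy'` line in the config.default.php hunk grants `'unsafe-inline'` and `'unsafe-eval'` on `default-src`, so injected inline scripts and `eval()` remain allowed and this policy only restricts remote origins; it does not mitigate the usual reflected/stored XSS cases, which the comment above it ("Add additional headers") does not make clear. That limitation belongs next to the value, e.g. `// NOTE: 'unsafe-inline'/'unsafe-eval' disable CSP's script-injection protection; tighten to nonces/hashes once templates allow it`. While it stays permissive, directives that cost nothing would still help: `'Content-Security-Policy' => 'default-src \'self\' \'unsafe-inline\' \'unsafe-eval\'; object-src \'none\'; base-uri \'self\'; frame-ancestors \'self\''` (frame-ancestors is the CSP counterpart of the `X-Frame-Options` line above it). Separately, `(bool)env('ADD_HEADERS', true)` casts whatever `env()` returns, and if that helper hands back the raw string then `ADD_HEADERS=false` still enables the headers because `(bool)'false'` is `true` in PHP; `env()` is not visible in this diff, so either confirm it normalises booleans or use `filter_var(env('ADD_HEADERS', true), FILTER_VALIDATE_BOOLEAN)`. The enclosing `return [` array begins outside the hunk.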