chore: complete update

2025-07-17 16:24:20 +02:00
parent 899227b0a4
commit 64a7051137
1300 changed files with 85570 additions and 2756 deletions
--- a/src/Framework/Http/Middlewares/SecurityHeaderConfig.php
+++ b/src/Framework/Http/Middlewares/SecurityHeaderConfig.php
@@ -0,0 +1,48 @@
+<?php
+declare(strict_types=1);
+
+namespace App\Framework\Http\Middlewares;
+
+final readonly class SecurityHeaderConfig
+{
+    public function __construct(
+        public string $hstsHeader = 'max-age=63072000; includeSubDomains; preload',
+        public string $frameOptions = 'DENY',
+        public string $referrerPolicy = 'strict-origin-when-cross-origin',
+        public string $contentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; media-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'",
+        public string $permissionsPolicy = 'geolocation=(), microphone=(), camera=()',
+        public string $crossOriginEmbedderPolicy = 'require-corp',
+        public string $crossOriginOpenerPolicy = 'same-origin',
+        public string $crossOriginResourcePolicy = 'same-origin',
+        public bool $enableInDevelopment = false
+    ) {}
+
+    /**
+     * Erstellt eine Konfiguration für Entwicklungsumgebung mit weniger restriktiven Einstellungen
+     */
+    public static function forDevelopment(): self
+    {
+        return new self(
+            hstsHeader: 'max-age=3600', // Kürzere HSTS-Zeit für Development
+            frameOptions: 'SAMEORIGIN',  // Weniger restriktiv für Development-Tools
+            contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self' https:; connect-src 'self' ws: wss:; media-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'",
+            crossOriginEmbedderPolicy: 'unsafe-none',
+            crossOriginOpenerPolicy: 'unsafe-none',
+            crossOriginResourcePolicy: 'cross-origin',
+            enableInDevelopment: true
+        );
+    }
+
+    /**
+     * Erstellt eine Konfiguration für Produktionsumgebung mit maximaler Sicherheit
+     */
+    public static function forProduction(): self
+    {
+        return new self(
+            hstsHeader: 'max-age=63072000; includeSubDomains; preload',
+            frameOptions: 'DENY',
+            contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; media-src 'self'; object-src 'none'; child-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; upgrade-insecure-requests",
+            permissionsPolicy: 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), speaker=()',
+        );
+    }
+}