michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
64a7051137091bbb04787f0934153ec7bf6867fe
michaelschiemer/src/Framework/Http/Middlewares/SecurityHeaderConfig.php

49 lines
2.6 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Framework\Http\Middlewares;
final readonly class SecurityHeaderConfig
{
public function __construct(
public string $hstsHeader = 'max-age=63072000; includeSubDomains; preload',
public string $frameOptions = 'DENY',
public string $referrerPolicy = 'strict-origin-when-cross-origin',
public string $contentSecurityPolicy = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; media-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'",
public string $permissionsPolicy = 'geolocation=(), microphone=(), camera=()',
public string $crossOriginEmbedderPolicy = 'require-corp',
public string $crossOriginOpenerPolicy = 'same-origin',
public string $crossOriginResourcePolicy = 'same-origin',
public bool $enableInDevelopment = false
) {}
/**
* Erstellt eine Konfiguration für Entwicklungsumgebung mit weniger restriktiven Einstellungen
*/
public static function forDevelopment(): self
{
return new self(
hstsHeader: 'max-age=3600', // Kürzere HSTS-Zeit für Development
frameOptions: 'SAMEORIGIN', // Weniger restriktiv für Development-Tools
contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self' https:; connect-src 'self' ws: wss:; media-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'self'; form-action 'self'; base-uri 'self'",
crossOriginEmbedderPolicy: 'unsafe-none',
crossOriginOpenerPolicy: 'unsafe-none',
crossOriginResourcePolicy: 'cross-origin',
enableInDevelopment: true
);
}
/**
* Erstellt eine Konfiguration für Produktionsumgebung mit maximaler Sicherheit
*/
public static function forProduction(): self
{
return new self(
hstsHeader: 'max-age=63072000; includeSubDomains; preload',
frameOptions: 'DENY',
contentSecurityPolicy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; media-src 'self'; object-src 'none'; child-src 'none'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; upgrade-insecure-requests",
permissionsPolicy: 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), speaker=()',
);
}
}
Reference in New Issue View Git Blame Copy Permalink