Feature/add security header (#319)

Author: mckenziearts

app/Http/Controllers/User/DashboardController.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Symfony\Component\HttpFoundation\Response;
+
+final class CacheHeaders
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /**
+         * @var \Illuminate\Http\Response $response
+         */
+        $response = $next($request);
+
+        if (Auth::check()) {
+            $response->setCache(
+                options: [
+                    'private' => true,
+                    'max_age' => 0,
+                    's_maxage' => 0,
+                    'no_store' => true,
+                ],
+            );
+        } else {
+            $response->setCache(
+                options: [
+                    'public' => true,
+                    'max_age' => 60,
+                    's_maxage' => 60,
+                ],
+            );
+
+            foreach ($response->headers->getCookies() as $cookie) {
+                $response->headers->removeCookie(
+                    name: $cookie->getName(),
+                );
+            }
+        }
+
+        return $response;
+    }
+}

app/Http/Middleware/CacheHeaders.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware\Security;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class ContentSecurityPolicy
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /**
+         * @var Response $response
+         */
+        $response = $next($request);
+
+        $response->headers->add([
+            'Content-Security-Policy' => "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src *;",
+        ]);
+
+        return $response;
+    }
+}

app/Http/Middleware/Security/ContentSecurityPolicy.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware\Security;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class PermissionsPolicy
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /**
+         * @var Response $response
+         */
+        $response = $next($request);
+
+        $response->headers->add([
+            'Permissions-Policy' => 'geolocation=(self), microphone=()',
+        ]);
+
+        return $response;
+    }
+}

app/Http/Middleware/Security/PermissionsPolicy.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware\Security;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class ReferrerPolicy
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /**
+         * @var Response $response
+         */
+        $response = $next($request);
+
+        $response->headers->add([
+            'Referrer-Policy' => 'no-referrer',
+        ]);
+
+        return $response;
+    }
+}

app/Http/Middleware/Security/ReferrerPolicy.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware\Security;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class StrictTransportSecurity
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /**
+         * @var Response $response
+         */
+        $response = $next($request);
+
+        $response->headers->add([
+            'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
+        ]);
+
+        return $response;
+    }
+}

app/Http/Middleware/Security/StrictTransportSecurity.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware\Security;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class XFrameOption
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /**
+         * @var Response $response
+         */
+        $response = $next($request);
+
+        $response->headers->add([
+            'X-Frame-Options' => 'deny',
+        ]);
+
+        return $response;
+    }
+}

app/Http/Middleware/Security/XFrameOption.php

@@ -75,7 +75,7 @@ public function comments(): Collection
         $replies = collect();
 
         // @phpstan-ignore-next-line
-        foreach ($this->discussion->replies->load(['allChildReplies', 'user']) as $reply) {
+        foreach ($this->discussion->replies->load(['allChildReplies', 'user', 'user.media']) as $reply) {
             /** @var Reply $reply */
             if ($reply->allChildReplies->isNotEmpty()) {
                 foreach ($reply->allChildReplies as $childReply) {

app/Http/Middleware/TrackLastActivity.php

@@ -29,7 +29,7 @@ final class Articles extends Component implements HasActions, HasForms
     #[Computed]
     public function articles(): LengthAwarePaginator
     {
-        return Article::with(['user', 'tags', 'reactions'])
+        return Article::with('tags', 'reactions')
             ->where('user_id', Auth::id())
             ->latest()
             ->paginate(10);