src/EventSubscriber/SecurityHeadersSubscriber.php line 17

Open in your IDE?
  1. <?php
  3. namespace App\EventSubscriber;
  5. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  6. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  8. class SecurityHeadersSubscriber implements EventSubscriberInterface
  9. {
  10.     public static function getSubscribedEvents(): array
  11.     {
  12.         return [
  13.             ResponseEvent::class => 'onResponse',
  14.         ];
  15.     }
  17.     public function onResponse(ResponseEvent $event): void
  18.     {
  19.         if (!$event->isMainRequest()) {
  20.             return;
  21.         }
  23.         $response $event->getResponse();
  24.         $csp "default-src 'self'; img-src 'self' data: https://*.stripe.com; "
  25.             "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
  26.             "script-src 'self' 'unsafe-inline' https://js.stripe.com; "
  27.             "font-src 'self' data: https://fonts.gstatic.com; "
  28.             "connect-src 'self' https://api.stripe.com; "
  29.             "frame-src https://js.stripe.com https://checkout.stripe.com https://*.stripe.com; "
  30.             "frame-ancestors 'none'; base-uri 'self'";
  32.         if (!$response->headers->has('Content-Security-Policy')) {
  33.             $response->headers->set('Content-Security-Policy'$csp);
  34.         }
  35.         $response->headers->set('Referrer-Policy''strict-origin-when-cross-origin');
  36.         $response->headers->set('X-Content-Type-Options''nosniff');
  37.         $response->headers->set('X-Frame-Options''DENY');
  38.         $response->headers->set('Permissions-Policy''geolocation=(self), microphone=(), camera=(), payment=(), fullscreen=()');
  39.     }
  40. }