headers->remove('X-Powered-By'); $response->headers->remove('Server'); // Content Security Policy — erlaubt CDN-Quellen für Tailwind, Alpine, Quill, Leaflet // 'unsafe-inline' benötigt von: Tailwind CDN (inline Styles), Alpine.js (Event-Handler) // 'unsafe-eval' benötigt von: Tailwind CDN (JIT nutzt new Function()) // Entfernung nur möglich durch Wechsel auf self-hosted/kompilierte Assets $cspDirectives = [ "default-src 'self'", "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://cdn.jsdelivr.net https://unpkg.com https://cdn.quilljs.com", "style-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdn.jsdelivr.net https://unpkg.com https://cdn.quilljs.com", "img-src 'self' data: https://*.tile.openstreetmap.org https://unpkg.com", "font-src 'self' https://cdn.jsdelivr.net https://cdn.quilljs.com", "connect-src 'self' https://photon.komoot.io", "frame-src 'self'", "object-src 'none'", "base-uri 'self'", "form-action 'self'", ]; // upgrade-insecure-requests nur bei HTTPS — bricht sonst lokale HTTP-Entwicklung (Herd/artisan serve) if ($request->secure()) { $cspDirectives[] = "upgrade-insecure-requests"; } $csp = implode('; ', $cspDirectives); $response->headers->set('Content-Security-Policy', $csp); $response->headers->set('X-Content-Type-Options', 'nosniff'); $response->headers->set('X-Frame-Options', 'SAMEORIGIN'); $response->headers->set('X-XSS-Protection', '1; mode=block'); $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin'); $response->headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=(self), payment=(), usb=(), bluetooth=(), autoplay=(), magnetometer=(), gyroscope=(), accelerometer=()'); // Cross-Origin Isolation Headers $response->headers->set('Cross-Origin-Opener-Policy', 'same-origin-allow-popups'); // HSTS — HTTPS fuer 1 Jahr erzwingen (nur bei HTTPS-Requests aktiv) if ($request->secure()) { $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); } return $response; } }