<?php
declare(strict_types=1);
namespace App\EventSubscriber;
use App\Environment;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
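/**
 * Adds a fixed set of browser security headers to every response.
 *
 * The headers are written with `headers->set()`, so any value a controller
 * or another listener already put on the response for the same header is
 * overwritten. The listener runs for every kernel response (including
 * sub-requests — no `isMainRequest()` guard is applied).
 */
final class HttpHeadersSubscriber implements EventSubscriberInterface
{
    /**
     * Legacy XSS-auditor header. The auditor has been removed from Chromium
     * and was never implemented in Firefox, so this value is effectively
     * inert in current browsers; NOTE(review): OWASP now recommends `0`
     * (disable) or omitting the header — confirm before changing.
     */
    private const XSS = '1; mode=block';

    /**
     * Content-Security-Policy applied to all resource types via default-src.
     *
     * NOTE(review): `'unsafe-inline'` permits inline scripts/styles and
     * `data:`/`blob:` are allowed for every resource type, which largely
     * removes the script-injection protection CSP is meant to give. The
     * repeated `'self'`/`'unsafe-inline'` tokens are harmless but redundant.
     * Tightening this (separate script-src/style-src, nonces or hashes)
     * needs a check against the app's inline assets, so the value is left as is.
     */
    private const CSP = "default-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://cdnjs.cloudflare.com https://fonts.googleapis.com data: 'self' 'unsafe-inline' blob: 'self'";

    /**
     * One year HSTS. No `includeSubDomains`/`preload`, so only this exact
     * host is pinned to HTTPS.
     */
    private const HSTS = 'max-age=31536000';

    /** Disallow framing by any origin (clickjacking mitigation). */
    private const FRAME = 'deny';

    /** Stop browsers from MIME-sniffing the declared Content-Type. */
    private const CONTENT_OPT = 'nosniff';

    /**
     * Sets the security headers on the outgoing response.
     *
     * HSTS is added only when the environment is production, presumably so
     * that non-TLS development hosts are not pinned to HTTPS by the browser.
     */
    public function onKernelResponse(ResponseEvent $event): void
    {
        $headers = $event->getResponse()->headers;

        $headers->set('X-XSS-Protection', self::XSS);
        $headers->set('Content-Security-Policy', self::CSP);
        $headers->set('X-Frame-Options', self::FRAME);
        $headers->set('X-Content-Type-Options', self::CONTENT_OPT);

        // HSTS is sticky in the browser for max-age; keep it off outside production.
        if (!Environment::isProduction()) {
            return;
        }

        $headers->set('Strict-Transport-Security', self::HSTS);
    }

    /**
     * @return array<string, string> event name => handler method
     */
    public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::RESPONSE => 'onKernelResponse',
        ];
    }
}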