src/EventSubscriber/HttpHeadersSubscriber.php line 29

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace App\EventSubscriber;
  7. use App\Environment;
  8. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  9. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  10. use Symfony\Component\HttpKernel\KernelEvents;
  12. final class HttpHeadersSubscriber implements EventSubscriberInterface
  13. {
  14.     /** @var string */
  15.     private const XSS "1; mode=block";
  17.     /** @var string */
  18.     private const CSP "default-src 'self' 'unsafe-inline' https://fonts.gstatic.com https://cdnjs.cloudflare.com https://fonts.googleapis.com data: 'self' 'unsafe-inline' blob: 'self'";
  20.     /** @var string */
  21.     private const HSTS "max-age=31536000";
  23.     /** @var string */
  24.     private const FRAME "deny";
  26.     /** @var string */
  27.     private const CONTENT_OPT "nosniff";
  29.     public function onKernelResponse(ResponseEvent $event)
  30.     {
  31.         $event->getResponse()->headers->set('X-XSS-Protection'self::XSS);
  32.         $event->getResponse()->headers->set('Content-Security-Policy'self::CSP);
  33.         $event->getResponse()->headers->set('X-Frame-Options'self::FRAME);
  34.         $event->getResponse()->headers->set('X-Content-Type-Options'self::CONTENT_OPT);
  36.         if (!Environment::isProduction()) {
  37.             return;
  38.         }
  40.         $event->getResponse()->headers->set('Strict-Transport-Security'self::HSTS);
  41.     }
  43.     public static function getSubscribedEvents()
  44.     {
  45.         return [
  46.             KernelEvents::RESPONSE => 'onKernelResponse',
  47.         ];
  48.     }
  49. }