From 9766c534bddad8e82e6d19f9bad5cf70b9887f9a Mon Sep 17 00:00:00 2001 From: Roman Kelesidis Date: Wed, 19 Mar 2025 01:05:15 +0700 Subject: [PATCH] feat: Added secure headers configuring (#1856) * feat: Added secure headers configuring * Update config.secure-headers.php --- common.php | 5 +- composer.json | 1 + composer.lock | 85 ++- library/config.secure-headers.php | 845 ++++++++++++++++++++++++++++++ 4 files changed, 932 insertions(+), 4 deletions(-) create mode 100644 library/config.secure-headers.php diff --git a/common.php b/common.php index a455a7de2..11e1ee775 100644 --- a/common.php +++ b/common.php @@ -38,7 +38,6 @@ if (!defined('BB_SCRIPT')) { define('BB_SCRIPT', null); } -header('X-Frame-Options: SAMEORIGIN'); date_default_timezone_set('UTC'); // Set remote address @@ -106,6 +105,10 @@ define('FORUM_PATH', $bb_cfg['script_path']); define('FULL_URL', $server_protocol . $bb_cfg['server_name'] . $server_port . $bb_cfg['script_path']); unset($server_protocol, $server_port); +// Secure headers +$secureHeaders = \Bepsvpt\SecureHeaders\SecureHeaders::fromFile(BB_PATH . '/library/config.secure-headers.php'); +$secureHeaders->send(); + /** * Database */ diff --git a/composer.json b/composer.json index 82f829c9b..2577aa073 100644 --- a/composer.json +++ b/composer.json @@ -56,6 +56,7 @@ "belomaxorka/captcha": "1.*", "egulias/email-validator": "^4.0.1", "filp/whoops": "^2.15", + "bepsvpt/secure-headers": "9.*", "z4kn4fein/php-semver": "^v3.0.0", "nemorize/indexnow": "^0.0.1", "gigablah/sphinxphp": "2.0.8", diff --git a/composer.lock b/composer.lock index 3012c3903..750030512 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "c1e345a7abe58feb13d951acfd499e95", + "content-hash": "098530029429a81a4a25a5d7276584c4", "packages": [ { "name": "arokettu/bencode", 
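Review bot: The new `$secureHeaders->send()` call in the second common.php hunk runs unconditionally on every include of common.php with no `headers_sent()` guard, so if anything earlier in the request has already produced output (a notice with display_errors on, stray whitespace in an included config) PHP will emit a "headers already sent" warning per header and the entire protection set is dropped for that response; the removed inline `header('X-Frame-Options: SAMEORIGIN')` sat much earlier in the file and was less exposed to this. Consider `if (!headers_sent()) { $secureHeaders->send(); }` — or emit the headers at the position the removed call occupied, provided `BB_PATH` is already defined there — and check whether the library's `send()` performs that guard itself (presumably it calls `header()` directly; I cannot see its source here). Since this hunk deletes the only explicit framing header, the clickjacking protection now depends entirely on the shipped config keeping `'x-frame-options' => 'sameorigin'` (or a CSP `frame-ancestors`), which is worth stating in a comment above the block, e.g. `// Replaces the former inline X-Frame-Options header; framing policy now lives in config.secure-headers.php`.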
@@ -470,6 +470,85 @@ }, "time": "2025-03-10T13:15:53+00:00" }, + { + "name": "bepsvpt/secure-headers", + "version": "9.0.0", + "source": { + "type": "git", + "url": "https://github.com/bepsvpt/secure-headers.git", + "reference": "7efbc3d8b988051b5ff81c4cacd1d12e875528ed" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/bepsvpt/secure-headers/zipball/7efbc3d8b988051b5ff81c4cacd1d12e875528ed", + "reference": "7efbc3d8b988051b5ff81c4cacd1d12e875528ed", + "shasum": "" + }, + "require": { + "ext-json": "*", + "php": "^7.1 || ^8.0" + }, + "require-dev": { + "ergebnis/composer-normalize": "^2.42", + "ext-xdebug": "*", + "laravel/pint": "^1.14", + "orchestra/testbench": "^3.1 || ^4.18 || ^5.20 || ^6.43 || ^7.41 || ^8.22 || ^9.0", + "phpstan/phpstan": "^1.10", + "phpunit/phpunit": "^5.7 || ^6.5 || ^7.5 || ^8.5 || ^9.6 || ^10.5" + }, + "type": "library", + "extra": { + "laravel": { + "providers": [ + "Bepsvpt\\SecureHeaders\\SecureHeadersServiceProvider" + ] + } + }, + "autoload": { + "files": [ + "src/helpers.php" + ], + "psr-4": { + "Bepsvpt\\SecureHeaders\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "bepsvpt", + "email": "6ibrl@cpp.tw" + } + ], + "description": "Add security related headers to HTTP response. 
The package includes Service Providers for easy Laravel integration.", + "homepage": "https://github.com/bepsvpt/secure-headers", + "keywords": [ + "clear-site-data", + "content-security-policy", + "csp", + "except-ct", + "feature-policy", + "header", + "hsts", + "https", + "laravel", + "permissions-policy", + "referrer-policy" + ], + "support": { + "issues": "https://github.com/bepsvpt/secure-headers/issues", + "source": "https://github.com/bepsvpt/secure-headers/tree/9.0.0" + }, + "funding": [ + { + "url": "https://opencollective.com/secure-headers", + "type": "open_collective" + } + ], + "time": "2025-01-18T07:18:04+00:00" + }, { "name": "bugsnag/bugsnag", "version": "v3.29.3", @@ -3854,6 +3933,6 @@ "platform": { "php": "^8.1 | ^8.2 | ^8.3 | ^8.4" }, - "platform-dev": [], - "plugin-api-version": "2.3.0" + "platform-dev": {}, + "plugin-api-version": "2.6.0" } diff --git a/library/config.secure-headers.php b/library/config.secure-headers.php new file mode 100644 index 000000000..d5271e3e2 --- /dev/null +++ b/library/config.secure-headers.php 
@@ -0,0 +1,845 @@ + '', + + /** + * X-Content-Type-Options + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + * + * Available Value: 'nosniff' + */ + 'x-content-type-options' => 'nosniff', + + /** + * X-DNS-Prefetch-Control + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control + * + * Available Value: 'on', 'off' + */ + 'x-dns-prefetch-control' => '', + + /** + * X-Download-Options + * + * @see https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx + * + * Available Value: 'noopen' + */ + 'x-download-options' => 'noopen', + + /** + * X-Frame-Options + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + * @deprecated The X-Frame-Options is no longer recommended for use; please use Content-Security-Policy (CSP) instead. + * + * Available Value: 'deny', 'sameorigin', 'allow-from ' + */ + 'x-frame-options' => 'sameorigin', + + /** + * X-Permitted-Cross-Domain-Policies + * + * @see https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html + * + * Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename' + */ + 'x-permitted-cross-domain-policies' => 'none', + + /** + * X-Powered-By + * + * Note: it will not add to response header if the value is empty string. + * + * Also, verify that expose_php is turned Off in php.ini. + * Otherwise, the header will still be included in the response. + * + * @see https://github.com/bepsvpt/secure-headers/issues/58#issuecomment-782332442 + */ + 'x-powered-by' => '', + + /** + * X-XSS-Protection + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection + * @deprecated The X-XSS-Protection is no longer recommended for use; please use Content-Security-Policy (CSP) instead. 
+ * + * Available Value: '1', '0', '1; mode=block' + */ + 'x-xss-protection' => '', + + /** + * Referrer-Policy + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy + * + * Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', + * 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url' + */ + 'referrer-policy' => 'no-referrer', + + /** + * Cross-Origin-Embedder-Policy + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy + * + * Available Value: 'unsafe-none', 'require-corp', 'credentialless' + */ + 'cross-origin-embedder-policy' => 'unsafe-none', + + /** + * Cross-Origin-Opener-Policy + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy + * + * Available Value: 'unsafe-none', 'same-origin-allow-popups', 'same-origin' + */ + 'cross-origin-opener-policy' => 'unsafe-none', + + /** + * Cross-Origin-Resource-Policy + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy + * + * Available Value: 'same-site', 'same-origin', 'cross-origin' + */ + 'cross-origin-resource-policy' => 'cross-origin', + + /** + * Clear-Site-Data + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data + */ + 'clear-site-data' => [ + 'enable' => false, + + 'all' => false, + + 'cache' => true, + + 'clientHints' => true, + + 'cookies' => true, + + 'storage' => true, + + 'executionContexts' => true, + ], + + /** + * HTTP Strict Transport Security + * + * @see https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security + * + * Note: Please ensure your website had set up ssl/tls before enable hsts. 
+ */ + 'hsts' => [ + 'enable' => false, + + 'max-age' => 31536000, + + 'include-sub-domains' => false, + + 'preload' => false, + ], + + /** + * Reporting Endpoints + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints + * + * Note: The array key is the endpoint name, and the value is the URL. + */ + 'reporting' => [ + // 'csp' => 'https://example.com/csp-reports', + // 'nel' => 'https://example.com/nel-reports', + ], + + /** + * Network Error Logging + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Network_Error_Logging + * @see https://developer.mozilla.org/en-US/docs/Web/API/Reporting_API + */ + 'nel' => [ + 'enable' => false, + + // The name of reporting API, not the endpoint URL. + 'report-to' => '', + + 'max-age' => 86400, + + 'include-subdomains' => false, + + 'success-fraction' => 0.0, + + 'failure-fraction' => 1.0, + ], + + /** + * Expect-CT + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT + * @deprecated This feature is no longer recommended. 
+ */ + 'expect-ct' => [ + 'enable' => false, + + 'max-age' => 2147483648, + + 'enforce' => false, + + // report uri must be absolute-URI + 'report-uri' => null, + ], + + /** + * Permissions Policy + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy + */ + 'permissions-policy' => [ + 'enable' => true, + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/accelerometer + 'accelerometer' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor + 'ambient-light-sensor' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/attribution-reporting + 'attribution-reporting' => [ + 'none' => false, + + '*' => true, + + 'self' => false, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/autoplay + 'autoplay' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/bluetooth + 'bluetooth' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/browsing-topics + 'browsing-topics' => [ + 'none' => false, + + '*' => true, + + 'self' => false, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/camera + 'camera' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/compute-pressure + 'compute-pressure' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/compute-pressure + 'cross-origin-isolated' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/display-capture + 'display-capture' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain + 'document-domain' => [ + 'none' => false, + + '*' => true, + + 'self' => false, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/encrypted-media + 'encrypted-media' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/fullscreen + 'fullscreen' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad + 'gamepad' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/geolocation + 'geolocation' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gyroscope + 'gyroscope' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/hid + 'hid' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/identity-credentials-get + 'identity-credentials-get' => [ + 'none' => false, + + '*' => false, + + 'self' => 
true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/idle-detection + 'idle-detection' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/local-fonts + 'local-fonts' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/magnetometer + 'magnetometer' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/microphone + 'microphone' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/midi + 'midi' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/otp-credentials + 'otp-credentials' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/payment + 'payment' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture + 'picture-in-picture' => [ + 'none' => false, + + '*' => true, + + 'self' => false, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create + 'publickey-credentials-create' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get + 
'publickey-credentials-get' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock + 'screen-wake-lock' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/serial + 'serial' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/speaker-selection + 'speaker-selection' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/storage-access + 'storage-access' => [ + 'none' => false, + + '*' => true, + + 'self' => false, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/usb + 'usb' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share + 'web-share' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/window-management + 'window-management' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking + 'xr-spatial-tracking' => [ + 'none' => false, + + '*' => false, + + 'self' => true, + + 'origins' => [], + ], + ], + + /** + * Content Security Policy + * + * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP + */ + 'csp' => [ + 'enable' => true, + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only + 
'report-only' => false, + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to + 'report-to' => '', + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri + 'report-uri' => [ + // uri + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content + 'block-all-mixed-content' => false, + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests + 'upgrade-insecure-requests' => false, + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri + 'base-uri' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src + 'child-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src + 'connect-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src + 'default-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src + 'fenced-frame-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src + 'font-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action + 'form-action' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors + 'frame-ancestors' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src + 'frame-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src + 'img-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src + 
'manifest-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src + 'media-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src + 'object-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src + 'prefetch-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for + 'require-trusted-types-for' => [ + 'script' => false, + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox + 'sandbox' => [ + 'enable' => false, + + 'allow-downloads' => false, + + 'allow-forms' => false, + + 'allow-modals' => false, + + 'allow-orientation-lock' => false, + + 'allow-pointer-lock' => false, + + 'allow-popups' => false, + + 'allow-popups-to-escape-sandbox' => false, + + 'allow-presentation' => false, + + 'allow-same-origin' => false, + + 'allow-scripts' => false, + + 'allow-storage-access-by-user-activation' => false, + + 'allow-top-navigation' => false, + + 'allow-top-navigation-by-user-activation' => false, + + 'allow-top-navigation-to-custom-protocols' => false, + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src + 'script-src' => [ + 'none' => false, + + 'self' => false, + + 'report-sample' => false, + + 'allow' => [ + // 'url', + ], + + 'schemes' => [ + // 'data:', + // 'https:', + ], + + /* followings are only work for `script` and `style` related directives */ + + 'unsafe-inline' => false, + + 'unsafe-eval' => false, + + // https://www.w3.org/TR/CSP3/#unsafe-hashes-usage + 'unsafe-hashes' => false, + + // Enable `strict-dynamic` will *ignore* `self`, `unsafe-inline`, + // `allow` and `schemes`. 
You can find more information from: + // https://www.w3.org/TR/CSP3/#strict-dynamic-usage + 'strict-dynamic' => false, + + 'hashes' => [ + 'sha256' => [ + // 'sha256-hash-value-with-base64-encode', + ], + + 'sha384' => [ + // 'sha384-hash-value-with-base64-encode', + ], + + 'sha512' => [ + // 'sha512-hash-value-with-base64-encode', + ], + ], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr + 'script-src-attr' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem + 'script-src-elem' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src + 'style-src' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr + 'style-src-attr' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem + 'style-src-elem' => [ + // + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types + 'trusted-types' => [ + 'enable' => false, + + 'none' => false, + + 'allow-duplicates' => false, + + 'policies' => [ + // + ], + ], + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src + 'worker-src' => [ + // + ], + ], +];
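Review bot: `'csp' => ['enable' => true, ...]` is turned on while every directive beneath it (`default-src`, `script-src`, `frame-ancestors`, `object-src`, `base-uri`, ...) is left empty, so the emitted Content-Security-Policy either restricts nothing or is not sent at all depending on how the builder treats an empty policy — yet the file's own `@deprecated` comment on `x-frame-options` tells readers to rely on CSP instead, and that deprecated header is currently the only framing protection. At minimum set `'frame-ancestors' => ['self' => true]`, `'object-src' => ['none' => true]` and `'base-uri' => ['self' => true]`, which harden without affecting normal page rendering (confirm the forum's BBCode does not emit `<object>`/`<embed>` before enabling the second); populating `script-src`/`style-src` first needs an inventory of inline scripts, so `'report-only' => true` with a `report-uri` is the safer way to tune those. The `permissions-policy` entries that grant `'*' => true` (`attribution-reporting`, `browsing-topics`, `document-domain`, `storage-access`) opt every embedded origin into advertising/tracking APIs a forum has no use for; `'self' => true` or `'none' => true` would be the conservative choice. The `@see` comment above `'cross-origin-isolated'` was copy-pasted from `compute-pressure` and should read `https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/cross-origin-isolated`. The opening of the returned array (the `<?php`/`return [` lines and the entry the leading `'',` belongs to) is not visible in this view of the hunk.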