Skip to content

fix(security): add CSP and HTTP security headers#197

Merged
TheBSD merged 1 commit into
mainfrom
security-enhance
Jun 20, 2026
Merged

fix(security): add CSP and HTTP security headers#197
TheBSD merged 1 commit into
mainfrom
security-enhance

Conversation

@TheBSD

@TheBSD TheBSD commented Jun 20, 2026

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • New Features

    • Implemented comprehensive security headers across all HTTP responses to enhance protection against common web vulnerabilities
    • Published security contact information and disclosure policy at a standard endpoint
  • Improvements

    • Google Analytics tracking now conditionally loads only in production environments
  • Tests

    • Added feature tests to validate security headers and contact endpoint

@coderabbitai

coderabbitai Bot commented Jun 20, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 102a2023-8497-4796-a3d2-bd9fa40024bb

📥 Commits

Reviewing files that changed from the base of the PR and between f8a3be3 and e7792ee.

📒 Files selected for processing (7)
  • .ai/mcp/mcp.json
  • app/Http/Middleware/SecurityHeaders.php
  • bootstrap/app.php
  • public/.well-known/security.txt
  • resources/views/components/app-layout.blade.php
  • routes/web.php
  • tests/Feature/SecurityHeadersTest.php

Walkthrough

Adds a SecurityHeaders middleware that sets CSP, CORP, COOP, Permissions-Policy, Referrer-Policy, X-Content-Type-Options, X-Frame-Options, and production-only HSTS, registered in the web stack. Introduces a /.well-known/security.txt route serving a static contact/expiry file. Guards the analytics partial behind a production+config check. Adds a local MCP dev tool config.

Changes

Security Hardening

Layer / File(s) Summary
SecurityHeaders middleware implementation and registration
app/Http/Middleware/SecurityHeaders.php, bootstrap/app.php, tests/Feature/SecurityHeadersTest.php
New SecurityHeaders middleware sets CSP (built by contentSecurityPolicy()), CORP, COOP, Permissions-Policy, Referrer-Policy, X-Content-Type-Options, X-Frame-Options, and conditional HSTS. Registered in the web middleware stack. Feature test asserts header presence and values on GET /.
security.txt static file and route
public/.well-known/security.txt, routes/web.php, tests/Feature/SecurityHeadersTest.php
Adds a security.txt with Contact, Expires, Canonical, and Preferred-Languages fields. A new GET /.well-known/security.txt route reads the file and responds with text/plain; charset=UTF-8. Feature test asserts HTTP 200, Contact line content, and Content-Type.
Analytics partial production guard
resources/views/components/app-layout.blade.php
Replaces the unconditional @include('partials.analytics') with a guard requiring both a configured Analytics ID and production environment.

Local MCP Dev Tool Config

Layer / File(s) Summary
MCP server config entry
.ai/mcp/mcp.json
Adds a laravel-boost MCP server entry pointing to a local PHP 8.3 binary and artisan boost:mcp command.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security-enhance

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@TheBSD TheBSD merged commit 20e2edd into main Jun 20, 2026
1 check was pending
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant