movie-night-nuevo/app/Http/Middleware/AddContentSecurityPolicy.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class AddContentSecurityPolicy
{
    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Build CSP header
        if (app()->environment('local')) {
            // Relaxed CSP for local development with Vite
            $csp = "script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; " .
                   "style-src 'self' 'unsafe-inline' http: https:; " .
                   "connect-src 'self' ws: http: https:;";
        } else {
            // Production CSP - Livewire v3 requires unsafe-eval
            $csp = "script-src 'self' 'unsafe-eval' https:; " .
                   "style-src 'self' 'unsafe-inline' https:; " .
                   "connect-src 'self' https:;";
        }

        $response->headers->set('Content-Security-Policy', $csp);

        return $response;
    }
}
fixed nonce 2025-12-14 13:38:12 -06:00			`<?php`

			`namespace App\Http\Middleware;`

			`use Closure;`
			`use Illuminate\Http\Request;`
			`use Symfony\Component\HttpFoundation\Response;`

			`class AddContentSecurityPolicy`
			`{`
			`/**`
			`* Handle an incoming request.`
			`*`
			`* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next`
			`*/`
			`public function handle(Request $request, Closure $next): Response`
			`{`
			`$response = $next($request);`

			`// Build CSP header`
			`if (app()->environment('local')) {`
			`// Relaxed CSP for local development with Vite`
			`$csp = "script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; " .`
			`"style-src 'self' 'unsafe-inline' http: https:; " .`
			`"connect-src 'self' ws: http: https:;";`
			`} else {`
undid nonce changes 2025-12-14 23:02:11 -06:00			`// Production CSP - Livewire v3 requires unsafe-eval`
			`$csp = "script-src 'self' 'unsafe-eval' https:; " .`
			`"style-src 'self' 'unsafe-inline' https:; " .`
			`"connect-src 'self' https:;";`
fixed nonce 2025-12-14 13:38:12 -06:00			`}`

			`$response->headers->set('Content-Security-Policy', $csp);`

			`return $response;`
			`}`
			`}`