movie-night-nuevo/app/Http/Middleware/AddContentSecurityPolicy.php

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class AddContentSecurityPolicy
{
    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next): Response
    {
        // Generate a random nonce for this request
        $nonce = base64_encode(random_bytes(16));

        // Store nonce in request attributes so Livewire can access it
        $request->attributes->set('csp-nonce', $nonce);

        // Get the response
        $response = $next($request);

        // Build CSP header
        if (app()->environment('local')) {
            // Relaxed CSP for local development with Vite
            $csp = "script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; " .
                   "style-src 'self' 'unsafe-inline' http: https:; " .
                   "connect-src 'self' ws: http: https:;";
        } else {
            // Strict CSP for production with nonces
            $scriptSrc = "'self' 'nonce-{$nonce}' https:";
            $styleSrc = "'self' 'unsafe-inline' https:";
            $connectSrc = "'self' https:";

            $csp = "script-src {$scriptSrc}; style-src {$styleSrc}; connect-src {$connectSrc};";
        }

        $response->headers->set('Content-Security-Policy', $csp);

        return $response;
    }
}
fixed nonce 2025-12-14 13:38:12 -06:00			`<?php`

			`namespace App\Http\Middleware;`

			`use Closure;`
			`use Illuminate\Http\Request;`
			`use Symfony\Component\HttpFoundation\Response;`

			`class AddContentSecurityPolicy`
			`{`
			`/**`
			`* Handle an incoming request.`
			`*`
			`* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next`
			`*/`
			`public function handle(Request $request, Closure $next): Response`
			`{`
			`// Generate a random nonce for this request`
			`$nonce = base64_encode(random_bytes(16));`

			`// Store nonce in request attributes so Livewire can access it`
			`$request->attributes->set('csp-nonce', $nonce);`

			`// Get the response`
			`$response = $next($request);`

			`// Build CSP header`
			`if (app()->environment('local')) {`
			`// Relaxed CSP for local development with Vite`
			`$csp = "script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; " .`
			`"style-src 'self' 'unsafe-inline' http: https:; " .`
			`"connect-src 'self' ws: http: https:;";`
			`} else {`
			`// Strict CSP for production with nonces`
			`$scriptSrc = "'self' 'nonce-{$nonce}' https:";`
			`$styleSrc = "'self' 'unsafe-inline' https:";`
			`$connectSrc = "'self' https:";`

			`$csp = "script-src {$scriptSrc}; style-src {$styleSrc}; connect-src {$connectSrc};";`
			`}`

			`$response->headers->set('Content-Security-Policy', $csp);`

			`return $response;`
			`}`
			`}`