attributes->set('csp-nonce', $nonce); // Get the response $response = $next($request); // Build CSP header if (app()->environment('local')) { // Relaxed CSP for local development with Vite $csp = "script-src 'self' 'unsafe-inline' 'unsafe-eval' http: https:; " . "style-src 'self' 'unsafe-inline' http: https:; " . "connect-src 'self' ws: http: https:;"; } else { // Strict CSP for production with nonces $scriptSrc = "'self' 'nonce-{$nonce}' https:"; $styleSrc = "'self' 'unsafe-inline' https:"; $connectSrc = "'self' https:"; $csp = "script-src {$scriptSrc}; style-src {$styleSrc}; connect-src {$connectSrc};"; } $response->headers->set('Content-Security-Policy', $csp); return $response; } }