headers->get('X-Request-Id', ''); if ($requestId !== '' && ! preg_match('/^[A-Za-z0-9._:-]{1,128}$/', $requestId)) { $response = response()->json(['message' => 'Invalid request id.'], 400); $this->applySecurityHeaders($request, $response); return $response; } /** @var Response $response */ $response = $next($request); $this->applySecurityHeaders($request, $response); if ($requestId !== '') { $response->headers->set('X-Request-Id', $requestId); } return $response; } private function applySecurityHeaders(Request $request, Response $response): void { $headers = $response->headers; $headers->set('X-Content-Type-Options', 'nosniff'); $headers->set('X-Frame-Options', 'DENY'); $headers->set('Referrer-Policy', 'strict-origin-when-cross-origin'); $headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()'); if ($request->isSecure()) { $headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); } } }