Phred/src/Http/Middleware/Security/SecureHeadersMiddleware.php

<?php
declare(strict_types=1);

namespace Phred\Http\Middleware\Security;

use Phred\Http\Middleware\Middleware;
use Phred\Support\Contracts\ConfigInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;

/**
 * Middleware to add common security headers to the response.
 */
final class SecureHeadersMiddleware extends Middleware
{
    public function __construct(
        private readonly ConfigInterface $config
    ) {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $response = $handler->handle($request);

        // Standard security headers
        $response = $response->withHeader('X-Content-Type-Options', 'nosniff')
            ->withHeader('X-Frame-Options', 'SAMEORIGIN')
            ->withHeader('X-XSS-Protection', '1; mode=block')
            ->withHeader('Referrer-Policy', 'no-referrer-when-downgrade')
            ->withHeader('Content-Security-Policy', $this->config->get('security.csp', "default-src 'self'"));

        if ($this->config->get('security.hsts', true)) {
            $response = $response->withHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }

        return $response;
    }
}
feat: implement M9 & M10 (CLI, Scaffolding, Security, JWT) and standardize middleware - Implement full suite of 'phred' CLI generators and utility commands (M9). - Refactor scaffolding logic to use external stubs in 'src/stubs'. - Add security hardening via SecureHeaders, Csrf, and CORS middleware (M10). - Implement JWT token issuance and validation service with lcobucci/jwt. - Integrate 'getphred/flagpole' for feature flag support. - Introduce abstract 'Middleware' base class for standardized PSR-15 implementation. - Add robust driver validation to OrmServiceProvider. - Fix JwtTokenService claims access and validation constraints. - Update MILESTONES.md status. 2025-12-22 21:52:41 +00:00			`<?php`
			`declare(strict_types=1);`

			`namespace Phred\Http\Middleware\Security;`

			`use Phred\Http\Middleware\Middleware;`
			`use Phred\Support\Contracts\ConfigInterface;`
			`use Psr\Http\Message\ResponseInterface;`
			`use Psr\Http\Message\ServerRequestInterface;`
			`use Psr\Http\Server\RequestHandlerInterface;`

			`/**`
			`* Middleware to add common security headers to the response.`
			`*/`
			`final class SecureHeadersMiddleware extends Middleware`
			`{`
			`public function __construct(`
			`private readonly ConfigInterface $config`
			`) {}`

			`public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface`
			`{`
			`$response = $handler->handle($request);`

			`// Standard security headers`
			`$response = $response->withHeader('X-Content-Type-Options', 'nosniff')`
			`->withHeader('X-Frame-Options', 'SAMEORIGIN')`
			`->withHeader('X-XSS-Protection', '1; mode=block')`
			`->withHeader('Referrer-Policy', 'no-referrer-when-downgrade')`
			`->withHeader('Content-Security-Policy', $this->config->get('security.csp', "default-src 'self'"));`

			`if ($this->config->get('security.hsts', true)) {`
			`$response = $response->withHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');`
			`}`

			`return $response;`
			`}`
			`}`