profile($request, $handler); // Standard security headers $response = $response->withHeader('X-Content-Type-Options', 'nosniff') ->withHeader('X-Frame-Options', 'SAMEORIGIN') ->withHeader('X-XSS-Protection', '1; mode=block') ->withHeader('Referrer-Policy', 'no-referrer-when-downgrade') ->withHeader('Content-Security-Policy', $this->config->get('security.csp', "default-src 'self'")); if ($this->config->get('security.hsts', true)) { $response = $response->withHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); } return $response; } }