headers->set('X-Content-Type-Options', 'nosniff'); $response->headers->set('X-Frame-Options', 'DENY'); $response->headers->set('X-XSS-Protection', '0'); $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin'); $response->headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()'); if ($request->isSecure() || app()->environment('production')) { $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); } $csp = config('security.csp'); if ($csp) { $headerName = config('security.csp_report_only') ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy'; $response->headers->set($headerName, $csp); } return $response; } }