From eb9ed70be271ecee342ad66ff22d78b316179969 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:39:55 +0000 Subject: [PATCH 1/2] chore(deps): bump bepsvpt/secure-headers from 7.5.0 to 9.1.0 Bumps [bepsvpt/secure-headers](https://github.com/bepsvpt/secure-headers) from 7.5.0 to 9.1.0. - [Changelog](https://github.com/bepsvpt/secure-headers/blob/main/CHANGELOG.md) - [Upgrade guide](https://github.com/bepsvpt/secure-headers/blob/main/UPGRADE.md) - [Commits](https://github.com/bepsvpt/secure-headers/compare/7.5.0...9.1.0) --- updated-dependencies: - dependency-name: bepsvpt/secure-headers dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- composer.json | 2 +- composer.lock | 34 +++++++++++++++++++--------------- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/composer.json b/composer.json index 38fdec2..1f020f4 100644 --- a/composer.json +++ b/composer.json @@ -9,7 +9,7 @@ "require": { "php": "^8.2", "ext-curl": "*", - "bepsvpt/secure-headers": "^7.5", + "bepsvpt/secure-headers": "^9.1", "cviebrock/eloquent-sluggable": "^11.0", "fivefilters/readability.php": "^3.2", "guzzlehttp/guzzle": "^7.9", diff --git a/composer.lock b/composer.lock index 6796c38..ff4e008 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "9527dbc94e657216dd71652875cf402a", + "content-hash": "f7db15237c62a53ec0df6bfcaa4eb47e", "packages": [ { "name": "bacon/bacon-qr-code", @@ -62,29 +62,32 @@ }, { "name": "bepsvpt/secure-headers", - "version": "7.5.0", + "version": "9.1.0", "source": { "type": "git", "url": "https://github.com/bepsvpt/secure-headers.git", - "reference": "946c4050bae960ccc50579dd2d24a2ca3cb7cdf9" + "reference": "92499bf1df63a9b63ad3e1b49d4b4146ad367f0d" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/bepsvpt/secure-headers/zipball/946c4050bae960ccc50579dd2d24a2ca3cb7cdf9", - "reference": "946c4050bae960ccc50579dd2d24a2ca3cb7cdf9", + "url": "https://api.github.com/repos/bepsvpt/secure-headers/zipball/92499bf1df63a9b63ad3e1b49d4b4146ad367f0d", + "reference": "92499bf1df63a9b63ad3e1b49d4b4146ad367f0d", "shasum": "" }, "require": { - "php": "^7.0 || ^8.0" + "ext-json": "*", + "php": "^7.1 || ^8.0" }, "require-dev": { - "ergebnis/composer-normalize": "^2.42", - "ext-json": "*", + "ergebnis/composer-normalize": "^2.48", "ext-xdebug": "*", - "laravel/pint": "^1.14", - "orchestra/testbench": "^3.1 || ^4.18 || ^5.20 || ^6.43 || ^7.41 || ^8.22 || ^9.0", - "phpstan/phpstan": "^1.10", - "phpunit/phpunit": "^5.7 || ^6.5 || ^7.5 || ^8.5 || ^9.6 || ^10.5" + "laravel/pint": "^1.25", + "orchestra/testbench": "^3.1 || ^4.18 || ^5.20 || ^6.47 || ^7.55 || ^8.36 || ^9.15 || ^10.6 || ^11.0", + "phpstan/extension-installer": "^1.4", + "phpstan/phpstan": "^2.1", + "phpstan/phpstan-deprecation-rules": "^2.0", + "phpstan/phpstan-phpunit": "^2.0", + "phpunit/phpunit": "^5.7 || ^6.5 || ^7.5 || ^8.5 || ^9.6 || ^10.5 || ^11.5 || ^12.4" }, "type": "library", "extra": { @@ -109,7 +112,7 @@ "authors": [ { "name": "bepsvpt", - "email": "og7lsrszah6y3lz@infinitefa.email" + "email": "6ibrl@cpp.tw" } ], "description": "Add security related headers to HTTP response. The package includes Service Providers for easy Laravel integration.", @@ -124,11 +127,12 @@ "hsts", "https", "laravel", + "permissions-policy", "referrer-policy" ], "support": { "issues": "https://github.com/bepsvpt/secure-headers/issues", - "source": "https://github.com/bepsvpt/secure-headers/tree/7.5.0" + "source": "https://github.com/bepsvpt/secure-headers/tree/9.1.0" }, "funding": [ { @@ -136,7 +140,7 @@ "type": "open_collective" } ], - "time": "2024-03-14T01:20:05+00:00" + "time": "2026-03-17T22:51:53+00:00" }, { "name": "brick/math", From 07164200fd7116c2891d937c91eb04a7842be348 Mon Sep 17 00:00:00 2001 From: Sebastien Dubois Date: Wed, 17 Jun 2026 14:52:41 +0200 Subject: [PATCH 2/2] chore(deps): migrate secure-headers config for v9 upgrade bepsvpt/secure-headers 7.5 -> 9.1 restructures the config: - drop removed Permissions-Policy directives (battery, execution-while-*, navigation-override, sync-xhr) and non-standard ones no longer shipped - add new Permissions-Policy directives, locked down (=()) to preserve Knowii's deny-by-default posture - drop CSP navigate-to/plugin-types (no longer whitelisted; were no-ops) - restructure CSP sandbox and trusted-types to the v8+ shape - add X-DNS-Prefetch-Control, Reporting-Endpoints, NEL, clear-site-data clientHints Verified: generated CSP header is byte-identical; Permissions-Policy curated self allow-list unchanged. --- config/secure-headers.php | 181 ++++++++++++++++++-------------------- 1 file changed, 86 insertions(+), 95 deletions(-) diff --git a/config/secure-headers.php b/config/secure-headers.php index abf8b4e..44a8a8b 100644 --- a/config/secure-headers.php +++ b/config/secure-headers.php @@ -22,6 +22,18 @@ 'x-content-type-options' => 'nosniff', + /* + * X-DNS-Prefetch-Control + * + * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control + * + * Available Value: 'on', 'off' + * + * Note: when value is empty string, it will not add to response header + */ + + 'x-dns-prefetch-control' => '', + /* * X-Download-Options * @@ -95,7 +107,7 @@ * * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy * - * Available Value: 'unsafe-none', 'require-corp' + * Available Value: 'unsafe-none', 'require-corp', 'credentialless' */ 'cross-origin-embedder-policy' => 'unsafe-none', @@ -127,6 +139,7 @@ 'enable' => false, 'all' => false, 'cache' => true, + 'clientHints' => true, 'cookies' => true, 'storage' => true, 'executionContexts' => true, @@ -147,6 +160,40 @@ 'preload' => true, ], + /* + * Reporting Endpoints + * + * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints + * + * Note: The array key is the endpoint name, and the value is the URL. + */ + + 'reporting' => [ + // 'csp' => 'https://example.com/csp-reports', + // 'nel' => 'https://example.com/nel-reports', + ], + + /* + * Network Error Logging + * + * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Network_Error_Logging + */ + + 'nel' => [ + 'enable' => false, + + // The name of reporting API, not the endpoint URL. + 'report-to' => '', + + 'max-age' => 86400, + + 'include-subdomains' => false, + + 'success-fraction' => 0.0, + + 'failure-fraction' => 1.0, + ], + /* * Expect-CT * @@ -165,12 +212,15 @@ * Permissions Policy * * Reference: https://w3c.github.io/webappsec-permissions-policy/ + * + * Note: Knowii intentionally locks down every feature (=()) by default and + * only allows `self` for the handful of features the app actually needs. + * New features introduced by the package default to locked-down (self => false). */ 'permissions-policy' => [ 'enable' => true, - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/accelerometer 'accelerometer' => [ 'none' => false, '*' => false, @@ -178,7 +228,6 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor 'ambient-light-sensor' => [ 'none' => false, '*' => false, @@ -186,51 +235,48 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/autoplay - 'autoplay' => [ + 'attribution-reporting' => [ 'none' => false, '*' => false, - 'self' => true, + 'self' => false, 'origins' => [], ], - 'battery' => [ + 'autoplay' => [ 'none' => false, '*' => false, - 'self' => false, + 'self' => true, 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/camera - 'camera' => [ + 'bluetooth' => [ 'none' => false, '*' => false, - 'self' => true, + 'self' => false, 'origins' => [], ], - 'clipboard-read' => [ + 'browsing-topics' => [ 'none' => false, '*' => false, - 'self' => true, + 'self' => false, 'origins' => [], ], - 'clipboard-write' => [ + 'camera' => [ 'none' => false, '*' => false, 'self' => true, 'origins' => [], ], - 'conversion-measurement' => [ + 'compute-pressure' => [ 'none' => false, '*' => false, 'self' => false, 'origins' => [], ], - // https://www.chromestatus.com/feature/5690888397258752 'cross-origin-isolated' => [ 'none' => false, '*' => false, @@ -238,7 +284,6 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/display-capture 'display-capture' => [ 'none' => false, '*' => false, @@ -253,7 +298,6 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/encrypted-media 'encrypted-media' => [ 'none' => false, '*' => false, @@ -261,28 +305,6 @@ 'origins' => [], ], - 'execution-while-not-rendered' => [ - 'none' => false, - '*' => false, - 'self' => false, - 'origins' => [], - ], - - 'execution-while-out-of-viewport' => [ - 'none' => false, - '*' => false, - 'self' => false, - 'origins' => [], - ], - - 'focus-without-user-activation' => [ - 'none' => false, - '*' => false, - 'self' => false, - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/fullscreen 'fullscreen' => [ 'none' => false, '*' => false, @@ -297,7 +319,6 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/geolocation 'geolocation' => [ 'none' => false, '*' => false, @@ -305,7 +326,6 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/gyroscope 'gyroscope' => [ 'none' => false, '*' => false, @@ -320,28 +340,27 @@ 'origins' => [], ], - 'idle-detection' => [ + 'identity-credentials-get' => [ 'none' => false, '*' => false, 'self' => false, 'origins' => [], ], - 'interest-cohort' => [ + 'idle-detection' => [ 'none' => false, '*' => false, 'self' => false, 'origins' => [], ], - 'keyboard-map' => [ + 'local-fonts' => [ 'none' => false, '*' => false, 'self' => false, 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/magnetometer 'magnetometer' => [ 'none' => false, '*' => false, @@ -349,7 +368,6 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/microphone 'microphone' => [ 'none' => false, '*' => false, @@ -357,7 +375,6 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/midi 'midi' => [ 'none' => false, '*' => false, @@ -365,14 +382,13 @@ 'origins' => [], ], - 'navigation-override' => [ + 'otp-credentials' => [ 'none' => false, '*' => false, 'self' => false, 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/payment 'payment' => [ 'none' => false, '*' => false, @@ -380,7 +396,6 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/picture-in-picture 'picture-in-picture' => [ 'none' => false, '*' => false, @@ -388,22 +403,20 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/publickey-credentials-get - 'publickey-credentials-get' => [ + 'publickey-credentials-create' => [ 'none' => false, '*' => false, 'self' => false, 'origins' => [], ], - 'serial' => [ + 'publickey-credentials-get' => [ 'none' => false, '*' => false, 'self' => false, 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/screen-wake-lock 'screen-wake-lock' => [ 'none' => false, '*' => false, @@ -411,43 +424,27 @@ 'origins' => [], ], - 'speaker-selection' => [ - 'none' => false, - '*' => false, - 'self' => false, - 'origins' => [], - ], - - 'sync-script' => [ - 'none' => false, - '*' => false, - 'self' => false, - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/sync-xhr - 'sync-xhr' => [ + 'serial' => [ 'none' => false, '*' => false, 'self' => false, 'origins' => [], ], - 'trust-token-redemption' => [ + 'speaker-selection' => [ 'none' => false, '*' => false, 'self' => false, 'origins' => [], ], - 'unload' => [ + 'storage-access' => [ 'none' => false, '*' => false, 'self' => false, 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/usb 'usb' => [ 'none' => false, '*' => false, @@ -455,15 +452,6 @@ 'origins' => [], ], - // https://github.com/w3c/webappsec-permissions-policy/blob/main/policies/vertical_scroll.md - 'vertical-scroll' => [ - 'none' => false, - '*' => false, - 'self' => true, - 'origins' => [], - ], - - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share 'web-share' => [ 'none' => false, '*' => false, @@ -471,7 +459,6 @@ 'origins' => [], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy/window-management 'window-management' => [ 'none' => false, '*' => false, @@ -507,6 +494,9 @@ // uri ], + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content + 'block-all-mixed-content' => false, + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests 'upgrade-insecure-requests' => false, @@ -544,6 +534,11 @@ 'self' => true, ], + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src + 'fenced-frame-src' => [ + // + ], + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src 'font-src' => [ 'self' => true, @@ -608,19 +603,14 @@ ], ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to - 'navigate-to' => [ - 'unsafe-allow-redirects' => false, - ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src 'object-src' => [ // ], - // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types - 'plugin-types' => [ - // 'application/pdf', + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src + 'prefetch-src' => [ + // ], // https://w3c.github.io/webappsec-trusted-types/dist/spec/#integration-with-content-security-policy @@ -631,7 +621,7 @@ // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox 'sandbox' => [ 'enable' => false, - 'allow-downloads-without-user-activation' => false, + 'allow-downloads' => false, 'allow-forms' => false, 'allow-modals' => false, 'allow-orientation-lock' => false, @@ -644,6 +634,7 @@ 'allow-storage-access-by-user-activation' => false, 'allow-top-navigation' => false, 'allow-top-navigation-by-user-activation' => false, + 'allow-top-navigation-to-custom-protocols' => false, ], // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src @@ -721,11 +712,11 @@ // ], - // https://w3c.github.io/webappsec-trusted-types/dist/spec/#trusted-types-csp-directive + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types 'trusted-types' => [ 'enable' => false, + 'none' => false, 'allow-duplicates' => false, - 'default' => false, 'policies' => [ // ],