ENHANCEMENT: added CSP again

config/services.yaml

@@ -5,6 +5,9 @@
 # https://symfony.com/doc/current/best_practices.html#use-parameters-for-application-configuration
 parameters:
     enabled_locales: 'en|nl'
+    security:
+        csp_policy: "default-src 'none'; font-src 'self' data:; style-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; form-action 'self'; require-trusted-types-for 'script'; frame-ancestors 'none'; base-uri 'none'"
+        referer_policy: "same-origin"
 
 services:
     # default configuration for services in *this* file

src/EventSubscriber/LocaleSubscriber.php

@@ -1,6 +1,5 @@
 <?php
 
-// src/EventSubscriber/LocaleSubscriber.php
 namespace App\EventSubscriber;
 
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;

src/EventSubscriber/SecurityHeadersSubscriber.php

@@ -0,0 +1,35 @@
+<?php
+
+namespace App\EventSubscriber;
+
+use Symfony\Component\DependencyInjection\ParameterBag\ContainerBagInterface;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpKernel\Event\ResponseEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+class SecurityHeadersSubscriber implements EventSubscriberInterface
+{
+    private $params;
+
+    public function __construct(ContainerBagInterface $params)
+    {
+        $this->params = $params;
+    }
+
+    public function onResponse(ResponseEvent $event)
+    {
+        $response = $event->getResponse();
+        $securitypolicy = $this->params->get('security');
+        $csp = $securitypolicy['csp_policy'];
+        $referer = $securitypolicy['referer_policy'];
+        $response->headers->set("Content-Security-Policy", $csp);
+        $response->headers->set("Referrer-Policy", $referer);
+    }
+
+    public static function getSubscribedEvents()
+    {
+        return [
+            KernelEvents::RESPONSE => 'onResponse'
+        ];
+    }
+}