feat: add app and database modules

app/Http/Middleware/SecurityHeaders.php

@@ -0,0 +1,77 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class SecurityHeaders
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  Closure(Request): (Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        $response = $next($request);
+
+        // 🛡️ SECURITY HEADERS
+
+        // Prevent Clickjacking
+        $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
+
+        // Prevent Mime-Type Sniffing
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+
+        // Cross-Site Scripting (XSS) Protection (for older browsers)
+        $response->headers->set('X-XSS-Protection', '1; mode=block');
+
+        // Referrer Policy
+        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
+
+        // Permissions Policy
+        $response->headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+
+        // Content Security Policy — enforced (current CDN stack requires unsafe-inline/eval)
+        $cdnSources = 'https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://cdn.datatables.net https://cdn.ckeditor.com https://unpkg.com https://code.jquery.com https://www.google.com https://www.gstatic.com';
+        $csp = implode('; ', [
+            "default-src 'self'",
+            "script-src 'self' 'unsafe-inline' 'unsafe-eval' {$cdnSources}",
+            "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://cdn.datatables.net https://unpkg.com https://fonts.googleapis.com",
+            "font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://cdnjs.cloudflare.com",
+            "img-src 'self' data: blob: https:",
+            "connect-src 'self' https://o*.ingest.sentry.io wss:",
+            "frame-src 'self' https://www.google.com",
+            "object-src 'none'",
+            "base-uri 'self'",
+            "form-action 'self'",
+        ]);
+        $response->headers->set('Content-Security-Policy', $csp);
+
+        // Report-Only: stricter policy (no unsafe-inline/eval) — violations logged in browser
+        // console without blocking users. Use this to audit inline scripts before tightening
+        // the enforced policy above.
+        $cspReportOnly = implode('; ', [
+            "default-src 'self'",
+            "script-src 'self' {$cdnSources}",
+            "style-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://cdn.datatables.net https://unpkg.com https://fonts.googleapis.com",
+            "font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://cdnjs.cloudflare.com",
+            "img-src 'self' data: blob: https:",
+            "connect-src 'self' https://o*.ingest.sentry.io wss:",
+            "frame-src 'self' https://www.google.com",
+            "object-src 'none'",
+            "base-uri 'self'",
+            "form-action 'self'",
+        ]);
+        $response->headers->set('Content-Security-Policy-Report-Only', $cspReportOnly);
+
+        // Strict-Transport-Security (Only if HTTPS)
+        if ($request->isSecure()) {
+            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+        }
+
+        return $response;
+    }
+}