diff --git a/.env.example b/.env.example
index 35f2277b37..936eb4b29d 100644
--- a/.env.example
+++ b/.env.example
@@ -63,7 +63,13 @@ ENCRYPT=false
COOKIE_NAME=snipeit_session
COOKIE_DOMAIN=null
SECURE_COOKIES=false
+
+
+# --------------------------------------------
+# OPTIONAL: SECURITY HEADER SETTINGS
+# --------------------------------------------
REFERRER_POLICY=strict-origin
+DISABLE_CSP=false
# --------------------------------------------
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index f46813734b..b305ef94e2 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -20,6 +20,7 @@ class Kernel extends HttpKernel
\App\Http\Middleware\FrameGuard::class,
\App\Http\Middleware\XssProtectHeader::class,
\App\Http\Middleware\ReferrerPolicyHeader::class,
+ \App\Http\Middleware\ContentSecurityPolicyHeader::class,
\App\Http\Middleware\NosniffGuard::class,
\App\Http\Middleware\CheckForSetup::class,
\Fideloper\Proxy\TrustProxies::class,
diff --git a/app/Http/Middleware/ContentSecurityPolicyHeader.php b/app/Http/Middleware/ContentSecurityPolicyHeader.php
new file mode 100644
index 0000000000..a85c430e63
--- /dev/null
+++ b/app/Http/Middleware/ContentSecurityPolicyHeader.php
@@ -0,0 +1,35 @@
+headers->set('Content-Security-Policy', $policy);
+ return $response;
+ }
+}
diff --git a/config/app.php b/config/app.php
index 451fd17de1..39f92f0087 100755
--- a/config/app.php
+++ b/config/app.php
@@ -169,6 +169,24 @@ return [
'referrer_policy' => env('REFERRER_POLICY', 'strict-origin'),
+ /*
+ |--------------------------------------------------------------------------
+ | CSP
+ |--------------------------------------------------------------------------
+ |
+ | Disable the content security policy that restricts what scripts, images
+ | and styles can load. (This should be left as false if you don't know
+ | what this means.)
+ |
+ | Read more: https://www.w3.org/TR/CSP/
+ | Read more: https://content-security-policy.com
+ |
+ */
+
+ 'disable_csp' => env('DISABLE_CSP', false),
+
+
+
/*
|--------------------------------------------------------------------------
diff --git a/public/.htaccess b/public/.htaccess
index eafa69a6e6..513d3714c4 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -5,10 +5,12 @@
RewriteEngine On
- # Uncomment these two lines to force SSL redirect
+ # Uncomment these two lines to force SSL redirect in Apache
# RewriteCond %{HTTPS} off
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+
+
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
@@ -21,4 +23,11 @@
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+ # Security Headers
+ Header set Strict-Transport-Security "max-age=2592000" env=HTTPS
+ Header set X-XSS-Protection "1; mode=block"
+ Header set X-Content-Type-Options nosniff
+ Header set X-Permitted-Cross-Domain-Policies "master-only"
+
diff --git a/resources/views/account/accept-asset.blade.php b/resources/views/account/accept-asset.blade.php
index fcb4d3ec56..f7602b5cdb 100644
--- a/resources/views/account/accept-asset.blade.php
+++ b/resources/views/account/accept-asset.blade.php
@@ -94,7 +94,7 @@
@section('moar_scripts')
-
-@endsection
\ No newline at end of file
+@endsection
diff --git a/resources/views/account/requestable-assets.blade.php b/resources/views/account/requestable-assets.blade.php
index 31b69cf53a..6d492fad86 100644
--- a/resources/views/account/requestable-assets.blade.php
+++ b/resources/views/account/requestable-assets.blade.php
@@ -149,7 +149,7 @@
@section('moar_scripts')
-
-