Move security headers from Caddyfiles to PHP middleware by Copilot · Pull Request #7820 · nextcloud/all-in-one
- Add SecurityHeadersMiddleware that sets Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, X-Permitted-Cross-Domain-Policies, X-DNS-Prefetch-Control, Referrer-Policy, and X-Robots-Tag on all responses - Register SecurityHeadersMiddleware in index.php - Add click-handlers.js for CSP-compliant event handling (data-confirm, data-stop-event-propagation) - Update toggle-dark-mode.js to attach click handler via addEventListener - Remove inline onclick from theme toggle button in layout.twig - Replace all inline onclick with data-confirm in containers.twig, community-containers.twig, and optional-containers.twig Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com> Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d87889ba-d2ad-4d76-b257-2afd725dac28