snipe-it/app/Http/Middleware/SecurityHeaders.php

<?php

namespace App\Http\Middleware;

use Closure;

class SecurityHeaders
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */

    // See https://securityheaders.com/
    private $unwantedHeaderList = [
        'X-Powered-By',
        'Server',
    ];

    public function handle($request, Closure $next)
    {
        $this->removeUnwantedHeaders($this->unwantedHeaderList);
        $response = $next($request);

        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->headers->set('X-XSS-Protection', '1; mode=block');
        $response->headers->set('Feature-Policy', 'self');

        // Defaults to same-origin if REFERRER_POLICY is not set in the .env
        $response->headers->set('Referrer-Policy', config('app.referrer_policy'));

        // The .env var ALLOW_IFRAMING  defaults to false (which disallows IFRAMING)
        // if not present, but some unique cases require this to be enabled.
        // For example, some IT depts have IFRAMED Snipe-IT into their IT portal
        // for convenience so while it is normally disallowed, there is
        // an override that exists.

        if (config('app.allow_iframing') == false) {
            $response->headers->set('X-Frame-Options', 'DENY');
        }


        // This defaults to false to maintain backwards compatibility
        // people who are not running Snipe-IT over TLS (shame, shame, shame!)
        // Seriously though, please run Snipe-IT over TLS. Let's Encrypt is free.
        // https://letsencrypt.org

        if (config('app.enable_hsts') === true) {
            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }

        // We have to exclude debug mode here because debugbar pulls from a CDN or two
        // and it will break things.

        if ((config('app.debug')!='true')  || (config('app.enable_csp')=='true')) {
            $policy[] = "default-src 'self'";
            $policy[] = "style-src 'self' 'unsafe-inline'";
            $policy[] = "script-src 'self' 'unsafe-inline'";
            $policy[] = "connect-src 'self'";
            $policy[] = "object-src 'none'";
            $policy[] = "font-src 'self' data:";
            $policy[] = "img-src 'self' data: gravatar.com";
            $policy = join(';', $policy);
            $response->headers->set('Content-Security-Policy', $policy);
        }

        return $response;
    }

    private function removeUnwantedHeaders($headerList)
    {
        foreach ($headerList as $header)
            header_remove($header);
    }
}
Additional security headers 2020-06-22 22:31:01 -07:00			`<?php`

			`namespace App\Http\Middleware;`

			`use Closure;`

			`class SecurityHeaders`
			`{`
			`/**`
			`* Handle an incoming request.`
			`*`
			`* @param \Illuminate\Http\Request $request`
			`* @param \Closure $next`
			`* @return mixed`
			`*/`

Changed comment 2020-06-22 22:37:14 -07:00			`// See https://securityheaders.com/`
Additional security headers 2020-06-22 22:31:01 -07:00			`private $unwantedHeaderList = [`
			`'X-Powered-By',`
			`'Server',`
			`];`

			`public function handle($request, Closure $next)`
			`{`
			`$this->removeUnwantedHeaders($this->unwantedHeaderList);`
			`$response = $next($request);`
Added a few more comments 2020-06-23 00:26:09 -07:00
Additional security headers 2020-06-22 22:31:01 -07:00			`$response->headers->set('X-Content-Type-Options', 'nosniff');`
			`$response->headers->set('X-XSS-Protection', '1; mode=block');`
Config variable for HSTS 2020-06-22 23:17:27 -07:00			`$response->headers->set('Feature-Policy', 'self');`
Additional security headers 2020-06-22 22:31:01 -07:00
Added a few more comments 2020-06-23 00:26:09 -07:00			`// Defaults to same-origin if REFERRER_POLICY is not set in the .env`
			`$response->headers->set('Referrer-Policy', config('app.referrer_policy'));`

			`// The .env var ALLOW_IFRAMING defaults to false (which disallows IFRAMING)`
			`// if not present, but some unique cases require this to be enabled.`
			`// For example, some IT depts have IFRAMED Snipe-IT into their IT portal`
			`// for convenience so while it is normally disallowed, there is`
			`// an override that exists.`

Additional security headers 2020-06-22 22:31:01 -07:00			`if (config('app.allow_iframing') == false) {`
			`$response->headers->set('X-Frame-Options', 'DENY');`
			`}`

Config variable for HSTS 2020-06-22 23:17:27 -07:00
			`// This defaults to false to maintain backwards compatibility`
			`// people who are not running Snipe-IT over TLS (shame, shame, shame!)`
			`// Seriously though, please run Snipe-IT over TLS. Let's Encrypt is free.`
			`// https://letsencrypt.org`

			`if (config('app.enable_hsts') === true) {`
			`$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');`
			`}`

			`// We have to exclude debug mode here because debugbar pulls from a CDN or two`
			`// and it will break things.`
Added a few more comments 2020-06-23 00:26:09 -07:00
Config variable for HSTS 2020-06-22 23:17:27 -07:00			`if ((config('app.debug')!='true') \|\| (config('app.enable_csp')=='true')) {`
			`$policy[] = "default-src 'self'";`
			`$policy[] = "style-src 'self' 'unsafe-inline'";`
			`$policy[] = "script-src 'self' 'unsafe-inline'";`
			`$policy[] = "connect-src 'self'";`
			`$policy[] = "object-src 'none'";`
			`$policy[] = "font-src 'self' data:";`
			`$policy[] = "img-src 'self' data: gravatar.com";`
			`$policy = join(';', $policy);`
			`$response->headers->set('Content-Security-Policy', $policy);`
			`}`
Additional security headers 2020-06-22 22:31:01 -07:00
			`return $response;`
			`}`

			`private function removeUnwantedHeaders($headerList)`
			`{`
			`foreach ($headerList as $header)`
			`header_remove($header);`
			`}`
			`}`