Added a few more comments
This commit is contained in:
parent
05b3a9ad7e
commit
00b051b8c7
|
@ -25,11 +25,19 @@ class SecurityHeaders
|
||||||
$this->removeUnwantedHeaders($this->unwantedHeaderList);
|
$this->removeUnwantedHeaders($this->unwantedHeaderList);
|
||||||
$response = $next($request);
|
$response = $next($request);
|
||||||
|
|
||||||
$response->headers->set('Referrer-Policy', config('app.referrer_policy'));
|
|
||||||
$response->headers->set('X-Content-Type-Options', 'nosniff');
|
$response->headers->set('X-Content-Type-Options', 'nosniff');
|
||||||
$response->headers->set('X-XSS-Protection', '1; mode=block');
|
$response->headers->set('X-XSS-Protection', '1; mode=block');
|
||||||
$response->headers->set('Feature-Policy', 'self');
|
$response->headers->set('Feature-Policy', 'self');
|
||||||
|
|
||||||
|
// Defaults to same-origin if REFERRER_POLICY is not set in the .env
|
||||||
|
$response->headers->set('Referrer-Policy', config('app.referrer_policy'));
|
||||||
|
|
||||||
|
// The .env var ALLOW_IFRAMING defaults to false (which disallows IFRAMING)
|
||||||
|
// if not present, but some unique cases require this to be enabled.
|
||||||
|
// For example, some IT depts have IFRAMED Snipe-IT into their IT portal
|
||||||
|
// for convenience so while it is normally disallowed, there is
|
||||||
|
// an override that exists.
|
||||||
|
|
||||||
if (config('app.allow_iframing') == false) {
|
if (config('app.allow_iframing') == false) {
|
||||||
$response->headers->set('X-Frame-Options', 'DENY');
|
$response->headers->set('X-Frame-Options', 'DENY');
|
||||||
}
|
}
|
||||||
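Review bot: The new comment block above the `allow_iframing` check explains when framing is enabled but not what protection is lost: with `ALLOW_IFRAMING` true the code simply omits `X-Frame-Options`, so any origin can frame the application, not only the IT portal the comment mentions. I would extend the comment with `// When enabled, no X-Frame-Options header is sent at all, so any site can frame Snipe-IT;` and `// restrict the permitted origins (e.g. a CSP frame-ancestors directive) where the deployment allows it.` — whether the CSP assembled further down already covers this is not visible in this hunk. The `// Defaults to same-origin if REFERRER_POLICY is not set in the .env` comment describes a default that is applied somewhere other than this file; a pointer such as `// (default defined in config/app.php)` would tell a reader where to change it, assuming that is where the config key lives. Minor style point: `config('app.allow_iframing') == false` is a loose comparison, and `if (! config('app.allow_iframing'))` reads more clearly while treating a missing value the same way.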
|
@ -46,6 +54,7 @@ class SecurityHeaders
|
||||||
|
|
||||||
// We have to exclude debug mode here because debugbar pulls from a CDN or two
|
// We have to exclude debug mode here because debugbar pulls from a CDN or two
|
||||||
// and it will break things.
|
// and it will break things.
|
||||||
|
|
||||||
if ((config('app.debug')!='true') || (config('app.enable_csp')=='true')) {
|
if ((config('app.debug')!='true') || (config('app.enable_csp')=='true')) {
|
||||||
$policy[] = "default-src 'self'";
|
$policy[] = "default-src 'self'";
|
||||||
$policy[] = "style-src 'self' 'unsafe-inline'";
|
$policy[] = "style-src 'self' 'unsafe-inline'";
|
||||||
|
|