Config variable for HSTS

This commit is contained in:
snipe 2020-06-22 23:17:27 -07:00
parent 4fb880384f
commit 05b3a9ad7e
No known key found for this signature in database
GPG key ID: 10BFFDA3ED34B5AC
3 changed files with 49 additions and 19 deletions

View file

@ -71,6 +71,7 @@ ALLOW_IFRAMING=false
REFERRER_POLICY=same-origin REFERRER_POLICY=same-origin
ENABLE_CSP=false ENABLE_CSP=false
CORS_ALLOWED_ORIGINS=null CORS_ALLOWED_ORIGINS=null
ENABLE_HSTS=false
# -------------------------------------------- # --------------------------------------------
# OPTIONAL: CACHE SETTINGS # OPTIONAL: CACHE SETTINGS

View file

@ -24,24 +24,39 @@ class SecurityHeaders
{ {
$this->removeUnwantedHeaders($this->unwantedHeaderList); $this->removeUnwantedHeaders($this->unwantedHeaderList);
$response = $next($request); $response = $next($request);
$response->headers->set('Referrer-Policy', config('app.referrer_policy')); $response->headers->set('Referrer-Policy', config('app.referrer_policy'));
$response->headers->set('X-Content-Type-Options', 'nosniff'); $response->headers->set('X-Content-Type-Options', 'nosniff');
$response->headers->set('X-XSS-Protection', '1; mode=block'); $response->headers->set('X-XSS-Protection', '1; mode=block');
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); $response->headers->set('Feature-Policy', 'self');
if (config('app.allow_iframing') == false) { if (config('app.allow_iframing') == false) {
$response->headers->set('X-Frame-Options', 'DENY'); $response->headers->set('X-Frame-Options', 'DENY');
} }
$policy[] = "default-src 'self'";
$policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com"; // This defaults to false to maintain backwards compatibility
$policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com"; // people who are not running Snipe-IT over TLS (shame, shame, shame!)
$policy[] = "connect-src 'self'"; // Seriously though, please run Snipe-IT over TLS. Let's Encrypt is free.
$policy[] = "object-src 'none'"; // https://letsencrypt.org
$policy[] = "font-src 'self' data:";
$policy[] = "img-src 'self' data: gravatar.com"; if (config('app.enable_hsts') === true) {
$policy = join(';', $policy); $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
$response->headers->set('Content-Security-Policy', $policy); }
// We have to exclude debug mode here because debugbar pulls from a CDN or two
// and it will break things.
if ((config('app.debug')!='true') || (config('app.enable_csp')=='true')) {
$policy[] = "default-src 'self'";
$policy[] = "style-src 'self' 'unsafe-inline'";
$policy[] = "script-src 'self' 'unsafe-inline'";
$policy[] = "connect-src 'self'";
$policy[] = "object-src 'none'";
$policy[] = "font-src 'self' data:";
$policy[] = "img-src 'self' data: gravatar.com";
$policy = join(';', $policy);
$response->headers->set('Content-Security-Policy', $policy);
}
return $response; return $response;
} }

View file

@ -197,19 +197,33 @@ return [
/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
| ALLOW I-FRAMING | ALLOW I-FRAMING
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
| |
| Normal users will never need to edit this. This option lets you run | Normal users will never need to edit this. This option lets you run
| Snipe-IT within an I-Frame, which is normally disabled by default for | Snipe-IT within an I-Frame, which is normally disabled by default for
| security reasons, to prevent clickjacking. It should normally be set to false. | security reasons, to prevent clickjacking. It should normally be set to false.
| |
*/ */
'allow_iframing' => env('ALLOW_IFRAMING', false), 'allow_iframing' => env('ALLOW_IFRAMING', false),
/*
|--------------------------------------------------------------------------
| ENABLE HTTP Strict Transport Security (HSTS)
|--------------------------------------------------------------------------
|
| This is set to default false for backwards compatibilty but should be
| set to true if the hosting environment allows it.
|
| See https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
|
*/
'enable_hsts' => env('ENABLE_HSTS', false),
/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
| REFERRER-POLICY | REFERRER-POLICY