mirror of
https://github.com/snipe/snipe-it.git
synced 2024-12-24 05:04:07 -08:00
Config variable for HSTS
This commit is contained in:
parent
4fb880384f
commit
05b3a9ad7e
|
@ -71,6 +71,7 @@ ALLOW_IFRAMING=false
|
||||||
REFERRER_POLICY=same-origin
|
REFERRER_POLICY=same-origin
|
||||||
ENABLE_CSP=false
|
ENABLE_CSP=false
|
||||||
CORS_ALLOWED_ORIGINS=null
|
CORS_ALLOWED_ORIGINS=null
|
||||||
|
ENABLE_HSTS=false
|
||||||
|
|
||||||
# --------------------------------------------
|
# --------------------------------------------
|
||||||
# OPTIONAL: CACHE SETTINGS
|
# OPTIONAL: CACHE SETTINGS
|
||||||
|
|
|
@ -24,24 +24,39 @@ class SecurityHeaders
|
||||||
{
|
{
|
||||||
$this->removeUnwantedHeaders($this->unwantedHeaderList);
|
$this->removeUnwantedHeaders($this->unwantedHeaderList);
|
||||||
$response = $next($request);
|
$response = $next($request);
|
||||||
|
|
||||||
$response->headers->set('Referrer-Policy', config('app.referrer_policy'));
|
$response->headers->set('Referrer-Policy', config('app.referrer_policy'));
|
||||||
$response->headers->set('X-Content-Type-Options', 'nosniff');
|
$response->headers->set('X-Content-Type-Options', 'nosniff');
|
||||||
$response->headers->set('X-XSS-Protection', '1; mode=block');
|
$response->headers->set('X-XSS-Protection', '1; mode=block');
|
||||||
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
$response->headers->set('Feature-Policy', 'self');
|
||||||
|
|
||||||
if (config('app.allow_iframing') == false) {
|
if (config('app.allow_iframing') == false) {
|
||||||
$response->headers->set('X-Frame-Options', 'DENY');
|
$response->headers->set('X-Frame-Options', 'DENY');
|
||||||
}
|
}
|
||||||
|
|
||||||
$policy[] = "default-src 'self'";
|
|
||||||
$policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
|
// This defaults to false to maintain backwards compatibility
|
||||||
$policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com";
|
// people who are not running Snipe-IT over TLS (shame, shame, shame!)
|
||||||
$policy[] = "connect-src 'self'";
|
// Seriously though, please run Snipe-IT over TLS. Let's Encrypt is free.
|
||||||
$policy[] = "object-src 'none'";
|
// https://letsencrypt.org
|
||||||
$policy[] = "font-src 'self' data:";
|
|
||||||
$policy[] = "img-src 'self' data: gravatar.com";
|
if (config('app.enable_hsts') === true) {
|
||||||
$policy = join(';', $policy);
|
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
||||||
$response->headers->set('Content-Security-Policy', $policy);
|
}
|
||||||
|
|
||||||
|
// We have to exclude debug mode here because debugbar pulls from a CDN or two
|
||||||
|
// and it will break things.
|
||||||
|
if ((config('app.debug')!='true') || (config('app.enable_csp')=='true')) {
|
||||||
|
$policy[] = "default-src 'self'";
|
||||||
|
$policy[] = "style-src 'self' 'unsafe-inline'";
|
||||||
|
$policy[] = "script-src 'self' 'unsafe-inline'";
|
||||||
|
$policy[] = "connect-src 'self'";
|
||||||
|
$policy[] = "object-src 'none'";
|
||||||
|
$policy[] = "font-src 'self' data:";
|
||||||
|
$policy[] = "img-src 'self' data: gravatar.com";
|
||||||
|
$policy = join(';', $policy);
|
||||||
|
$response->headers->set('Content-Security-Policy', $policy);
|
||||||
|
}
|
||||||
|
|
||||||
return $response;
|
return $response;
|
||||||
}
|
}
|
||||||
|
|
|
@ -197,19 +197,33 @@ return [
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| ALLOW I-FRAMING
|
| ALLOW I-FRAMING
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
|
|
|
|
||||||
| Normal users will never need to edit this. This option lets you run
|
| Normal users will never need to edit this. This option lets you run
|
||||||
| Snipe-IT within an I-Frame, which is normally disabled by default for
|
| Snipe-IT within an I-Frame, which is normally disabled by default for
|
||||||
| security reasons, to prevent clickjacking. It should normally be set to false.
|
| security reasons, to prevent clickjacking. It should normally be set to false.
|
||||||
|
|
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
'allow_iframing' => env('ALLOW_IFRAMING', false),
|
'allow_iframing' => env('ALLOW_IFRAMING', false),
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
|--------------------------------------------------------------------------
|
||||||
|
| ENABLE HTTP Strict Transport Security (HSTS)
|
||||||
|
|--------------------------------------------------------------------------
|
||||||
|
|
|
||||||
|
| This is set to default false for backwards compatibilty but should be
|
||||||
|
| set to true if the hosting environment allows it.
|
||||||
|
|
|
||||||
|
| See https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
|
||||||
|
|
|
||||||
|
*/
|
||||||
|
|
||||||
|
'enable_hsts' => env('ENABLE_HSTS', false),
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|--------------------------------------------------------------------------
|
|--------------------------------------------------------------------------
|
||||||
| REFERRER-POLICY
|
| REFERRER-POLICY
|
||||||
|
|
Loading…
Reference in a new issue