mirror of
https://github.com/snipe/snipe-it.git
synced 2024-12-23 12:44:12 -08:00
Merge pull request #8164 from snipe/features/additional_security_headers
Additional security headers
This commit is contained in:
commit
2390d2160b
|
@ -71,6 +71,7 @@ ALLOW_IFRAMING=false
|
|||
REFERRER_POLICY=same-origin
|
||||
ENABLE_CSP=false
|
||||
CORS_ALLOWED_ORIGINS=null
|
||||
ENABLE_HSTS=false
|
||||
|
||||
# --------------------------------------------
|
||||
# OPTIONAL: CACHE SETTINGS
|
||||
|
|
|
@ -17,15 +17,12 @@ class Kernel extends HttpKernel
|
|||
\Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
|
||||
\Illuminate\Session\Middleware\StartSession::class,
|
||||
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
|
||||
\App\Http\Middleware\FrameGuard::class,
|
||||
\App\Http\Middleware\XssProtectHeader::class,
|
||||
\App\Http\Middleware\ReferrerPolicyHeader::class,
|
||||
\App\Http\Middleware\ContentSecurityPolicyHeader::class,
|
||||
\App\Http\Middleware\NosniffGuard::class,
|
||||
\Fideloper\Proxy\TrustProxies::class,
|
||||
\App\Http\Middleware\CheckForSetup::class,
|
||||
\App\Http\Middleware\CheckForDebug::class,
|
||||
\Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
|
||||
\App\Http\Middleware\SecurityHeaders::class,
|
||||
|
||||
];
|
||||
|
||||
/**
|
||||
|
|
|
@ -1,35 +0,0 @@
|
|||
<?php
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
|
||||
class ContentSecurityPolicyHeader
|
||||
{
|
||||
/**
|
||||
* Handle the given request and get the response.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @param \Closure $next
|
||||
* @return \Illuminate\Http\Response
|
||||
*/
|
||||
public function handle($request, Closure $next)
|
||||
{
|
||||
if ((config('app.debug')=='true') || (config('app.enable_csp')!='true')) {
|
||||
$response = $next($request);
|
||||
return $response;
|
||||
}
|
||||
|
||||
$policy[] = "default-src 'self'";
|
||||
$policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
|
||||
$policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com";
|
||||
$policy[] = "connect-src 'self'";
|
||||
$policy[] = "object-src 'none'";
|
||||
$policy[] = "font-src 'self' data:";
|
||||
$policy[] = "img-src 'self' data: gravatar.com";
|
||||
$policy = join(';', $policy);
|
||||
|
||||
$response = $next($request);
|
||||
$response->headers->set('Content-Security-Policy', $policy);
|
||||
return $response;
|
||||
}
|
||||
}
|
|
@ -1,24 +0,0 @@
|
|||
<?php
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
|
||||
class FrameGuard
|
||||
{
|
||||
/**
|
||||
* Handle the given request and get the response.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @param \Closure $next
|
||||
* @return \Illuminate\Http\Response
|
||||
*/
|
||||
public function handle($request, Closure $next)
|
||||
{
|
||||
$response = $next($request);
|
||||
if (config('app.allow_iframing') == false) {
|
||||
$response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
|
||||
}
|
||||
return $response;
|
||||
|
||||
}
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
<?php
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
|
||||
class NosniffGuard
|
||||
{
|
||||
/**
|
||||
* Handle the given request and get the response.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @param \Closure $next
|
||||
* @return \Illuminate\Http\Response
|
||||
*/
|
||||
public function handle($request, Closure $next)
|
||||
{
|
||||
$response = $next($request);
|
||||
$response->headers->set('X-Content-Type-Options', 'nosniff', false);
|
||||
return $response;
|
||||
}
|
||||
}
|
|
@ -1,21 +0,0 @@
|
|||
<?php
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
|
||||
class ReferrerPolicyHeader
|
||||
{
|
||||
/**
|
||||
* Handle the given request and get the response.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @param \Closure $next
|
||||
* @return \Illuminate\Http\Response
|
||||
*/
|
||||
public function handle($request, Closure $next)
|
||||
{
|
||||
$response = $next($request);
|
||||
$response->headers->set('Referrer-Policy', config('app.referrer_policy'));
|
||||
return $response;
|
||||
}
|
||||
}
|
78
app/Http/Middleware/SecurityHeaders.php
Normal file
78
app/Http/Middleware/SecurityHeaders.php
Normal file
|
@ -0,0 +1,78 @@
|
|||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
|
||||
class SecurityHeaders
|
||||
{
|
||||
/**
|
||||
* Handle an incoming request.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @param \Closure $next
|
||||
* @return mixed
|
||||
*/
|
||||
|
||||
// See https://securityheaders.com/
|
||||
private $unwantedHeaderList = [
|
||||
'X-Powered-By',
|
||||
'Server',
|
||||
];
|
||||
|
||||
public function handle($request, Closure $next)
|
||||
{
|
||||
$this->removeUnwantedHeaders($this->unwantedHeaderList);
|
||||
$response = $next($request);
|
||||
|
||||
$response->headers->set('X-Content-Type-Options', 'nosniff');
|
||||
$response->headers->set('X-XSS-Protection', '1; mode=block');
|
||||
$response->headers->set('Feature-Policy', 'self');
|
||||
|
||||
// Defaults to same-origin if REFERRER_POLICY is not set in the .env
|
||||
$response->headers->set('Referrer-Policy', config('app.referrer_policy'));
|
||||
|
||||
// The .env var ALLOW_IFRAMING defaults to false (which disallows IFRAMING)
|
||||
// if not present, but some unique cases require this to be enabled.
|
||||
// For example, some IT depts have IFRAMED Snipe-IT into their IT portal
|
||||
// for convenience so while it is normally disallowed, there is
|
||||
// an override that exists.
|
||||
|
||||
if (config('app.allow_iframing') == false) {
|
||||
$response->headers->set('X-Frame-Options', 'DENY');
|
||||
}
|
||||
|
||||
|
||||
// This defaults to false to maintain backwards compatibility
|
||||
// people who are not running Snipe-IT over TLS (shame, shame, shame!)
|
||||
// Seriously though, please run Snipe-IT over TLS. Let's Encrypt is free.
|
||||
// https://letsencrypt.org
|
||||
|
||||
if (config('app.enable_hsts') === true) {
|
||||
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
||||
}
|
||||
|
||||
// We have to exclude debug mode here because debugbar pulls from a CDN or two
|
||||
// and it will break things.
|
||||
|
||||
if ((config('app.debug')!='true') || (config('app.enable_csp')=='true')) {
|
||||
$policy[] = "default-src 'self'";
|
||||
$policy[] = "style-src 'self' 'unsafe-inline'";
|
||||
$policy[] = "script-src 'self' 'unsafe-inline'";
|
||||
$policy[] = "connect-src 'self'";
|
||||
$policy[] = "object-src 'none'";
|
||||
$policy[] = "font-src 'self' data:";
|
||||
$policy[] = "img-src 'self' data: gravatar.com";
|
||||
$policy = join(';', $policy);
|
||||
$response->headers->set('Content-Security-Policy', $policy);
|
||||
}
|
||||
|
||||
return $response;
|
||||
}
|
||||
|
||||
private function removeUnwantedHeaders($headerList)
|
||||
{
|
||||
foreach ($headerList as $header)
|
||||
header_remove($header);
|
||||
}
|
||||
}
|
|
@ -1,22 +0,0 @@
|
|||
<?php
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
|
||||
class XssProtectHeader
|
||||
{
|
||||
/**
|
||||
* Handle the given request and get the response.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @param \Closure $next
|
||||
* @return \Illuminate\Http\Response
|
||||
*/
|
||||
public function handle($request, Closure $next)
|
||||
{
|
||||
$mode = '1;mode=block';
|
||||
$response = $next($request);
|
||||
$response->headers->set('X-XSS-Protection', $mode);
|
||||
return $response;
|
||||
}
|
||||
}
|
|
@ -197,19 +197,33 @@ return [
|
|||
|
||||
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
| ALLOW I-FRAMING
|
||||
|--------------------------------------------------------------------------
|
||||
|
|
||||
| Normal users will never need to edit this. This option lets you run
|
||||
| Snipe-IT within an I-Frame, which is normally disabled by default for
|
||||
| security reasons, to prevent clickjacking. It should normally be set to false.
|
||||
|
|
||||
*/
|
||||
|--------------------------------------------------------------------------
|
||||
| ALLOW I-FRAMING
|
||||
|--------------------------------------------------------------------------
|
||||
|
|
||||
| Normal users will never need to edit this. This option lets you run
|
||||
| Snipe-IT within an I-Frame, which is normally disabled by default for
|
||||
| security reasons, to prevent clickjacking. It should normally be set to false.
|
||||
|
|
||||
*/
|
||||
|
||||
'allow_iframing' => env('ALLOW_IFRAMING', false),
|
||||
|
||||
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
| ENABLE HTTP Strict Transport Security (HSTS)
|
||||
|--------------------------------------------------------------------------
|
||||
|
|
||||
| This is set to default false for backwards compatibilty but should be
|
||||
| set to true if the hosting environment allows it.
|
||||
|
|
||||
| See https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
|
||||
|
|
||||
*/
|
||||
|
||||
'enable_hsts' => env('ENABLE_HSTS', false),
|
||||
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
| REFERRER-POLICY
|
||||
|
|
Loading…
Reference in a new issue