mirror of
https://github.com/snipe/snipe-it.git
synced 2024-12-24 21:24:13 -08:00
Additional security headers
This commit is contained in:
parent
b42801f6ae
commit
36c8f7f4f1
|
@ -17,15 +17,12 @@ class Kernel extends HttpKernel
|
||||||
\Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
|
\Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
|
||||||
\Illuminate\Session\Middleware\StartSession::class,
|
\Illuminate\Session\Middleware\StartSession::class,
|
||||||
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
|
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
|
||||||
\App\Http\Middleware\FrameGuard::class,
|
|
||||||
\App\Http\Middleware\XssProtectHeader::class,
|
|
||||||
\App\Http\Middleware\ReferrerPolicyHeader::class,
|
|
||||||
\App\Http\Middleware\ContentSecurityPolicyHeader::class,
|
|
||||||
\App\Http\Middleware\NosniffGuard::class,
|
|
||||||
\Fideloper\Proxy\TrustProxies::class,
|
\Fideloper\Proxy\TrustProxies::class,
|
||||||
\App\Http\Middleware\CheckForSetup::class,
|
\App\Http\Middleware\CheckForSetup::class,
|
||||||
\App\Http\Middleware\CheckForDebug::class,
|
\App\Http\Middleware\CheckForDebug::class,
|
||||||
\Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
|
\Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
|
||||||
|
\App\Http\Middleware\SecurityHeaders::class,
|
||||||
|
|
||||||
];
|
];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -1,24 +0,0 @@
|
||||||
<?php
|
|
||||||
namespace App\Http\Middleware;
|
|
||||||
|
|
||||||
use Closure;
|
|
||||||
|
|
||||||
class FrameGuard
|
|
||||||
{
|
|
||||||
/**
|
|
||||||
* Handle the given request and get the response.
|
|
||||||
*
|
|
||||||
* @param \Illuminate\Http\Request $request
|
|
||||||
* @param \Closure $next
|
|
||||||
* @return \Illuminate\Http\Response
|
|
||||||
*/
|
|
||||||
public function handle($request, Closure $next)
|
|
||||||
{
|
|
||||||
$response = $next($request);
|
|
||||||
if (config('app.allow_iframing') == false) {
|
|
||||||
$response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
|
|
||||||
}
|
|
||||||
return $response;
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,21 +0,0 @@
|
||||||
<?php
|
|
||||||
namespace App\Http\Middleware;
|
|
||||||
|
|
||||||
use Closure;
|
|
||||||
|
|
||||||
class NosniffGuard
|
|
||||||
{
|
|
||||||
/**
|
|
||||||
* Handle the given request and get the response.
|
|
||||||
*
|
|
||||||
* @param \Illuminate\Http\Request $request
|
|
||||||
* @param \Closure $next
|
|
||||||
* @return \Illuminate\Http\Response
|
|
||||||
*/
|
|
||||||
public function handle($request, Closure $next)
|
|
||||||
{
|
|
||||||
$response = $next($request);
|
|
||||||
$response->headers->set('X-Content-Type-Options', 'nosniff', false);
|
|
||||||
return $response;
|
|
||||||
}
|
|
||||||
}
|
|
56
app/Http/Middleware/SecurityHeaders.php
Normal file
56
app/Http/Middleware/SecurityHeaders.php
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Http\Middleware;
|
||||||
|
|
||||||
|
use Closure;
|
||||||
|
|
||||||
|
class SecurityHeaders
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* Handle an incoming request.
|
||||||
|
*
|
||||||
|
* @param \Illuminate\Http\Request $request
|
||||||
|
* @param \Closure $next
|
||||||
|
* @return mixed
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Enumerate headers which you do not want in your application's responses.
|
||||||
|
// Great starting point would be to go check out @Scott_Helme's:
|
||||||
|
// https://securityheaders.com/
|
||||||
|
private $unwantedHeaderList = [
|
||||||
|
'X-Powered-By',
|
||||||
|
'Server',
|
||||||
|
];
|
||||||
|
|
||||||
|
public function handle($request, Closure $next)
|
||||||
|
{
|
||||||
|
$this->removeUnwantedHeaders($this->unwantedHeaderList);
|
||||||
|
$response = $next($request);
|
||||||
|
$response->headers->set('Referrer-Policy', 'no-referrer-when-downgrade');
|
||||||
|
$response->headers->set('X-Content-Type-Options', 'nosniff');
|
||||||
|
$response->headers->set('X-XSS-Protection', '1; mode=block');
|
||||||
|
$response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
||||||
|
|
||||||
|
if (config('app.allow_iframing') == false) {
|
||||||
|
$response->headers->set('X-Frame-Options', 'DENY');
|
||||||
|
}
|
||||||
|
|
||||||
|
$policy[] = "default-src 'self'";
|
||||||
|
$policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
|
||||||
|
$policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com";
|
||||||
|
$policy[] = "connect-src 'self'";
|
||||||
|
$policy[] = "object-src 'none'";
|
||||||
|
$policy[] = "font-src 'self' data:";
|
||||||
|
$policy[] = "img-src 'self' data: gravatar.com";
|
||||||
|
$policy = join(';', $policy);
|
||||||
|
$response->headers->set('Content-Security-Policy', $policy);
|
||||||
|
|
||||||
|
return $response;
|
||||||
|
}
|
||||||
|
|
||||||
|
private function removeUnwantedHeaders($headerList)
|
||||||
|
{
|
||||||
|
foreach ($headerList as $header)
|
||||||
|
header_remove($header);
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,22 +0,0 @@
|
||||||
<?php
|
|
||||||
namespace App\Http\Middleware;
|
|
||||||
|
|
||||||
use Closure;
|
|
||||||
|
|
||||||
class XssProtectHeader
|
|
||||||
{
|
|
||||||
/**
|
|
||||||
* Handle the given request and get the response.
|
|
||||||
*
|
|
||||||
* @param \Illuminate\Http\Request $request
|
|
||||||
* @param \Closure $next
|
|
||||||
* @return \Illuminate\Http\Response
|
|
||||||
*/
|
|
||||||
public function handle($request, Closure $next)
|
|
||||||
{
|
|
||||||
$mode = '1;mode=block';
|
|
||||||
$response = $next($request);
|
|
||||||
$response->headers->set('X-XSS-Protection', $mode);
|
|
||||||
return $response;
|
|
||||||
}
|
|
||||||
}
|
|
Loading…
Reference in a new issue