Added content security middleware

2024-09-19 23:37:38 -07:00 · 2017-09-28 19:45:15 -07:00 · 2017-09-28 19:45:15 -07:00 · 46d87849f4
parent 507f1f196c
commit 46d87849f4
33 changed files with 107 additions and 38 deletions
--- a/.env.example
+++ b/.env.example
@ -63,7 +63,13 @@ ENCRYPT=false
 COOKIE_NAME=snipeit_session
 COOKIE_DOMAIN=null
 SECURE_COOKIES=false
+
+
+# --------------------------------------------
+# OPTIONAL: SECURITY HEADER SETTINGS
+# --------------------------------------------
 REFERRER_POLICY=strict-origin
+DISABLE_CSP=false


 # --------------------------------------------
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -20,6 +20,7 @@ class Kernel extends HttpKernel
        \App\Http\Middleware\FrameGuard::class,
        \App\Http\Middleware\XssProtectHeader::class,
        \App\Http\Middleware\ReferrerPolicyHeader::class,
+        \App\Http\Middleware\ContentSecurityPolicyHeader::class,
        \App\Http\Middleware\NosniffGuard::class,
        \App\Http\Middleware\CheckForSetup::class,
        \Fideloper\Proxy\TrustProxies::class,
--- a/app/Http/Middleware/ContentSecurityPolicyHeader.php
+++ b/app/Http/Middleware/ContentSecurityPolicyHeader.php
@ -0,0 +1,35 @@
+<?php
+namespace App\Http\Middleware;
+
+use Closure;
+
+class ContentSecurityPolicyHeader
+{
+    /**
+     * Handle the given request and get the response.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return \Illuminate\Http\Response
+     */
+    public function handle($request, Closure $next)
+    {
+        if (config('app.disable_csp')=='true') {
+            $response = $next($request);
+            return $response;
+        }
+
+        $policy[] = "default-src 'self'";
+        $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
+        $policy[] = "script-src 'self' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";
+        $policy[] = "connect-src 'self'";
+        $policy[] = "object-src 'none'";
+        $policy[] = "font-src 'self' data:";
+        $policy[] = "img-src 'self' data: gravatar.com";
+        $policy = join(';', $policy);
+
+        $response = $next($request);
+        $response->headers->set('Content-Security-Policy', $policy);
+        return $response;
+    }
+}
--- a/config/app.php
+++ b/config/app.php
@ -169,6 +169,24 @@ return [

    'referrer_policy' => env('REFERRER_POLICY', 'strict-origin'),

+    /*
+    |--------------------------------------------------------------------------
+    | CSP
+    |--------------------------------------------------------------------------
+    |
+    | Disable the content security policy that restricts what scripts, images
+    | and styles can load. (This should be left as false if you don't know
+    | what this means.)
+    |
+    | Read more: https://www.w3.org/TR/CSP/
+    | Read more: https://content-security-policy.com
+    |
+    */
+
+    'disable_csp' => env('DISABLE_CSP', false),
+
+
+

    /*
    |--------------------------------------------------------------------------
--- a/public/.htaccess
+++ b/public/.htaccess
@ -5,10 +5,12 @@

    RewriteEngine On

-    # Uncomment these two lines to force SSL redirect
+    # Uncomment these two lines to force SSL redirect in Apache
    # RewriteCond %{HTTPS} off
    # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

+
+
    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)/$ /$1 [L,R=301]
@ -21,4 +23,11 @@
    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+    # Security Headers
+    Header set Strict-Transport-Security "max-age=2592000" env=HTTPS
+    Header set X-XSS-Protection "1; mode=block"
+    Header set X-Content-Type-Options nosniff
+    Header set X-Permitted-Cross-Domain-Policies "master-only"
+
 </IfModule>
--- a/resources/views/account/accept-asset.blade.php
+++ b/resources/views/account/accept-asset.blade.php
@ -94,7 +94,7 @@
@section('moar_scripts')

    <script src="{{ asset('js/signature_pad.min.js') }}"></script>
-    <script>
+    <script nonce="{{ csrf_token() }}">
        var wrapper = document.getElementById("signature-pad"),
                clearButton = wrapper.querySelector("[data-action=clear]"),
                saveButton = wrapper.querySelector("[data-action=save]"),
--- a/resources/views/account/api.blade.php
+++ b/resources/views/account/api.blade.php
@ -16,9 +16,9 @@
@stop

@section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
    new Vue({
        el: "#app",
    });
 </script>
-@endsection
+@endsection
--- a/resources/views/account/requestable-assets.blade.php
+++ b/resources/views/account/requestable-assets.blade.php
@ -149,7 +149,7 @@


@section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">

    $( "a[name='Request']").click(function(event) {
        // event.preventDefault();
--- a/resources/views/asset_maintenances/index.blade.php
+++ b/resources/views/asset_maintenances/index.blade.php
@ -58,7 +58,7 @@

@section('moar_scripts')
@include ('partials.bootstrap-table', ['exportFile' => 'maintenances-export', 'search' => true])
-<script>
+<script nonce="{{ csrf_token() }}">
    function maintenanceActions(value, row) {
        var actions = '<nobr>';
        if ((row) && (row.available_actions.update === true)) {
--- a/resources/views/custom_fields/fields/edit.blade.php
+++ b/resources/views/custom_fields/fields/edit.blade.php
@ -134,7 +134,7 @@
@stop

@section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
    $(document).ready(function(){

        // Only display the custom format field if it's a custom format validation type
--- a/resources/views/custom_fields/fieldsets/view.blade.php
+++ b/resources/views/custom_fields/fieldsets/view.blade.php
@ -82,7 +82,7 @@
@stop

@section('moar_scripts')
-  <script>
+  <script nonce="{{ csrf_token() }}">
  var fixHelperModified = function(e, tr) {
      var $originals = tr.children();
      var $helper = tr.clone();
--- a/resources/views/dashboard.blade.php
+++ b/resources/views/dashboard.blade.php
@ -253,7 +253,7 @@
@endif


-<script>
+<script nonce="{{ csrf_token() }}">



--- a/resources/views/hardware/bulk-checkout.blade.php
+++ b/resources/views/hardware/bulk-checkout.blade.php
@ -107,7 +107,7 @@
@stop

@section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
 $(function() {
  $('#assigned_to').on("change",function () {
    // console.warn("Model Id has changed!");
--- a/resources/views/hardware/checkout.blade.php
+++ b/resources/views/hardware/checkout.blade.php
@ -154,7 +154,7 @@
@stop

@section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
 $(function() {
  $('#assigned_user').on("change",function () {
    var userid = $('#assigned_user option:selected').val();
--- a/resources/views/hardware/edit.blade.php
+++ b/resources/views/hardware/edit.blade.php
@ -160,7 +160,7 @@
@stop

@section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">



--- a/resources/views/hardware/history.blade.php
+++ b/resources/views/hardware/history.blade.php
@ -190,7 +190,7 @@
            @endif

        </div></div></div>
-<script>
+<script nonce="{{ csrf_token() }}">
 $(document).ready(function(){

    $('#generate-password').pGenerator({
--- a/resources/views/hardware/quickscan.blade.php
+++ b/resources/views/hardware/quickscan.blade.php
@ -125,7 +125,7 @@


@section('moar_scripts')
-    <script>
+    <script nonce="{{ csrf_token() }}">

        $("#audit-form").submit(function (event) {
            $('#audited-div').show();
--- a/resources/views/hardware/view.blade.php
+++ b/resources/views/hardware/view.blade.php
@ -703,7 +703,7 @@
@section('moar_scripts')
  @include ('partials.bootstrap-table', ['simple_view' => true])

-<script>
+<script nonce="{{ csrf_token() }}">
    $(document).delegate('*[data-toggle="lightbox"]', 'click', function(event) {
        event.preventDefault();
        $(this).ekkoLightbox();
--- a/resources/views/importer/import.blade.php
+++ b/resources/views/importer/import.blade.php
@ -83,7 +83,7 @@
@stop

@section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
    new Vue({
        el: '#app'
    });
--- a/resources/views/layouts/default.blade.php
+++ b/resources/views/layouts/default.blade.php
@ -27,13 +27,13 @@

    <meta name="csrf-token" content="{{ csrf_token() }}">

-      <script>
+      <script nonce="{{ csrf_token() }}">
          window.Laravel = { csrfToken: '{{ csrf_token() }}' };
      </script>



-      <style>
+      <style nonce="{{ csrf_token() }}">
        @if ($snipeSettings)
            @if ($snipeSettings->header_color)
            .main-header .navbar, .main-header .logo {
@ -70,7 +70,7 @@



-    <script>
+    <script nonce="{{ csrf_token() }}">
          window.snipeit = {
              settings: {
                  "per_page": {{ $snipeSettings->per_page }}
@ -662,7 +662,7 @@


    <script src="{{ url(mix('js/dist/all.js')) }}"></script>
-    <script>
+    <script nonce="{{ csrf_token() }}">
        $(function () {
            var datepicker = $.fn.datepicker.noConflict(); // return $.fn.datepicker to previously assigned value
            $.fn.bootstrapDP = datepicker;
@ -677,14 +677,14 @@
    @section('moar_scripts')
    @show

-    <script>
+    <script nonce="{{ csrf_token() }}">
        $(function () {
            $('[data-toggle="tooltip"]').tooltip();
        })
    </script>

    @if ((Session::get('topsearch')=='true') || (Request::is('/')))
-    <script>
+    <script nonce="{{ csrf_token() }}">
         $("#tagSearch").focus();
    </script>
    @endif
--- a/resources/views/layouts/setup.blade.php
+++ b/resources/views/layouts/setup.blade.php
@ -13,7 +13,7 @@



-        <script>
+        <script nonce="{{ csrf_token() }}">
            window.snipeit = {
                settings: {
                    "per_page": 20
@ -120,7 +120,7 @@
          </div>
          <script src="{{ url(mix('js/dist/all.js')) }}"></script>

-        <script>
+        <script nonce="{{ csrf_token() }}">
            $(function () {
                $(".select2").select2();
            });
--- a/resources/views/locations/edit.blade.php
+++ b/resources/views/locations/edit.blade.php
@ -62,7 +62,7 @@

@if (!$item->id)
@section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">

    var $eventSelect = $(".parent");
    $eventSelect.on("change", function () { parent_details($eventSelect.val()); });
--- a/resources/views/modals/user.blade.php
+++ b/resources/views/modals/user.blade.php
@ -1,7 +1,7 @@

 <script src="/js/pGenerator.jquery.js"></script>

-<script>
+<script nonce="{{ csrf_token() }}">
    $(document).ready(function () {

        $('#genPassword').pGenerator({
--- a/resources/views/partials/bootstrap-table.blade.php
+++ b/resources/views/partials/bootstrap-table.blade.php
@ -13,7 +13,7 @@
 <script src="{{ asset('js/extensions/toolbar/bootstrap-table-toolbar.js') }}"></script>
@endif

-<script>
+<script nonce="{{ csrf_token() }}">
 $('.snipe-table').bootstrapTable({
        classes: 'table table-responsive table-no-bordered',
        undefinedText: '',
--- a/resources/views/settings/api.blade.php
+++ b/resources/views/settings/api.blade.php
@ -24,7 +24,7 @@
@stop

@section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
    new Vue({
        el: "#app",
    });
--- a/resources/views/settings/branding.blade.php
+++ b/resources/views/settings/branding.blade.php
@ -146,7 +146,7 @@

@section('moar_scripts')
    <!-- bootstrap color picker -->
-    <script>
+    <script nonce="{{ csrf_token() }}">
        //color picker with addon
        $(".header-color").colorpicker();
        // toggle the disabled state of asset id prefix
--- a/resources/views/settings/general.blade.php
+++ b/resources/views/settings/general.blade.php
@ -199,7 +199,7 @@

@section('moar_scripts')
    <!-- bootstrap color picker -->
-    <script>
+    <script nonce="{{ csrf_token() }}">
        //color picker with addon
        $(".header-color").colorpicker();
        // toggle the disabled state of asset id prefix
--- a/resources/views/settings/ldap.blade.php
+++ b/resources/views/settings/ldap.blade.php
@ -372,7 +372,7 @@
@stop

@section('moar_scripts')
-    <script>
+    <script nonce="{{ csrf_token() }}">
        $("#ldaptest").click(function(){
            $("#ldaptestrow").removeClass('success');
            $("#ldaptestrow").removeClass('danger');
--- a/resources/views/statuslabels/edit.blade.php
+++ b/resources/views/statuslabels/edit.blade.php
@ -57,7 +57,7 @@

@section('moar_scripts')
    <!-- bootstrap color picker -->
-    <script>
+    <script nonce="{{ csrf_token() }}">
        //color picker with addon
        $(".color").colorpicker();
    </script>
--- a/resources/views/statuslabels/index.blade.php
+++ b/resources/views/statuslabels/index.blade.php
@ -54,7 +54,7 @@
@section('moar_scripts')
@include ('partials.bootstrap-table', ['exportFile' => 'statuslabels-export', 'search' => true])

-  <script>
+  <script nonce="{{ csrf_token() }}">
      function colorSqFormatter(value, row) {
          if (value) {
              return '<span class="label" style="background-color: ' + value + ';">&nbsp;</span> ' + value;
--- a/resources/views/users/edit.blade.php
+++ b/resources/views/users/edit.blade.php
@ -553,7 +553,7 @@
@stop

@section('moar_scripts')
-<script>
+<script nonce="{{ csrf_token() }}">
 $(document).ready(function() {

 	$('#email').on('keyup',function(){
@ -570,7 +570,7 @@ $(document).ready(function() {
 });
 </script>

-<script>
+<script nonce="{{ csrf_token() }}">
 $('tr.header-row input:radio').click(function() {
  value = $(this).attr('value');
  $(this).parent().parent().siblings().each(function() {
@ -585,7 +585,7 @@ $('.header-name').click(function() {

 <script src="{{ asset('js/pGenerator.jquery.js') }}"></script>

-<script>
+<script nonce="{{ csrf_token() }}">


 $(document).ready(function(){
--- a/resources/views/users/index.blade.php
+++ b/resources/views/users/index.blade.php
@ -86,7 +86,7 @@
    'columns' => \App\Presenters\UserPresenter::dataTableLayout()
 ])

-<script>
+<script nonce="{{ csrf_token() }}">

    function groupsFormatter(value) {

--- a/resources/views/users/view.blade.php
+++ b/resources/views/users/view.blade.php
@ -491,7 +491,7 @@

@section('moar_scripts')
  @include ('partials.bootstrap-table', ['simple_view' => true])
-<script>
+<script nonce="{{ csrf_token() }}">
 $(function () {
    //binds to onchange event of your input field
    var uploadedFileSize = 0;