From a34085f1d93e45dbdf29e507003b3517b9d4f240 Mon Sep 17 00:00:00 2001
From: snipe
Date: Thu, 28 Sep 2017 16:28:27 -0700
Subject: [PATCH 1/2] Added mode=block to XSSProtect header
---
 app/Http/Middleware/XssProtectHeader.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/Http/Middleware/XssProtectHeader.php b/app/Http/Middleware/XssProtectHeader.php
index dd99d2ed4d..45b9806802 100644
--- a/app/Http/Middleware/XssProtectHeader.php
+++ b/app/Http/Middleware/XssProtectHeader.php
@@ -14,8 +14,9 @@ class XssProtectHeader
 */
 public function handle($request, Closure $next)
 {
+ $mode = '1; mode=block';
 $response = $next($request);
- $response->headers->set('X-XSS-Protection', '1');
+ $response->headers->set('X-XSS-Protection', $mode);
 return $response;
 }
 }
From 26a7701cdad349ab63d05d41ecb8474afa7ff67d Mon Sep 17 00:00:00 2001
From: snipe
Date: Thu, 28 Sep 2017 17:12:58 -0700
Subject: [PATCH 2/2] Added referrer-policy header
---
 .env.example | 1 +
 app/Http/Kernel.php | 1 +
 app/Http/Middleware/ReferrerPolicyHeader.php | 21 ++++++++++++++++++++
 config/app.php | 15 ++++++++++++++
 4 files changed, 38 insertions(+)
 create mode 100644 app/Http/Middleware/ReferrerPolicyHeader.php
diff --git a/.env.example b/.env.example
index 9bc90e5ed2..35f2277b37 100644
--- a/.env.example
+++ b/.env.example
@@ -63,6 +63,7 @@ ENCRYPT=false
 COOKIE_NAME=snipeit_session
 COOKIE_DOMAIN=null
 SECURE_COOKIES=false
+REFERRER_POLICY=strict-origin
 # --------------------------------------------
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 44d6d521ba..f46813734b 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
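Review bot: The new `$mode` local in handle() is assigned once and read once, so it reads as a half-finished step toward configurability rather than a clarification; either keep the literal inline or lift it to a class constant, `private const HEADER_VALUE = '1; mode=block';`, and if the value is meant to vary per deployment read it from config() the way the referrer policy in the second patch does. Separately, X-XSS-Protection is a legacy hint: Firefox never implemented the filter and the Chromium and Edge engines have since removed theirs, so on current browsers this header adds no protection and a Content-Security-Policy is the effective replacement; the commonly recommended value today is `0` or omitting the header entirely. handle() also carries no parameter type on `$request` and no return type, which matches the surrounding file but leaves the contract implicit.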
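Review bot: The example default `REFERRER_POLICY=strict-origin` (and the matching fallback in the config/app.php hunk of this patch, `env('REFERRER_POLICY', 'strict-origin')`) tells browsers to send only scheme, host and port even on same-origin navigations, so any code that reads the full previous URL from the Referer header — Laravel's `redirect()->back()` and `url()->previous()` do, if this app relies on them — will see only the site origin and land on `/` instead of the page the user came from. `strict-origin-when-cross-origin` keeps the full URL for same-origin requests while still sending only the origin to other sites (and nothing on HTTPS-to-HTTP downgrades), which is the usual choice unless same-origin paths are themselves considered sensitive. If that trade-off is accepted, change both defaults together: `REFERRER_POLICY=strict-origin-when-cross-origin` here and `'referrer_policy' => env('REFERRER_POLICY', 'strict-origin-when-cross-origin'),` in config/app.php.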
@@ -19,6 +19,7 @@ class Kernel extends HttpKernel
 \Illuminate\View\Middleware\ShareErrorsFromSession::class,
 \App\Http\Middleware\FrameGuard::class,
 \App\Http\Middleware\XssProtectHeader::class,
+ \App\Http\Middleware\ReferrerPolicyHeader::class,
 \App\Http\Middleware\NosniffGuard::class,
 \App\Http\Middleware\CheckForSetup::class,
 \Fideloper\Proxy\TrustProxies::class,
diff --git a/app/Http/Middleware/ReferrerPolicyHeader.php b/app/Http/Middleware/ReferrerPolicyHeader.php
new file mode 100644
index 0000000000..430ce45af3
--- /dev/null
+++ b/app/Http/Middleware/ReferrerPolicyHeader.php
@@ -0,0 +1,21 @@
+headers->set('Referrer-Policy', config('app.referrer_policy'));
+ return $response;
+ }
+}
diff --git a/config/app.php b/config/app.php
index 5fbfc80739..451fd17de1 100755
--- a/config/app.php
+++ b/config/app.php
@@ -155,6 +155,21 @@ return [
 'allow_iframing' => env('ALLOW_IFRAMING', false),
+ /*
+ |--------------------------------------------------------------------------
+ | REFERRER-POLICY
+ |--------------------------------------------------------------------------
+ |
+ | This is an additional security header that browsers use to determine
+ | whether they should report back URL referrer information.
+ |
+ | Read more: https://www.w3.org/TR/referrer-policy/
+ |
+ */
+
+ 'referrer_policy' => env('REFERRER_POLICY', 'strict-origin'),
+
+
 /*
 |--------------------------------------------------------------------------
 | Demo Mode Lockdown
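Review bot: The value written into the Referrer-Policy header is taken verbatim from `config('app.referrer_policy')`, which config/app.php fills from the `REFERRER_POLICY` environment variable, and nothing checks that it is one of the policy tokens the spec defines; a typo or an empty value in .env produces a header browsers silently ignore, so the deployment falls back to the browser default with no signal that the protection is off. Validate against the spec's token list and skip the header (or log and use a known-good default) when the value is not recognised. Note that this hunk is garbled in this view — everything from the opening tag through `$response->` is missing, so the class declaration, the `use` imports and the handle() signature cannot be checked here; the sketch below assumes the usual `handle($request, Closure $next)` shape. `private const` needs PHP 7.1; use a plain `const` if the project still targets older releases.
```php
// … unchanged: class header and handle() signature (not visible in this hunk) …
    /** Policy tokens defined by the Referrer Policy spec; anything else is ignored by browsers. */
    private const ALLOWED_POLICIES = [
        'no-referrer',
        'no-referrer-when-downgrade',
        'same-origin',
        'origin',
        'strict-origin',
        'origin-when-cross-origin',
        'strict-origin-when-cross-origin',
        'unsafe-url',
    ];

        $response = $next($request);
        $policy = config('app.referrer_policy');
        // Refuse to emit an unrecognised token rather than send a header that does nothing.
        if (in_array($policy, self::ALLOWED_POLICIES, true)) {
            $response->headers->set('Referrer-Policy', $policy);
        }
        return $response;
```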
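Review bot: The new config comment block explains what the header is for but not what values the `REFERRER_POLICY` variable accepts, so an operator editing .env has to go to the linked spec to find out that anything other than one of its fixed tokens is ignored by browsers. Add a line listing them, e.g. `| Valid values: no-referrer, no-referrer-when-downgrade, same-origin, origin,` followed by `| strict-origin, origin-when-cross-origin, strict-origin-when-cross-origin, unsafe-url.`, and a one-line note on the trade-off of the chosen default (`strict-origin` sends only the origin even on same-origin requests, so full-URL Referer consumers such as "back" redirects lose the path). The wording "report back URL referrer information" would read more precisely as "include the referring URL in requests".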