Merge branch 'develop'

2024-11-11 08:04:09 -08:00 · 2017-09-28 17:17:03 -07:00 · 2017-09-28 17:17:03 -07:00 · df4700b411
parent 8e682c715e 26a7701cda
commit df4700b411
5 changed files with 40 additions and 1 deletions
--- a/.env.example
+++ b/.env.example
@ -63,6 +63,7 @@ ENCRYPT=false
 COOKIE_NAME=snipeit_session
 COOKIE_DOMAIN=null
 SECURE_COOKIES=false
+REFERRER_POLICY=strict-origin


 # --------------------------------------------
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -19,6 +19,7 @@ class Kernel extends HttpKernel
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\FrameGuard::class,
        \App\Http\Middleware\XssProtectHeader::class,
+        \App\Http\Middleware\ReferrerPolicyHeader::class,
        \App\Http\Middleware\NosniffGuard::class,
        \App\Http\Middleware\CheckForSetup::class,
        \Fideloper\Proxy\TrustProxies::class,
--- a/app/Http/Middleware/ReferrerPolicyHeader.php
+++ b/app/Http/Middleware/ReferrerPolicyHeader.php
@ -0,0 +1,21 @@
+<?php
+namespace App\Http\Middleware;
+
+use Closure;
+
+class ReferrerPolicyHeader
+{
+    /**
+     * Handle the given request and get the response.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return \Illuminate\Http\Response
+     */
+    public function handle($request, Closure $next)
+    {
+        $response = $next($request);
+        $response->headers->set('Referrer-Policy', config('app.referrer_policy'));
+        return $response;
+    }
+}
--- a/app/Http/Middleware/XssProtectHeader.php
+++ b/app/Http/Middleware/XssProtectHeader.php
@ -14,8 +14,9 @@ class XssProtectHeader
     */
    public function handle($request, Closure $next)
    {
+        $mode = '1; mode=block';
        $response = $next($request);
-        $response->headers->set('X-XSS-Protection', '1');
+        $response->headers->set('X-XSS-Protection', $mode);
        return $response;
    }
 }
--- a/config/app.php
+++ b/config/app.php
@ -155,6 +155,21 @@ return [
    'allow_iframing' => env('ALLOW_IFRAMING', false),


+    /*
+    |--------------------------------------------------------------------------
+    | REFERRER-POLICY
+    |--------------------------------------------------------------------------
+    |
+    | This is an additional security header that browsers use to determine
+    | whether they should report back URL referrer information.
+    |
+    | Read more: https://www.w3.org/TR/referrer-policy/
+    |
+    */
+
+    'referrer_policy' => env('REFERRER_POLICY', 'strict-origin'),
+
+
    /*
    |--------------------------------------------------------------------------
    | Demo Mode Lockdown