diff --git a/.env.example b/.env.example
index b3b0b0e4e..4ec2ee6aa 100644
--- a/.env.example
+++ b/.env.example
@@ -71,6 +71,7 @@ ALLOW_IFRAMING=false
 REFERRER_POLICY=same-origin
 ENABLE_CSP=false
 CORS_ALLOWED_ORIGINS=null
+ENABLE_HSTS=false
 
 # --------------------------------------------
 # OPTIONAL: CACHE SETTINGS
diff --git a/app/Http/Middleware/SecurityHeaders.php b/app/Http/Middleware/SecurityHeaders.php
index 7a75bfdc9..2c35ad80e 100644
--- a/app/Http/Middleware/SecurityHeaders.php
+++ b/app/Http/Middleware/SecurityHeaders.php
@@ -24,24 +24,39 @@ class SecurityHeaders {
 $this->removeUnwantedHeaders($this->unwantedHeaderList);
 $response = $next($request);
+ $response->headers->set('Referrer-Policy', config('app.referrer_policy'));
 $response->headers->set('X-Content-Type-Options', 'nosniff');
 $response->headers->set('X-XSS-Protection', '1; mode=block');
- $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+ $response->headers->set('Feature-Policy', 'self');
 if (config('app.allow_iframing') == false) {
 $response->headers->set('X-Frame-Options', 'DENY');
 }
- $policy[] = "default-src 'self'";
- $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
- $policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com";
- $policy[] = "connect-src 'self'";
- $policy[] = "object-src 'none'";
- $policy[] = "font-src 'self' data:";
- $policy[] = "img-src 'self' data: gravatar.com";
- $policy = join(';', $policy);
- $response->headers->set('Content-Security-Policy', $policy);
+
+ // This defaults to false to maintain backwards compatibility
+ // people who are not running Snipe-IT over TLS (shame, shame, shame!)
+ // Seriously though, please run Snipe-IT over TLS. Let's Encrypt is free.
+ // https://letsencrypt.org
+
+ if (config('app.enable_hsts') === true) {
+ $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+ }
+
+ // We have to exclude debug mode here because debugbar pulls from a CDN or two
+ // and it will break things.
+ if ((config('app.debug')!='true') || (config('app.enable_csp')=='true')) {
+ $policy[] = "default-src 'self'";
+ $policy[] = "style-src 'self' 'unsafe-inline'";
+ $policy[] = "script-src 'self' 'unsafe-inline'";
+ $policy[] = "connect-src 'self'";
+ $policy[] = "object-src 'none'";
+ $policy[] = "font-src 'self' data:";
+ $policy[] = "img-src 'self' data: gravatar.com";
+ $policy = join(';', $policy);
+ $response->headers->set('Content-Security-Policy', $policy);
+ }
 return $response;
 }
diff --git a/config/app.php b/config/app.php
index 07d2ac6ef..42044284a 100755
--- a/config/app.php
+++ b/config/app.php
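Review bot: The CSP guard `if ((config('app.debug')!='true') || (config('app.enable_csp')=='true'))` compares config values that are normally booleans (`env()` turns "true"/"false" into bool, as the new `enable_hsts` entry relies on) to the string 'true', and only works because loose comparison makes `true == 'true'`; a value `env()` does not convert, such as `APP_DEBUG=1`, stays a string, the first clause becomes true and the policy is sent in debug mode, which is exactly what the comment above says must not happen. The HSTS check a few lines up uses strict `=== true` instead, so `ENABLE_HSTS=1` would silently leave HSTS off; normalising both to booleans keeps them consistent, e.g. `if (!config('app.debug') || config('app.enable_csp')) {` and `if (config('app.enable_hsts')) {`, or `filter_var(config('app.enable_hsts'), FILTER_VALIDATE_BOOLEAN)` if string values must be tolerated. Note also that with this condition the policy is always sent when debug is off, so `ENABLE_CSP` only forces it on in debug mode rather than toggling it, and the comment above the `if` should say so. Separately, the added `Feature-Policy: self` is not a valid value for that header — each directive is a feature name followed by an allowlist (e.g. `camera 'none'; microphone 'none'`) — so browsers ignore it as written and it adds no restriction; list the features you intend to restrict or drop the line. The signature of `handle()` is above the hunk.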
@@ -197,19 +197,33 @@ return [
 /*
- |--------------------------------------------------------------------------
- | ALLOW I-FRAMING
- |--------------------------------------------------------------------------
- |
- | Normal users will never need to edit this. This option lets you run
- | Snipe-IT within an I-Frame, which is normally disabled by default for
- | security reasons, to prevent clickjacking. It should normally be set to false.
- |
- */
+ |--------------------------------------------------------------------------
+ | ALLOW I-FRAMING
+ |--------------------------------------------------------------------------
+ |
+ | Normal users will never need to edit this. This option lets you run
+ | Snipe-IT within an I-Frame, which is normally disabled by default for
+ | security reasons, to prevent clickjacking. It should normally be set to false.
+ |
+ */
 'allow_iframing' => env('ALLOW_IFRAMING', false),
+ /*
+ |--------------------------------------------------------------------------
+ | ENABLE HTTP Strict Transport Security (HSTS)
+ |--------------------------------------------------------------------------
+ |
+ | This is set to default false for backwards compatibilty but should be
+ | set to true if the hosting environment allows it.
+ |
+ | See https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
+ |
+ */
+
+ 'enable_hsts' => env('ENABLE_HSTS', false),
+
 /*
 |--------------------------------------------------------------------------
 | REFERRER-POLICY
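Review bot: The new `enable_hsts` comment block tells operators to turn it on "if the hosting environment allows it" without saying what the header commits them to: the middleware sends `max-age=31536000; includeSubDomains`, so once a browser has seen it over HTTPS it refuses plain-HTTP connections to this host and every subdomain for a year, and the only way back is to serve `max-age=0` over a working HTTPS endpoint. Suggest adding a line such as `| The header sent includes includeSubDomains with a one-year max-age, so only enable it once this host and all of its subdomains are served over TLS.` Minor: "compatibilty" is misspelled in the added text.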