From 36c8f7f4f116666c63ae7bc0d12e15f77a8fd6bc Mon Sep 17 00:00:00 2001
From: snipe
Date: Mon, 22 Jun 2020 22:31:01 -0700
Subject: [PATCH] Additional security headers
---
 app/Http/Kernel.php | 7 +--
 app/Http/Middleware/FrameGuard.php | 24 ----------
 app/Http/Middleware/NosniffGuard.php | 21 ---------
 app/Http/Middleware/SecurityHeaders.php | 56 ++++++++++++++++++++++++
 app/Http/Middleware/XssProtectHeader.php | 22 ----------
 5 files changed, 58 insertions(+), 72 deletions(-)
 delete mode 100644 app/Http/Middleware/FrameGuard.php
 delete mode 100644 app/Http/Middleware/NosniffGuard.php
 create mode 100644 app/Http/Middleware/SecurityHeaders.php
 delete mode 100644 app/Http/Middleware/XssProtectHeader.php
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index da3c5092b..004549679 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -17,15 +17,12 @@ class Kernel extends HttpKernel
 \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
 \Illuminate\Session\Middleware\StartSession::class,
 \Illuminate\View\Middleware\ShareErrorsFromSession::class,
- \App\Http\Middleware\FrameGuard::class,
- \App\Http\Middleware\XssProtectHeader::class,
- \App\Http\Middleware\ReferrerPolicyHeader::class,
- \App\Http\Middleware\ContentSecurityPolicyHeader::class,
- \App\Http\Middleware\NosniffGuard::class,
 \Fideloper\Proxy\TrustProxies::class,
 \App\Http\Middleware\CheckForSetup::class,
 \App\Http\Middleware\CheckForDebug::class,
 \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
+ \App\Http\Middleware\SecurityHeaders::class,
+
 ];
 /**
diff --git a/app/Http/Middleware/FrameGuard.php b/app/Http/Middleware/FrameGuard.php
deleted file mode 100644
index beb19f20f..000000000
--- a/app/Http/Middleware/FrameGuard.php
+++ /dev/null
@@ -1,24 +0,0 @@
-headers->set('X-Frame-Options', 'SAMEORIGIN', false);
- }
- return $response;
-
- }
-} 
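Review bot: The hunk unregisters `\App\Http\Middleware\ReferrerPolicyHeader::class` and `\App\Http\Middleware\ContentSecurityPolicyHeader::class` from the global middleware stack, but unlike FrameGuard, NosniffGuard and XssProtectHeader those two files are not deleted in this commit (the diffstat lists only three deletions), so they stay in the tree as unregistered code whose header values can silently diverge from the ones SecurityHeaders now emits. Either delete them in the same commit or add a one-line comment above the new `\App\Http\Middleware\SecurityHeaders::class` entry stating why they are kept. Registering SecurityHeaders after `\Fideloper\Proxy\TrustProxies::class` looks like the right order if the middleware ever consults the request scheme, since the proxy handling runs first; the surrounding `$middleware` array starts above the hunk.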
diff --git a/app/Http/Middleware/NosniffGuard.php b/app/Http/Middleware/NosniffGuard.php
deleted file mode 100644
index 295f5e75a..000000000
--- a/app/Http/Middleware/NosniffGuard.php
+++ /dev/null
@@ -1,21 +0,0 @@
-headers->set('X-Content-Type-Options', 'nosniff', false);
- return $response;
- }
-}
diff --git a/app/Http/Middleware/SecurityHeaders.php b/app/Http/Middleware/SecurityHeaders.php
new file mode 100644
index 000000000..8e0b5b945
--- /dev/null
+++ b/app/Http/Middleware/SecurityHeaders.php
@@ -0,0 +1,56 @@
+removeUnwantedHeaders($this->unwantedHeaderList);
+ $response = $next($request);
+ $response->headers->set('Referrer-Policy', 'no-referrer-when-downgrade');
+ $response->headers->set('X-Content-Type-Options', 'nosniff');
+ $response->headers->set('X-XSS-Protection', '1; mode=block');
+ $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+
+ if (config('app.allow_iframing') == false) {
+ $response->headers->set('X-Frame-Options', 'DENY');
+ }
+
+ $policy[] = "default-src 'self'";
+ $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
+ $policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com";
+ $policy[] = "connect-src 'self'";
+ $policy[] = "object-src 'none'";
+ $policy[] = "font-src 'self' data:";
+ $policy[] = "img-src 'self' data: gravatar.com";
+ $policy = join(';', $policy);
+ $response->headers->set('Content-Security-Policy', $policy);
+
+ return $response;
+ }
+
+ private function removeUnwantedHeaders($headerList)
+ {
+ foreach ($headerList as $header)
+ header_remove($header);
+ }
+}
diff --git a/app/Http/Middleware/XssProtectHeader.php b/app/Http/Middleware/XssProtectHeader.php
deleted file mode 100644
index 868d100f3..000000000
--- a/app/Http/Middleware/XssProtectHeader.php
+++ /dev/null
@@ -1,22 +0,0 @@
-headers->set('X-XSS-Protection', $mode);
- return $response;
- }
-}
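Review bot: `Strict-Transport-Security: max-age=31536000; includeSubDomains` is emitted on every response regardless of scheme or operator choice, and for a self-hosted application that means one HTTPS visit pins the browser to HTTPS for the whole domain and all of its subdomains for a year, which cannot be undone quickly if sibling hosts are still served over plain HTTP; gate it on the request having been served over TLS and on an opt-in setting, e.g. `if ($request->secure() && config('app.hsts_enabled')) {` (`app.hsts_enabled` is a constructed placeholder key) around the existing `set('Strict-Transport-Security', ...)` line. The `config('app.allow_iframing') == false` test is a loose comparison, so a non-empty string such as `"false"` arriving uncast from the environment is truthy and would skip the header; `if (config('app.allow_iframing') !== true) {` fails closed so that only an explicit boolean true disables `X-Frame-Options: DENY`. The `script-src` directive carries both `'unsafe-inline'` and `'unsafe-eval'`, which removes most of the protection CSP offers against injected script, so a comment above the `$policy[]` lines stating that this is a deliberate compatibility trade-off and that nonces/hashes are the intended follow-up would stop a later reader from treating the policy as a complete control; building `$policy` as a single array literal rather than appending to an undeclared variable would also satisfy static analysis. The start of `handle()` and the class header are not legible in this hunk, so the `unwantedHeaderList` property cannot be reviewed here; note that `header_remove()` only affects headers PHP has already queued via `header()`, not anything on the Laravel response object, which is presumably why it is called before `$next($request)`, and that deserves a one-line comment on `removeUnwantedHeaders()`.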