Harden Headers (#2721)

* Basic security headers

* Remove XSS Header (not relevant)

* Fix config name

* Use Arr::get()

* Add tests

* Re-fix the StoreConfig step for fresh installs

Co-authored-by: luceos <luceos@users.noreply.github.com>
Co-authored-by: Alexander Skvortsov <askvortsov1@users.noreply.github.com>
This commit is contained in:
Matt Kilgore 2021-05-03 12:42:06 -04:00 committed by GitHub
parent 9711af42ae
commit 7eea2476ca
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 135 additions and 2 deletions


@ -59,7 +59,9 @@ class AdminServiceProvider extends AbstractServiceProvider
HttpMiddleware\SetLocale::class, HttpMiddleware\SetLocale::class,
'flarum.admin.route_resolver', 'flarum.admin.route_resolver',
HttpMiddleware\CheckCsrfToken::class, HttpMiddleware\CheckCsrfToken::class,
Middleware\RequireAdministrateAbility::class Middleware\RequireAdministrateAbility::class,
HttpMiddleware\ReferrerPolicyHeader::class,
HttpMiddleware\ContentTypeOptionsHeader::class
]; ];
}); });
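Review bot: Both new header middleware are appended after `RequireAdministrateAbility` (and after `CheckCsrfToken`), so a response that an earlier middleware produces without calling the next handler — presumably the 403 for non-admins and the CSRF rejection — never reaches their `process()` and is sent without Referrer-Policy or X-Content-Type-Options; the ForumServiceProvider hunk has the same ordering. Since both middleware only touch the response after `$handler->handle($request)`, they can be registered near the start of the pipeline so that every response, including error responses, carries the headers. The last entry `HttpMiddleware\ContentTypeOptionsHeader::class` is also missing the trailing comma the neighbouring entries carry. The closure that builds this array starts outside the hunk.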


@ -73,6 +73,8 @@ class ForumServiceProvider extends AbstractServiceProvider
HttpMiddleware\CheckCsrfToken::class, HttpMiddleware\CheckCsrfToken::class,
HttpMiddleware\ShareErrorsFromSession::class, HttpMiddleware\ShareErrorsFromSession::class,
HttpMiddleware\FlarumPromotionHeader::class, HttpMiddleware\FlarumPromotionHeader::class,
HttpMiddleware\ReferrerPolicyHeader::class,
HttpMiddleware\ContentTypeOptionsHeader::class
]; ];
}); });


@ -0,0 +1,25 @@
<?php
/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface as Middleware;
use Psr\Http\Server\RequestHandlerInterface;
class ContentTypeOptionsHeader implements Middleware
{
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
$response = $handler->handle($request);
return $response->withAddedHeader('X-Content-Type-Options', 'nosniff');
}
}
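Review bot: `withAddedHeader` on the return line appends rather than replaces, so if the inner handler or another middleware already set X-Content-Type-Options the client receives two values; `return $response->withHeader('X-Content-Type-Options', 'nosniff');` makes the emitted header deterministic regardless of what the handler did. The class has no docblock; I would add `/** Adds X-Content-Type-Options: nosniff to every response so browsers honour the declared Content-Type instead of MIME-sniffing the body. */` above the class declaration.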


@ -0,0 +1,34 @@
<?php
/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/
namespace Flarum\Http\Middleware;
use Flarum\Foundation\Config;
use Illuminate\Support\Arr;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface as Middleware;
use Psr\Http\Server\RequestHandlerInterface;
class ReferrerPolicyHeader implements Middleware
{
protected $policy = '';
public function __construct(Config $config)
{
$this->policy = Arr::get($config, 'headers.referrerPolicy') ?? 'same-origin';
}
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
$response = $handler->handle($request);
return $response->withAddedHeader('Referrer-Policy', $this->policy);
}
}
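Review bot: The value read from `headers.referrerPolicy` in the constructor is emitted verbatim: an empty string survives the `??` fallback and a mis-spelled token yields a header browsers ignore, so a bad config silently drops the protection instead of failing. Validating the value against the tokens the Referrer Policy specification defines and refusing to start with anything else makes a misconfiguration visible at once; falling back to `same-origin` with a logged warning is the softer alternative if a hard failure is unacceptable. `withAddedHeader` in `process()` also appends to any Referrer-Policy an inner handler already set, so `withHeader` is the safer choice for a header that should carry exactly one value. A class docblock naming the config key and its default would help operators, e.g. `Adds a Referrer-Policy header to every response; the policy comes from config key headers.referrerPolicy and defaults to same-origin.`
```php
class ReferrerPolicyHeader implements Middleware
{
    /** Tokens defined by the Referrer Policy specification; anything else is rejected. */
    private const ALLOWED_POLICIES = [
        'no-referrer',
        'no-referrer-when-downgrade',
        'origin',
        'origin-when-cross-origin',
        'same-origin',
        'strict-origin',
        'strict-origin-when-cross-origin',
        'unsafe-url',
    ];

    protected $policy = '';

    public function __construct(Config $config)
    {
        $policy = Arr::get($config, 'headers.referrerPolicy') ?? 'same-origin';

        // Fail loudly on a typo or empty value rather than emitting a header browsers ignore.
        if (!in_array($policy, self::ALLOWED_POLICIES, true)) {
            throw new \InvalidArgumentException('Invalid headers.referrerPolicy value: '.json_encode($policy));
        }

        $this->policy = $policy;
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $response = $handler->handle($request);

        // withHeader, not withAddedHeader: exactly one Referrer-Policy value must reach the client.
        return $response->withHeader('Referrer-Policy', $this->policy);
    }
}
```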


@ -55,10 +55,13 @@ class StoreConfig implements Step, ReversibleStep
{ {
return [ return [
'debug' => $this->debugMode, 'debug' => $this->debugMode,
'poweredByHeader' => true,
'database' => $this->dbConfig->toArray(), 'database' => $this->dbConfig->toArray(),
'url' => (string) $this->baseUrl, 'url' => (string) $this->baseUrl,
'paths' => $this->getPathsConfig(), 'paths' => $this->getPathsConfig(),
'headers' => [
'poweredByHeader' => true,
'referrerPolicy' => 'same-origin',
]
]; ];
} }
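Review bot: The closing `]` of the new `headers` entry has no trailing comma while every sibling entry in the array ends with one; `],` keeps the list consistent and avoids touching this line on the next addition. This hunk only changes what fresh installs write: the top-level `poweredByHeader` key that existing installations already have on disk is dropped here, but nothing in this commit shows the reader of that key being moved to `headers.poweredByHeader`, so presumably that was done elsewhere — worth confirming that an existing config carrying only the old top-level key still behaves as before. The method that builds this array starts outside the hunk.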


@ -0,0 +1,28 @@
<?php
/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/
namespace Flarum\Tests\integration\middleware;
use Flarum\Testing\integration\TestCase;
class ContentTypeOptionsTest extends TestCase
{
/**
* @test
*/
public function has_content_type_options_header()
{
$response = $this->send(
$this->request('GET', '/')
);
$this->assertEquals(200, $response->getStatusCode());
$this->assertArrayHasKey('X-Content-Type-Options', $response->getHeaders());
$this->assertEquals('nosniff', $response->getHeader('X-Content-Type-Options')[0]);
}
}
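Review bot: `has_content_type_options_header` reads the header with `getHeader(...)[0]`, which inspects only the first value and so would not notice a duplicated header (the middleware uses `withAddedHeader`, which appends to any value already present); asserting on the full header line is stricter: `$this->assertSame('nosniff', $response->getHeaderLine('X-Content-Type-Options'));`. `assertSame` also avoids the loose comparison `assertEquals` applies to a string. The test exercises only the forum pipeline via `/`; the admin pipeline registers the same middleware in this commit but is not covered here, so a request through an admin route with an authenticated admin user would close that gap if the test base class supports it.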


@ -0,0 +1,39 @@
<?php
/*
* This file is part of Flarum.
*
* For detailed copyright and license information, please view the
* LICENSE file that was distributed with this source code.
*/
namespace Flarum\Tests\integration\middleware;
use Flarum\Testing\integration\TestCase;
class ReferrerPolicyTest extends TestCase
{
/**
* @test
*/
public function has_referer_header()
{
$response = $this->send(
$this->request('GET', '/')
);
$this->assertEquals(200, $response->getStatusCode());
$this->assertArrayHasKey('Referrer-Policy', $response->getHeaders());
}
/**
* @test
*/
public function has_default_referer_policy()
{
$response = $this->send(
$this->request('GET', '/')
);
$this->assertEquals(200, $response->getStatusCode());
$this->assertEquals('same-origin', $response->getHeader('Referrer-Policy')[0]);
}
}
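Review bot: The two test names say `referer` while the header and the middleware are named `Referrer-Policy`; renaming them to `has_referrer_policy_header` and `has_default_referrer_policy` keeps the tests findable when searching for the header. Both tests send the same request and `has_default_referer_policy` already implies the presence check, so the first test adds no coverage; what is missing is a case where `headers.referrerPolicy` is set to a non-default value in the test config to show the configured value is actually emitted, if the harness allows the config to be overridden. Comparing with `$this->assertSame('same-origin', $response->getHeaderLine('Referrer-Policy'));` would also catch an appended duplicate value that `getHeader(...)[0]` ignores.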