mirror of
https://github.com/flarum/framework.git
synced 2024-11-22 12:31:41 +08:00
Harden Headers (#2721)
* Basic security headers * Remove XSS Header (not relevent) * Fix config name * Use Arr::get() * Add tests * Re-fix the StoreConfig step for fresh installs Co-authored-by: luceos <luceos@users.noreply.github.com> Co-authored-by: Alexander Skvortsov <askvortsov1@users.noreply.github.com>
This commit is contained in:
parent
9711af42ae
commit
7eea2476ca
|
@ -59,7 +59,9 @@ class AdminServiceProvider extends AbstractServiceProvider
|
|||
HttpMiddleware\SetLocale::class,
|
||||
'flarum.admin.route_resolver',
|
||||
HttpMiddleware\CheckCsrfToken::class,
|
||||
Middleware\RequireAdministrateAbility::class
|
||||
Middleware\RequireAdministrateAbility::class,
|
||||
HttpMiddleware\ReferrerPolicyHeader::class,
|
||||
HttpMiddleware\ContentTypeOptionsHeader::class
|
||||
];
|
||||
});
|
||||
|
||||
|
|
|
@ -73,6 +73,8 @@ class ForumServiceProvider extends AbstractServiceProvider
|
|||
HttpMiddleware\CheckCsrfToken::class,
|
||||
HttpMiddleware\ShareErrorsFromSession::class,
|
||||
HttpMiddleware\FlarumPromotionHeader::class,
|
||||
HttpMiddleware\ReferrerPolicyHeader::class,
|
||||
HttpMiddleware\ContentTypeOptionsHeader::class
|
||||
];
|
||||
});
|
||||
|
||||
|
|
25
src/Http/Middleware/ContentTypeOptionsHeader.php
Normal file
25
src/Http/Middleware/ContentTypeOptionsHeader.php
Normal file
|
@ -0,0 +1,25 @@
|
|||
<?php
|
||||
|
||||
/*
|
||||
* This file is part of Flarum.
|
||||
*
|
||||
* For detailed copyright and license information, please view the
|
||||
* LICENSE file that was distributed with this source code.
|
||||
*/
|
||||
|
||||
namespace Flarum\Http\Middleware;
|
||||
|
||||
use Psr\Http\Message\ResponseInterface;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
use Psr\Http\Server\MiddlewareInterface as Middleware;
|
||||
use Psr\Http\Server\RequestHandlerInterface;
|
||||
|
||||
class ContentTypeOptionsHeader implements Middleware
|
||||
{
|
||||
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
|
||||
{
|
||||
$response = $handler->handle($request);
|
||||
|
||||
return $response->withAddedHeader('X-Content-Type-Options', 'nosniff');
|
||||
}
|
||||
}
|
34
src/Http/Middleware/ReferrerPolicyHeader.php
Normal file
34
src/Http/Middleware/ReferrerPolicyHeader.php
Normal file
|
@ -0,0 +1,34 @@
|
|||
<?php
|
||||
|
||||
/*
|
||||
* This file is part of Flarum.
|
||||
*
|
||||
* For detailed copyright and license information, please view the
|
||||
* LICENSE file that was distributed with this source code.
|
||||
*/
|
||||
|
||||
namespace Flarum\Http\Middleware;
|
||||
|
||||
use Flarum\Foundation\Config;
|
||||
use Illuminate\Support\Arr;
|
||||
use Psr\Http\Message\ResponseInterface;
|
||||
use Psr\Http\Message\ServerRequestInterface;
|
||||
use Psr\Http\Server\MiddlewareInterface as Middleware;
|
||||
use Psr\Http\Server\RequestHandlerInterface;
|
||||
|
||||
class ReferrerPolicyHeader implements Middleware
|
||||
{
|
||||
protected $policy = '';
|
||||
|
||||
public function __construct(Config $config)
|
||||
{
|
||||
$this->policy = Arr::get($config, 'headers.referrerPolicy') ?? 'same-origin';
|
||||
}
|
||||
|
||||
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
|
||||
{
|
||||
$response = $handler->handle($request);
|
||||
|
||||
return $response->withAddedHeader('Referrer-Policy', $this->policy);
|
||||
}
|
||||
}
|
|
@ -55,10 +55,13 @@ class StoreConfig implements Step, ReversibleStep
|
|||
{
|
||||
return [
|
||||
'debug' => $this->debugMode,
|
||||
'poweredByHeader' => true,
|
||||
'database' => $this->dbConfig->toArray(),
|
||||
'url' => (string) $this->baseUrl,
|
||||
'paths' => $this->getPathsConfig(),
|
||||
'headers' => [
|
||||
'poweredByHeader' => true,
|
||||
'referrerPolicy' => 'same-origin',
|
||||
]
|
||||
];
|
||||
}
|
||||
|
||||
|
|
28
tests/integration/middleware/ContentTypeOptionsTest.php
Normal file
28
tests/integration/middleware/ContentTypeOptionsTest.php
Normal file
|
@ -0,0 +1,28 @@
|
|||
<?php
|
||||
|
||||
/*
|
||||
* This file is part of Flarum.
|
||||
*
|
||||
* For detailed copyright and license information, please view the
|
||||
* LICENSE file that was distributed with this source code.
|
||||
*/
|
||||
|
||||
namespace Flarum\Tests\integration\middleware;
|
||||
|
||||
use Flarum\Testing\integration\TestCase;
|
||||
|
||||
class ContentTypeOptionsTest extends TestCase
|
||||
{
|
||||
/**
|
||||
* @test
|
||||
*/
|
||||
public function has_content_type_options_header()
|
||||
{
|
||||
$response = $this->send(
|
||||
$this->request('GET', '/')
|
||||
);
|
||||
$this->assertEquals(200, $response->getStatusCode());
|
||||
$this->assertArrayHasKey('X-Content-Type-Options', $response->getHeaders());
|
||||
$this->assertEquals('nosniff', $response->getHeader('X-Content-Type-Options')[0]);
|
||||
}
|
||||
}
|
39
tests/integration/middleware/ReferrerPolicyTest.php
Normal file
39
tests/integration/middleware/ReferrerPolicyTest.php
Normal file
|
@ -0,0 +1,39 @@
|
|||
<?php
|
||||
|
||||
/*
|
||||
* This file is part of Flarum.
|
||||
*
|
||||
* For detailed copyright and license information, please view the
|
||||
* LICENSE file that was distributed with this source code.
|
||||
*/
|
||||
|
||||
namespace Flarum\Tests\integration\middleware;
|
||||
|
||||
use Flarum\Testing\integration\TestCase;
|
||||
|
||||
class ReferrerPolicyTest extends TestCase
|
||||
{
|
||||
/**
|
||||
* @test
|
||||
*/
|
||||
public function has_referer_header()
|
||||
{
|
||||
$response = $this->send(
|
||||
$this->request('GET', '/')
|
||||
);
|
||||
$this->assertEquals(200, $response->getStatusCode());
|
||||
$this->assertArrayHasKey('Referrer-Policy', $response->getHeaders());
|
||||
}
|
||||
|
||||
/**
|
||||
* @test
|
||||
*/
|
||||
public function has_default_referer_policy()
|
||||
{
|
||||
$response = $this->send(
|
||||
$this->request('GET', '/')
|
||||
);
|
||||
$this->assertEquals(200, $response->getStatusCode());
|
||||
$this->assertEquals('same-origin', $response->getHeader('Referrer-Policy')[0]);
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user