
Commit f95ce84

committed
add security headers
1 parent ad9de23 commit f95ce84


3 files changed

+173
-6
lines changed


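--- a/composer.json
+++ b/composer.json
@@ -20,7 +20,8 @@
 "league/flysystem": "^2.2",
 "linkorb/jsmin-php": "^1.0",
 "natxet/cssmin": "^3.0",
-"cakedc/cakephp-cached-routing": "^1.0"
+"cakedc/cakephp-cached-routing": "^1.0",
+"paragonie/csp-builder": "^2.9"
 },
 "require-dev": {
 "psy/psysh": "@stable",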

composer.lock

+128-2

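--- a/src/Application.php
+++ b/src/Application.php
@@ -14,16 +14,23 @@
 * @since 3.3.0
 * @license https://opensource.org/licenses/mit-license.php MIT License
 */
+
 namespace App;
 
-use CakeDC\CachedRouting\Routing\Middleware\CachedRoutingMiddleware;
 use Cake\Core\Configure;
 use Cake\Core\ContainerInterface;
 use Cake\Error\Middleware\ErrorHandlerMiddleware;
 use Cake\Http\BaseApplication;
-use Cake\Http\MiddlewareQueue;
 use Cake\Http\Middleware\BodyParserMiddleware;
+use Cake\Http\Middleware\CspMiddleware;
+use Cake\Http\Middleware\HttpsEnforcerMiddleware;
+use Cake\Http\Middleware\SecurityHeadersMiddleware;
+use Cake\Http\MiddlewareQueue;
 use Cake\Routing\Middleware\AssetMiddleware;
+use CakeDC\CachedRouting\Routing\Middleware\CachedRoutingMiddleware;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
 
 /**
 * Application setup class.
@@ -77,7 +84,40 @@ public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
 // Catch any exceptions in the lower layers,
 // and make an error page/response
 ->add(new ErrorHandlerMiddleware(Configure::read('Error')))
-
+->add(new CspMiddleware([
+'script-src' => [
+'allow' => [
+'https://www.googletagmanager.com/',
+'https://www.google.com/',
+'https://www.gstatic.com/',
+'https://connect.facebook.net/',
+'https://platform.twitter.com/',
+],
+'self' => true,
+'unsafe-inline' => true,
+'unsafe-eval' => true,
+],
+"upgrade-insecure-requests" => true,
+]))
+->add((new SecurityHeadersMiddleware())
+->setReferrerPolicy()
+->setXFrameOptions()
+->noOpen()
+->noSniff())
+->add(function(
+ServerRequestInterface $request,
+RequestHandlerInterface $handler
+): ResponseInterface {
+return $handler->handle($request)
+->withHeader('Permissions-Policy', 'camera=(), geolocation=(), microphone=(), usb=()');
+})
+->add(new HttpsEnforcerMiddleware([
+'hsts' => [
+'maxAge' => 600,
+'includeSubDomains' => true,
+'preload' => false,
+],
+]))
 // Handle plugin/theme assets like CakePHP normally does.
 ->add(new AssetMiddleware([
 'cacheTime' => Configure::read('Asset.cacheTime'),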
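Review bot: The `script-src` block sets both `'unsafe-inline' => true` and `'unsafe-eval' => true`, which lets any injected inline script or `eval()` call execute and so removes most of the XSS protection the new policy would otherwise provide; the enclosing `middleware()` method starts before this hunk. The usual fix is to drop those two flags and move inline scripts to nonces — CakePHP's `CspMiddleware` can emit a per-request nonce through its options argument (`new CspMiddleware([...], ['scriptNonce' => true])`), if the framework version in use supports it. The policy also states no `default-src`, `object-src`, `base-uri` or `frame-ancestors` directive, so unless csp-builder supplies a restrictive default those fetch types remain unconstrained. Note as well that these middlewares are queued after `ErrorHandlerMiddleware`, so as far as I can tell the error responses it renders for exceptions thrown further down the stack will not carry the CSP, security or Permissions-Policy headers. `'maxAge' => 600` keeps HSTS at ten minutes, which is reasonable for a rollout but should be raised once the site is confirmed HTTPS-only.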
