Header Policies Added

2021-08-04 16:52:36 +05:30 · 2021-08-04 16:52:36 +05:30 · 3de297b7a7
parent 47d6e82ffd
commit 3de297b7a7
2 changed files with 67 additions and 4 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -14,10 +14,11 @@ class Kernel extends HttpKernel
     * @var array
     */
    protected $middleware = [
-            \Webkul\Core\Http\Middleware\CheckForMaintenanceMode::class,
-            \App\Http\Middleware\EncryptCookies::class,
-            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
-            \Illuminate\Session\Middleware\StartSession::class,
+        \Webkul\Core\Http\Middleware\CheckForMaintenanceMode::class,
+        \App\Http\Middleware\EncryptCookies::class,
+        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
+        \Illuminate\Session\Middleware\StartSession::class,
+        \Webkul\Core\Http\Middleware\SecureHeaders::class,
    ];

    /**
--- a/packages/Webkul/Core/src/Http/Middleware/SecureHeaders.php
+++ b/packages/Webkul/Core/src/Http/Middleware/SecureHeaders.php
@ -0,0 +1,62 @@
+<?php
+
+namespace Webkul\Core\Http\Middleware;
+
+use Closure;
+
+class SecureHeaders
+{
+    /**
+     * Unwanted header list.
+     *
+     * @var array
+     */
+    private $unwantedHeaderList = [
+        'X-Powered-By',
+        'Server',
+    ];
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        $this->removeUnwantedHeaders();
+
+        $response = $next($request);
+
+        $this->setHeaders($response);
+
+        return $response;
+    }
+
+    /**
+     * Set headers.
+     *
+     * @return void
+     */
+    private function setHeaders($response)
+    {
+        $response->headers->set('Referrer-Policy', 'no-referrer-when-downgrade');
+        $response->headers->set('X-Content-Type-Options', 'nosniff');
+        $response->headers->set('X-XSS-Protection', '1; mode=block');
+        $response->headers->set('X-Frame-Options', 'DENY');
+        $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+    }
+
+    /**
+     * Remove unwanted headers.
+     *
+     * @return void
+     */
+    private function removeUnwantedHeaders()
+    {
+        foreach ($this->unwantedHeaderList as $header) {
+            header_remove($header);
+        }
+    }
+}