diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index 3fc667cf3..ba47404a1 100755 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -14,10 +14,11 @@ class Kernel extends HttpKernel * @var array */ protected $middleware = [ - \Webkul\Core\Http\Middleware\CheckForMaintenanceMode::class, - \App\Http\Middleware\EncryptCookies::class, - \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class, - \Illuminate\Session\Middleware\StartSession::class, + \Webkul\Core\Http\Middleware\CheckForMaintenanceMode::class, + \App\Http\Middleware\EncryptCookies::class, + \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class, + \Illuminate\Session\Middleware\StartSession::class, + \Webkul\Core\Http\Middleware\SecureHeaders::class, ]; /** diff --git a/packages/Webkul/Core/src/Http/Middleware/SecureHeaders.php b/packages/Webkul/Core/src/Http/Middleware/SecureHeaders.php new file mode 100644 index 000000000..64c2085cf --- /dev/null +++ b/packages/Webkul/Core/src/Http/Middleware/SecureHeaders.php @@ -0,0 +1,62 @@ +removeUnwantedHeaders(); + + $response = $next($request); + + $this->setHeaders($response); + + return $response; + } + + /** + * Set headers. + * + * @return void + */ + private function setHeaders($response) + { + $response->headers->set('Referrer-Policy', 'no-referrer-when-downgrade'); + $response->headers->set('X-Content-Type-Options', 'nosniff'); + $response->headers->set('X-XSS-Protection', '1; mode=block'); + $response->headers->set('X-Frame-Options', 'DENY'); + $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); + } + + /** + * Remove unwanted headers. + * + * @return void + */ + private function removeUnwantedHeaders() + { + foreach ($this->unwantedHeaderList as $header) { + header_remove($header); + } + } +}