From 3de297b7a7dc2de96a89f4fc26dcddb7b362e0d8 Mon Sep 17 00:00:00 2001 From: devansh bawari Date: Wed, 4 Aug 2021 16:52:36 +0530 Subject: [PATCH] Header Policies Added --- app/Http/Kernel.php | 9 +-- .../src/Http/Middleware/SecureHeaders.php | 62 +++++++++++++++++++ 2 files changed, 67 insertions(+), 4 deletions(-) create mode 100644 packages/Webkul/Core/src/Http/Middleware/SecureHeaders.php diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index 3fc667cf3..ba47404a1 100755 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -14,10 +14,11 @@ class Kernel extends HttpKernel * @var array */ protected $middleware = [ - \Webkul\Core\Http\Middleware\CheckForMaintenanceMode::class, - \App\Http\Middleware\EncryptCookies::class, - \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class, - \Illuminate\Session\Middleware\StartSession::class, + \Webkul\Core\Http\Middleware\CheckForMaintenanceMode::class, + \App\Http\Middleware\EncryptCookies::class, + \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class, + \Illuminate\Session\Middleware\StartSession::class, + \Webkul\Core\Http\Middleware\SecureHeaders::class, ]; /** diff --git a/packages/Webkul/Core/src/Http/Middleware/SecureHeaders.php b/packages/Webkul/Core/src/Http/Middleware/SecureHeaders.php new file mode 100644 index 000000000..64c2085cf --- /dev/null +++ b/packages/Webkul/Core/src/Http/Middleware/SecureHeaders.php @@ -0,0 +1,62 @@ +removeUnwantedHeaders(); + + $response = $next($request); + + $this->setHeaders($response); + + return $response; + } + + /** + * Set headers. + * + * @return void + */ + private function setHeaders($response) + { + $response->headers->set('Referrer-Policy', 'no-referrer-when-downgrade'); + $response->headers->set('X-Content-Type-Options', 'nosniff'); + $response->headers->set('X-XSS-Protection', '1; mode=block'); + $response->headers->set('X-Frame-Options', 'DENY'); + $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'); + } + + /** + * Remove unwanted headers. + * + * @return void + */ + private function removeUnwantedHeaders() + { + foreach ($this->unwantedHeaderList as $header) { + header_remove($header); + } + } +}