mirror of
https://github.com/typemill/typemill.git
synced 2025-08-05 13:47:37 +02:00
Custom header middleware to improve security
This commit is contained in:
trendschau
46
system/typemill/Middleware/CustomHeadersMiddleware.php
Normal file
46
system/typemill/Middleware/CustomHeadersMiddleware.php
Normal file
@@ -0,0 +1,46 @@
|
||||
<?php
|
||||
|
||||
namespace Typemill\Middleware;
|
||||
|
||||
use Psr\Http\Server\MiddlewareInterface;
|
||||
use Psr\Http\Message\ServerRequestInterface as Request;
|
||||
use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
|
||||
use Slim\Psr7\Response;
|
||||
|
||||
class CustomHeadersMiddleware implements MiddlewareInterface
|
||||
{
|
||||
protected $settings;
|
||||
|
||||
public function __construct($settings)
|
||||
{
|
||||
$this->settings = $settings;
|
||||
}
|
||||
|
||||
public function process(Request $request, RequestHandler $handler) :response
|
||||
{
|
||||
$scheme = $request->getUri()->getScheme();
|
||||
|
||||
$response = $handler->handle($request);
|
||||
|
||||
$response = $response->withoutHeader('Server');
|
||||
$response = $response->withHeader('X-Powered-By', 'Typemill');
|
||||
|
||||
$headersOff = $this->settings['headersoff'] ?? false;
|
||||
|
||||
if(!$headersOff)
|
||||
{
|
||||
$response = $response
|
||||
->withHeader('X-Content-Type-Options', 'nosniff')
|
||||
->withHeader('X-Frame-Options', 'SAMEORIGIN')
|
||||
->withHeader('X-XSS-Protection', '1;mode=block')
|
||||
->withHeader('Referrer-Policy', 'no-referrer-when-downgrade');
|
||||
|
||||
if($scheme == 'https')
|
||||
{
|
||||
$response = $response->withHeader('Strict-Transport-Security', 'max-age=63072000');
|
||||
}
|
||||
}
|
||||
|
||||
return $response;
|
||||
}
|
||||
}
|
||||
@@ -236,4 +236,8 @@ fieldsetdeveloper:
|
||||
checkboxlabel: Use x-forwarded-header.
|
||||
trustedproxies:
|
||||
type: text
|
||||
label: Trusted IPs for proxies (comma separated)
|
||||
label: Trusted IPs for proxies (comma separated)
|
||||
headersoff:
|
||||
type: checkbox
|
||||
label: Disable Custom Headers
|
||||
checkboxlabel: Disable all custom headers of Typemill and send your own headers instead.
|
||||
@@ -28,6 +28,7 @@ use Typemill\Middleware\JsonBodyParser;
|
||||
use Typemill\Middleware\FlashMessages;
|
||||
use Typemill\Middleware\AssetMiddleware;
|
||||
use Typemill\Middleware\SecurityMiddleware;
|
||||
use Typemill\Middleware\CustomHeadersMiddleware;
|
||||
use Typemill\Extensions\TwigCsrfExtension;
|
||||
use Typemill\Extensions\TwigUrlExtension;
|
||||
use Typemill\Extensions\TwigUserExtension;
|
||||
@@ -304,6 +305,8 @@ foreach($middleware as $pluginMiddleware)
|
||||
}
|
||||
}
|
||||
|
||||
$app->add(new CustomHeadersMiddleware($settings));
|
||||
|
||||
$app->add(new AssetMiddleware($assets, $container->get('view')));
|
||||
|
||||
$app->add(new ValidationErrorsMiddleware($container->get('view')));
|
||||
|
||||
Reference in New Issue
Block a user