From 8a19620201c862d3d8f30e26d4d7f74293428190 Mon Sep 17 00:00:00 2001
From: trendschau
Date: Wed, 27 Dec 2023 21:54:28 +0100
Subject: [PATCH] Custom header middleware to improve security
---
.../Middleware/CustomHeadersMiddleware.php | 46 +++++++++++++++++++
system/typemill/settings/system.yaml | 6 ++-
system/typemill/system.php | 3 ++
3 files changed, 54 insertions(+), 1 deletion(-)
create mode 100644 system/typemill/Middleware/CustomHeadersMiddleware.php
diff --git a/system/typemill/Middleware/CustomHeadersMiddleware.php b/system/typemill/Middleware/CustomHeadersMiddleware.php
new file mode 100644
index 0000000..185cae6
--- /dev/null
+++ b/system/typemill/Middleware/CustomHeadersMiddleware.php
@@ -0,0 +1,46 @@
+settings = $settings;
+ }
+
+ public function process(Request $request, RequestHandler $handler) :response
+ {
+ $scheme = $request->getUri()->getScheme();
+
+ $response = $handler->handle($request);
+
+ $response = $response->withoutHeader('Server');
+ $response = $response->withHeader('X-Powered-By', 'Typemill');
+
+ $headersOff = $this->settings['headersoff'] ?? false;
+
+ if(!$headersOff)
+ {
+ $response = $response
+ ->withHeader('X-Content-Type-Options', 'nosniff')
+ ->withHeader('X-Frame-Options', 'SAMEORIGIN')
+ ->withHeader('X-XSS-Protection', '1;mode=block')
+ ->withHeader('Referrer-Policy', 'no-referrer-when-downgrade');
+
+ if($scheme == 'https')
+ {
+ $response = $response->withHeader('Strict-Transport-Security', 'max-age=63072000');
+ }
+ }
+
+ return $response;
+ }
+}
\ No newline at end of file
diff --git a/system/typemill/settings/system.yaml b/system/typemill/settings/system.yaml
index 739222a..aa9ed44 100644
--- a/system/typemill/settings/system.yaml
+++ b/system/typemill/settings/system.yaml
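Review bot: `Strict-Transport-Security` is only sent when `$request->getUri()->getScheme()` is `https`, so on a deployment where TLS is terminated by a reverse proxy the scheme PHP sees may be `http` and HSTS is never emitted; the `trustedproxies` / x-forwarded settings this commit sits next to suggest that setup exists, so the check should either rely on the forwarded-proto handling or be documented as requiring it, and the loose comparison should be `if($scheme === 'https')`. `X-XSS-Protection: 1;mode=block` is a legacy header whose auditor has been removed from current browsers and which current guidance (e.g. OWASP) recommends setting to `0` or omitting, so `->withHeader('X-XSS-Protection', '0')` is the safer value. `withoutHeader('Server')` can only strip a header present in the PSR-7 response; a `Server` header added by the web server itself is unaffected, so a comment such as `// the web server's own Server header must be disabled in its config` would avoid a false sense of coverage. `X-Powered-By: Typemill` reintroduces a product fingerprint in a patch whose stated aim is hardening, which seems worth reconsidering. The class header, constructor signature and use statements at the start of this hunk are not visible in this chunk.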
@@ -236,4 +236,8 @@ fieldsetdeveloper: checkboxlabel: Use x-forwarded-header. trustedproxies: type: text - label: Trusted IPs for proxies (comma separated) \ No newline at end of file + label: Trusted IPs for proxies (comma separated) + headersoff: + type: checkbox + label: Disable Custom Headers + checkboxlabel: Disable all custom headers of Typemill and send your own headers instead. \ No newline at end of file diff --git a/system/typemill/system.php b/system/typemill/system.php index 157b64a..2fa40c0 100644 --- a/system/typemill/system.php +++ b/system/typemill/system.php @@ -28,6 +28,7 @@ use Typemill\Middleware\JsonBodyParser; use Typemill\Middleware\FlashMessages; use Typemill\Middleware\AssetMiddleware; use Typemill\Middleware\SecurityMiddleware; +use Typemill\Middleware\CustomHeadersMiddleware; use Typemill\Extensions\TwigCsrfExtension; use Typemill\Extensions\TwigUrlExtension; use Typemill\Extensions\TwigUserExtension; @@ -304,6 +305,8 @@ foreach($middleware as $pluginMiddleware) } } +$app->add(new CustomHeadersMiddleware($settings)); + $app->add(new AssetMiddleware($assets, $container->get('view'))); $app->add(new ValidationErrorsMiddleware($container->get('view')));
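Review bot: `$app->add(new CustomHeadersMiddleware($settings));` is registered before `AssetMiddleware` and `ValidationErrorsMiddleware`; in Slim the last-added middleware is the outermost, so those two (and any `$app->add()` calls further down, outside this hunk) execute outside the headers middleware, and a response they produce without calling `$handler->handle()` would leave without the security headers — whether that happens depends on what those middlewares do, which is not visible here. If the intent is that every response carries the headers, the line should be moved after the last `$app->add()` in the file so it becomes the outermost layer. The foreach closed by the `}` context lines begins outside the hunk.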