mirror of
https://github.com/pelican-dev/panel.git
synced 2026-05-04 18:00:48 +03:00
1817383bf5
Co-authored-by: DaneEveritt <dane@daneeveritt.com> Co-authored-by: danny6167 <danielb@purpleflaghosting.com> Co-authored-by: MrSoulPenguin <28676680+MrSoulPenguin@users.noreply.github.com>
47 lines
1.4 KiB
PHP
47 lines
1.4 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Http\Response;
|
|
|
|
class SetSecurityHeaders
|
|
{
|
|
/**
|
|
* Ideally we move away from X-Frame-Options/X-XSS-Protection and implement a
|
|
* proper standard CSP, but I can guarantee that will break for a lot of folks
|
|
* using custom plugins and who knows what image embeds.
|
|
*
|
|
* We'll circle back to that at a later date when it can be more fully controlled
|
|
* by the admin to support those cases without too much trouble.
|
|
*
|
|
* @var array<string, string>
|
|
*/
|
|
protected static array $headers = [
|
|
'X-Frame-Options' => 'DENY',
|
|
'X-Content-Type-Options' => 'nosniff',
|
|
'X-XSS-Protection' => '1; mode=block',
|
|
'Referrer-Policy' => 'no-referrer-when-downgrade',
|
|
];
|
|
|
|
/**
|
|
* Enforces some basic security headers on all responses returned by the software.
|
|
* If a header has already been set in another location within the code it will be
|
|
* skipped over here.
|
|
*
|
|
* @param (\Closure(mixed): Response) $next
|
|
*/
|
|
public function handle(Request $request, \Closure $next): mixed
|
|
{
|
|
$response = $next($request);
|
|
|
|
foreach (static::$headers as $key => $value) {
|
|
if (!$response->headers->has($key)) {
|
|
$response->headers->set($key, $value);
|
|
}
|
|
}
|
|
|
|
return $response;
|
|
}
|
|
}
|