firefly-iii/app/Http/Middleware/SecureHeaders.php

<?php
/**
 * SecureHeaders.php
 * Copyright (c) 2019 james@firefly-iii.org
 *
 * This file is part of Firefly III (https://github.com/firefly-iii).
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

declare(strict_types=1);

namespace FireflyIII\Http\Middleware;

use Closure;
use Exception;
use Illuminate\Http\Request;

/**
 *
 * Class SecureHeaders
 */
class SecureHeaders
{
    /**
     * Handle an incoming request.
     *
     * @param Request $request
     * @param Closure $next
     *
     * @return mixed
     * @throws Exception
     */
    public function handle(Request $request, Closure $next)
    {
        // generate and share nonce.
        $nonce = base64_encode(random_bytes(16));
        app('view')->share('JS_NONCE', $nonce);

        $response          = $next($request);
        $trackingScriptSrc = $this->getTrackingScriptSource();
        $csp               = [
            "default-src 'none'",
            "object-src 'none'",
            sprintf("script-src 'unsafe-eval' 'strict-dynamic' 'self' 'unsafe-inline' 'nonce-%1s' %2s", $nonce, $trackingScriptSrc),
            "style-src 'unsafe-inline' 'self'",
            "base-uri 'self'",
            "font-src 'self' data:",
            sprintf("connect-src 'self' %s", $trackingScriptSrc),
            sprintf("img-src data: 'strict-dynamic' 'self' *.tile.openstreetmap.org %s", $trackingScriptSrc),
            "manifest-src 'self'",
        ];

        $route     = $request->route();
        $customUrl = '';
        $authGuard = (string)config('firefly.authentication_guard');
        $logoutUrl = (string)config('firefly.custom_logout_url');
        if ('remote_user_guard' === $authGuard && '' !== $logoutUrl) {
            $customUrl = $logoutUrl;
        }

        if (null !== $route && 'oauth/authorize' !== $route->uri) {
            $csp[] = sprintf("form-action 'self' %s", $customUrl);
        }

        $featurePolicies = [
            "geolocation 'none'",
            "midi 'none'",
            //"notifications 'none'",
            //"push 'self'",
            "sync-xhr 'self'",
            "microphone 'none'",
            "camera 'none'",
            "magnetometer 'none'",
            "gyroscope 'none'",
            //"speaker 'none'",
            //"vibrate 'none'",
            "fullscreen 'self'",
            "payment 'none'",
        ];

        $disableFrameHeader = config('firefly.disable_frame_header');
        $disableCSP         = config('firefly.disable_csp_header');
        if (false === $disableFrameHeader) {
            $response->header('X-Frame-Options', 'deny');
        }
        if (false === $disableCSP && !$response->headers->has('Content-Security-Policy')) {
            $response->header('Content-Security-Policy', implode('; ', $csp));
        }
        $response->header('X-XSS-Protection', '1; mode=block');
        $response->header('X-Content-Type-Options', 'nosniff');
        $response->header('Referrer-Policy', 'no-referrer');
        $response->header('X-Permitted-Cross-Domain-Policies', 'none');
        $response->header('X-Robots-Tag', 'none');
        $response->header('Feature-Policy', implode('; ', $featurePolicies));

        return $response;
    }

    /**
     * Return part of a CSP header allowing scripts from Matomo.
     *
     * @return string
     */
    private function getTrackingScriptSource(): string
    {
        if ('' !== (string)config('firefly.tracker_site_id') && '' !== (string)config('firefly.tracker_url')) {
            return (string)config('firefly.tracker_url');
        }

        return '';
    }
}
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`<?php`
			`/**`
			`* SecureHeaders.php`
Update email address 2020-01-31 00:32:04 -06:00			`* Copyright (c) 2019 james@firefly-iii.org`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`*`
Update copyright of Firefly III to the GNU Affero General Public License as suggested by @nxxxse in #2607. This applies to all code in this commit from this moment onwards. 2019-10-01 23:37:26 -05:00			`* This file is part of Firefly III (https://github.com/firefly-iii).`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`*`
Update copyright of Firefly III to the GNU Affero General Public License as suggested by @nxxxse in #2607. This applies to all code in this commit from this moment onwards. 2019-10-01 23:37:26 -05:00			`* This program is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as`
			`* published by the Free Software Foundation, either version 3 of the`
			`* License, or (at your option) any later version.`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`*`
Update copyright of Firefly III to the GNU Affero General Public License as suggested by @nxxxse in #2607. This applies to all code in this commit from this moment onwards. 2019-10-01 23:37:26 -05:00			`* This program is distributed in the hope that it will be useful,`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
Update copyright of Firefly III to the GNU Affero General Public License as suggested by @nxxxse in #2607. This applies to all code in this commit from this moment onwards. 2019-10-01 23:37:26 -05:00			`* GNU Affero General Public License for more details.`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`*`
Update copyright of Firefly III to the GNU Affero General Public License as suggested by @nxxxse in #2607. This applies to all code in this commit from this moment onwards. 2019-10-01 23:37:26 -05:00			`* You should have received a copy of the GNU Affero General Public License`
			`* along with this program. If not, see <https://www.gnu.org/licenses/>.`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`*/`

			`declare(strict_types=1);`

			`namespace FireflyIII\Http\Middleware;`

			`use Closure;`
Code cleanup that (hopefully) matches style CI 2020-03-17 09:02:57 -05:00			`use Exception;`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`use Illuminate\Http\Request;`

			`/**`
			`*`
			`* Class SecureHeaders`
			`*/`
			`class SecureHeaders`
			`{`
			`/**`
Code for #2920 2020-01-04 04:00:44 -06:00			`* Handle an incoming request.`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`*`
chore: reformat code. 2023-06-21 05:34:58 -05:00			`* @param Request $request`
			`* @param Closure $next`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`*`
			`* @return mixed`
Code cleanup 2021-03-21 03:15:40 -05:00			`* @throws Exception`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00			`*/`
			`public function handle(Request $request, Closure $next)`
			`{`
Improve config of CSP headers. 2020-01-10 22:28:20 -06:00			`// generate and share nonce.`
Code for #2920 2020-01-04 04:00:44 -06:00			`$nonce = base64_encode(random_bytes(16));`
			`app('view')->share('JS_NONCE', $nonce);`

Code cleanup. 2021-03-28 04:46:23 -05:00			`$response = $next($request);`
Update analytics code. 2020-01-16 21:30:44 -06:00			`$trackingScriptSrc = $this->getTrackingScriptSource();`
Code cleanup. 2021-03-28 04:46:23 -05:00			`$csp = [`
Fix various issues in forms. 2021-04-08 10:41:19 -05:00			`"default-src 'none'",`
			`"object-src 'none'",`
Update packages and meta files for new release. 2022-01-28 14:19:05 -06:00			`sprintf("script-src 'unsafe-eval' 'strict-dynamic' 'self' 'unsafe-inline' 'nonce-%1s' %2s", $nonce, $trackingScriptSrc),`
Fix various issues in forms. 2021-04-08 10:41:19 -05:00			`"style-src 'unsafe-inline' 'self'",`
			`"base-uri 'self'",`
			`"font-src 'self' data:",`
Update packages and meta files for new release. 2022-01-28 14:19:05 -06:00			`sprintf("connect-src 'self' %s", $trackingScriptSrc),`
Fix various issues in forms. 2021-04-08 10:41:19 -05:00			`sprintf("img-src data: 'strict-dynamic' 'self' *.tile.openstreetmap.org %s", $trackingScriptSrc),`
			`"manifest-src 'self'",`
Update header readability, add Google as an optional allowed source. 2018-08-25 03:36:27 -05:00			`];`
Route can be null. 2019-01-27 11:24:11 -06:00
Fix code for #5493 as suggested by @tjmv 2022-02-09 04:14:00 -06:00			`$route = $request->route();`
			`$customUrl = '';`
Various PSR12 code cleanup 2022-12-29 12:42:26 -06:00			`$authGuard = (string)config('firefly.authentication_guard');`
			`$logoutUrl = (string)config('firefly.custom_logout_url');`
Fix code for #5493 as suggested by @tjmv 2022-02-09 04:14:00 -06:00			`if ('remote_user_guard' === $authGuard && '' !== $logoutUrl) {`
			`$customUrl = $logoutUrl;`
			`}`

Code cleaning stuff. 2019-02-13 10:38:41 -06:00			`if (null !== $route && 'oauth/authorize' !== $route->uri) {`
Fix code for #5493 as suggested by @tjmv 2022-02-09 04:14:00 -06:00			`$csp[] = sprintf("form-action 'self' %s", $customUrl);`
Ignore form action when doing oAuth2. 2019-01-27 10:15:40 -06:00			`}`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00
Expand secure headers. 2018-08-25 03:49:52 -05:00			`$featurePolicies = [`
			`"geolocation 'none'",`
			`"midi 'none'",`
Make some charts currency aware for #740 2018-08-27 11:59:30 -05:00			`//"notifications 'none'",`
			`//"push 'self'",`
Expand secure headers. 2018-08-25 03:49:52 -05:00			`"sync-xhr 'self'",`
			`"microphone 'none'",`
			`"camera 'none'",`
			`"magnetometer 'none'",`
			`"gyroscope 'none'",`
Fix various issues in forms. 2021-04-08 10:41:19 -05:00			`//"speaker 'none'",`
Make some charts currency aware for #740 2018-08-27 11:59:30 -05:00			`//"vibrate 'none'",`
Expand secure headers. 2018-08-25 03:49:52 -05:00			`"fullscreen 'self'",`
			`"payment 'none'",`
			`];`

Learned that I should not refer to env vars directly so I removed all references. 2018-12-15 00:59:02 -06:00			`$disableFrameHeader = config('firefly.disable_frame_header');`
Improve config of CSP headers. 2020-01-10 22:28:20 -06:00			`$disableCSP = config('firefly.disable_csp_header');`
			`if (false === $disableFrameHeader) {`
Add option to disable the X-Frame header 2018-11-24 00:24:32 -06:00			`$response->header('X-Frame-Options', 'deny');`
			`}`
Improve config of CSP headers. 2020-01-10 22:28:20 -06:00			`if (false === $disableCSP && !$response->headers->has('Content-Security-Policy')) {`
Fixes #2338 2019-07-16 12:21:58 -05:00			`$response->header('Content-Security-Policy', implode('; ', $csp));`
			`}`
Expand secure headers. 2018-08-25 03:49:52 -05:00			`$response->header('X-XSS-Protection', '1; mode=block');`
			`$response->header('X-Content-Type-Options', 'nosniff');`
			`$response->header('Referrer-Policy', 'no-referrer');`
Add headers. 2021-04-08 05:27:54 -05:00			`$response->header('X-Permitted-Cross-Domain-Policies', 'none');`
			`$response->header('X-Robots-Tag', 'none');`
Expand secure headers. 2018-08-25 03:49:52 -05:00			`$response->header('Feature-Policy', implode('; ', $featurePolicies));`
Add secure headers middleware. 2018-08-25 00:55:32 -05:00
			`return $response;`
			`}`
Improve config of CSP headers. 2020-01-10 22:28:20 -06:00
Add new relic thing for the demo site. 2022-01-18 12:16:12 -06:00			`/**`
			`* Return part of a CSP header allowing scripts from Matomo.`
Improve config of CSP headers. 2020-01-10 22:28:20 -06:00			`*`
			`* @return string`
			`*/`
Update analytics code. 2020-01-16 21:30:44 -06:00			`private function getTrackingScriptSource(): string`
Improve config of CSP headers. 2020-01-10 22:28:20 -06:00			`{`
Various PSR12 code cleanup 2022-12-29 12:42:26 -06:00			`if ('' !== (string)config('firefly.tracker_site_id') && '' !== (string)config('firefly.tracker_url')) {`
			`return (string)config('firefly.tracker_url');`
Improve config of CSP headers. 2020-01-10 22:28:20 -06:00			`}`

			`return '';`
			`}`
2FA QR doesn't show up due to CSP error Relevant stackoverflow fix: https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28 2018-09-03 00:19:38 -05:00			`}`