From a9590d2bb62162ebb67c1da4c952a61689321eb3 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Sat, 25 Aug 2018 07:55:32 +0200
Subject: [PATCH] Add secure headers middleware.

---
 app/Http/Kernel.php                   |  2 +
 app/Http/Middleware/SecureHeaders.php | 54 +++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 app/Http/Middleware/SecureHeaders.php

diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 514b660f1d..90ad53be88 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -32,6 +32,7 @@ use FireflyIII\Http\Middleware\Range;
 use FireflyIII\Http\Middleware\RedirectIfAuthenticated;
 use FireflyIII\Http\Middleware\RedirectIfTwoFactorAuthenticated;
 use FireflyIII\Http\Middleware\Sandstorm;
+use FireflyIII\Http\Middleware\SecureHeaders;
 use FireflyIII\Http\Middleware\StartFireflySession;
 use FireflyIII\Http\Middleware\TrimStrings;
 use FireflyIII\Http\Middleware\TrustProxies;
@@ -63,6 +64,7 @@ class Kernel extends HttpKernel
      */
     protected $middleware = [
+        SecureHeaders::class,
         CheckForMaintenanceMode::class,
         ValidatePostSize::class,
         TrimStrings::class,
diff --git a/app/Http/Middleware/SecureHeaders.php b/app/Http/Middleware/SecureHeaders.php
new file mode 100644
index 0000000000..0069b6f7d1
--- /dev/null
+++ b/app/Http/Middleware/SecureHeaders.php
@@ -0,0 +1,54 @@
+. */
+
+declare(strict_types=1);
+
+namespace FireflyIII\Http\Middleware;
+
+use Auth;
+use Closure;
+use Illuminate\Http\Request;
+
+/**
+ *
+ * Class SecureHeaders
+ */
+class SecureHeaders
+{
+    /**
+     * Handle an incoming request. May not be a limited user (ie. Sandstorm env. or demo user).
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     * @param string|null              $guard
+     *
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        $response = $next($request);
+
+        $response->header('X-Frame-Options', 'deny');
+        //$response->header('Content-Security-Policy', "default-src 'none'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com/analytics.js; style-src 'self' 'unsafe-inline';base-uri 'self';form-action 'self';font-src 'self';connect-src 'self';img-src 'self'");
+
+        return $response;
+    }
+}
\ No newline at end of file
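Review bot: `$response->header('X-Frame-Options', 'deny')` in handle() assumes `$next($request)` returns an Illuminate response, but Laravel's file downloads and streamed responses are plain Symfony `BinaryFileResponse`/`StreamedResponse` objects with no `header()` method, so any such route would fatal once this middleware is registered globally in the Kernel; `$response->headers->set('X-Frame-Options', 'DENY');` works on every Symfony response and uses the conventional upper-case value. For a middleware named SecureHeaders a single header is thin: `$response->headers->set('X-Content-Type-Options', 'nosniff');` and `$response->headers->set('Referrer-Policy', 'same-origin');` are safe to add now, and the commented-out CSP should either be enabled once its inline-script and analytics sources are confirmed or removed rather than left as dead code. The docblock appears copied from another middleware — `$guard` is not a parameter and the "May not be a limited user" sentence does not describe this class — and `use Auth;` is unused. Since the same Kernel registers a Sandstorm middleware and Sandstorm serves apps inside an iframe, an unconditional DENY may need an exception in that environment; worth confirming before release.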