xref: /webtrees/app/Http/Middleware/SecurityHeaders.php (revision 110d87e5cc3161866682d0a932d11474cfbcad7f)
1<?php
2
3/**
4 * webtrees: online genealogy
5 * Copyright (C) 2021 webtrees development team
6 * This program is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program. If not, see <https://www.gnu.org/licenses/>.
16 */
17
18declare(strict_types=1);
19
20namespace Fisharebest\Webtrees\Http\Middleware;
21
22use Psr\Http\Message\ResponseInterface;
23use Psr\Http\Message\ServerRequestInterface;
24use Psr\Http\Server\MiddlewareInterface;
25use Psr\Http\Server\RequestHandlerInterface;
26
27/**
28 * Middleware to set security-related HTTP headers.
29 */
30class SecurityHeaders implements MiddlewareInterface
31{
32    private const SECURITY_HEADERS = [
33        'Permissions-Policy'     => 'browsing-topics=()',
34        'Referrer-Policy'        => 'same-origin',
35        'X-Content-Type-Options' => 'nosniff',
36        'X-Frame-Options'        => 'SAMEORIGIN',
37        'X-XSS-Protection'       => '1; mode=block',
38    ];
39
40    /**
41     * @param ServerRequestInterface  $request
42     * @param RequestHandlerInterface $handler
43     *
44     * @return ResponseInterface
45     */
46    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
47    {
48        $response = $handler->handle($request);
49
50        foreach (self::SECURITY_HEADERS as $header_name => $header_value) {
51            // Don't overwrite existing headers.
52            if ($response->getHeader($header_name) === []) {
53                $response = $response->withHeader($header_name, $header_value);
54            }
55        }
56
57        return $response;
58    }
59}
60