1<?php
2
3/**
4 * webtrees: online genealogy
5 * Copyright (C) 2021 webtrees development team
6 * This program is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program. If not, see <https://www.gnu.org/licenses/>.
16 */
17
18declare(strict_types=1);
19
20namespace Fisharebest\Webtrees\Http\Middleware;
21
22use Psr\Http\Message\ResponseInterface;
23use Psr\Http\Message\ServerRequestInterface;
24use Psr\Http\Server\MiddlewareInterface;
25use Psr\Http\Server\RequestHandlerInterface;
26
27/**
28 * Middleware to set security-related HTTP headers.
29 */
class SecurityHeaders implements MiddlewareInterface
{
    /**
     * Default security headers, applied to a response only when no header of
     * that name is already present (so handlers and other middleware win).
     *
     * NOTE(review): X-XSS-Protection is a legacy header that current browsers
     * ignore; OWASP's current guidance is to disable the auditor (`0`) or omit
     * the header, because the filter itself has been abused for cross-site
     * leaks. The value is kept unchanged here to preserve behaviour.
     * Content-Security-Policy and Strict-Transport-Security are not set in
     * this class; they depend on deployment (TLS, asset origins) rather than
     * on application code.
     *
     * @var array<string, string>
     */
    private const SECURITY_HEADERS = [
        'Referrer-Policy'        => 'same-origin',
        'X-Content-Type-Options' => 'nosniff',
        'X-Frame-Options'        => 'SAMEORIGIN',
        'X-XSS-Protection'       => '1; mode=block',
    ];

    /**
     * Run the inner handler, then add every default security header that the
     * resulting response does not already carry.
     *
     * @param ServerRequestInterface  $request
     * @param RequestHandlerInterface $handler
     *
     * @return ResponseInterface
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $response = $handler->handle($request);

        // Select only the headers the downstream handler has not supplied.
        // Header names are matched case-insensitively by PSR-7 implementations,
        // and the defaults above are distinct, so checking against the original
        // response is equivalent to re-checking after each addition.
        $missing = array_filter(
            self::SECURITY_HEADERS,
            static function (string $name) use ($response): bool {
                return $response->getHeader($name) === [];
            },
            ARRAY_FILTER_USE_KEY
        );

        foreach ($missing as $name => $value) {
            $response = $response->withHeader($name, $value);
        }

        return $response;
    }
}
59