1<?php 2 3/** 4 * webtrees: online genealogy 5 * Copyright (C) 2021 webtrees development team 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation, either version 3 of the License, or 9 * (at your option) any later version. 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * You should have received a copy of the GNU General Public License 15 * along with this program. If not, see <https://www.gnu.org/licenses/>. 16 */ 17 18declare(strict_types=1); 19 20namespace Fisharebest\Webtrees\Http\Middleware; 21 22use Psr\Http\Message\ResponseInterface; 23use Psr\Http\Message\ServerRequestInterface; 24use Psr\Http\Server\MiddlewareInterface; 25use Psr\Http\Server\RequestHandlerInterface; 26 27/** 28 * Middleware to set security-related HTTP headers. 29 */ 30class SecurityHeaders implements MiddlewareInterface 31{ 32 private const SECURITY_HEADERS = [ 33 'Permissions-Policy' => 'interest-cohort=()', 34 'Referrer-Policy' => 'same-origin', 35 'X-Content-Type-Options' => 'nosniff', 36 'X-Frame-Options' => 'SAMEORIGIN', 37 'X-XSS-Protection' => '1; mode=block', 38 ]; 39 40 /** 41 * @param ServerRequestInterface $request 42 * @param RequestHandlerInterface $handler 43 * 44 * @return ResponseInterface 45 */ 46 public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface 47 { 48 $response = $handler->handle($request); 49 50 foreach (self::SECURITY_HEADERS as $header_name => $header_value) { 51 // Don't overwrite existing headers. 52 if ($response->getHeader($header_name) === []) { 53 $response = $response->withHeader($header_name, $header_value); 54 } 55 } 56 57 return $response; 58 } 59} 60