1<?php 2 3/** 4 * webtrees: online genealogy 5 * Copyright (C) 2021 webtrees development team 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation, either version 3 of the License, or 9 * (at your option) any later version. 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * You should have received a copy of the GNU General Public License 15 * along with this program. If not, see <https://www.gnu.org/licenses/>. 16 */ 17 18declare(strict_types=1); 19 20namespace Fisharebest\Webtrees\Http\Middleware; 21 22use Psr\Http\Message\ResponseInterface; 23use Psr\Http\Message\ServerRequestInterface; 24use Psr\Http\Server\MiddlewareInterface; 25use Psr\Http\Server\RequestHandlerInterface; 26 27/** 28 * Middleware to set security-related HTTP headers. 29 */ 30class SecurityHeaders implements MiddlewareInterface 31{ 32 private const SECURITY_HEADERS = [ 33 'Referrer-Policy' => 'same-origin', 34 'X-Content-Type-Options' => 'nosniff', 35 'X-Frame-Options' => 'SAMEORIGIN', 36 'X-XSS-Protection' => '1; mode=block', 37 ]; 38 39 /** 40 * @param ServerRequestInterface $request 41 * @param RequestHandlerInterface $handler 42 * 43 * @return ResponseInterface 44 */ 45 public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface 46 { 47 $response = $handler->handle($request); 48 49 foreach (self::SECURITY_HEADERS as $header_name => $header_value) { 50 // Don't overwrite existing headers. 51 if ($response->getHeader($header_name) === []) { 52 $response = $response->withHeader($header_name, $header_value); 53 } 54 } 55 56 return $response; 57 } 58} 59