xref: /webtrees/app/Http/Middleware/SecurityHeaders.php (revision e43c2e5dda33d221a59512327fb4eacdaa819b3f)
1<?php
2
3/**
4 * webtrees: online genealogy
5 * Copyright (C) 2023 webtrees development team
6 * This program is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program. If not, see <https://www.gnu.org/licenses/>.
16 */
17
18declare(strict_types=1);
19
20namespace Fisharebest\Webtrees\Http\Middleware;
21
22use Fisharebest\Webtrees\Validator;
23use Psr\Http\Message\ResponseInterface;
24use Psr\Http\Message\ServerRequestInterface;
25use Psr\Http\Server\MiddlewareInterface;
26use Psr\Http\Server\RequestHandlerInterface;
27
28/**
29 * Middleware to set security-related HTTP headers.
30 */
31class SecurityHeaders implements MiddlewareInterface
32{
33    private const SECURITY_HEADERS = [
34        'Permissions-Policy'     => 'browsing-topics=()',
35        'Referrer-Policy'        => 'same-origin',
36        'X-Content-Type-Options' => 'nosniff',
37        'X-Frame-Options'        => 'SAMEORIGIN',
38        'X-XSS-Protection'       => '1; mode=block',
39    ];
40
41    /**
42     * @param ServerRequestInterface  $request
43     * @param RequestHandlerInterface $handler
44     *
45     * @return ResponseInterface
46     */
47    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
48    {
49        $response = $handler->handle($request);
50
51        foreach (self::SECURITY_HEADERS as $header_name => $header_value) {
52            // Don't overwrite existing headers.
53            if ($response->getHeader($header_name) === []) {
54                $response = $response->withHeader($header_name, $header_value);
55            }
56        }
57
58        $base_url = Validator::attributes($request)->string('base_url');
59
60        if (str_starts_with($base_url, 'https://') && $response->getHeader('Strict-Transport-Security') === []) {
61            $response = $response->withHeader('Strict-Transport-Security', 'max-age=31536000');
62        }
63
64        return $response;
65    }
66}
67