Add middleware hide server headers

marcoAntonioNina · marcoAntonioNina · commit a08445fc566a · 2025-10-20T11:32:00.000-04:00
diff --git a/ProcessMaker/Http/Kernel.php b/ProcessMaker/Http/Kernel.php
@@ -27,6 +27,7 @@ class Kernel extends HttpKernel
         ServerTimingMiddleware::class,
         Middleware\FileSizeCheck::class,
         Middleware\AddTenantHeaders::class,
+        Middleware\HideServerHeaders::class,
     ];
 
     /**
diff --git a/ProcessMaker/Http/Middleware/HideServerHeaders.php b/ProcessMaker/Http/Middleware/HideServerHeaders.php
@@ -0,0 +1,91 @@
+<?php
+
+namespace ProcessMaker\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class HideServerHeaders
+{
+    /**
+     * Headers that reveal server information and should be removed
+     *
+     * @var array
+     */
+    private $headersToRemove = [
+        // Server identification
+        'Server',
+        'X-Powered-By',
+        'X-AspNet-Version',
+        'X-AspNetMvc-Version',
+
+        // Web technologies and frameworks
+        'X-Generator',
+        'X-Drupal-Cache',
+        'X-Varnish',
+        'X-Cache',
+        'X-Cache-Hits',
+        'X-Framework',
+
+        // Load balancer and proxy information
+        'X-Forwarded-For',
+        'X-Real-IP',
+        'X-Forwarded-Proto',
+        'X-Forwarded-Host',
+        'X-Forwarded-Server',
+        'X-Forwarded-Port',
+
+        // Additional server information
+        'X-Served-By',
+        'X-Cache-Status',
+        'X-Served-From',
+        'X-Content-Source',
+        'X-Request-ID',
+        'X-Request-Id',
+
+        // PHP specific headers
+        'X-PHP-Version',
+        'X-PHP-Originating-Script',
+
+        // Development and debugging headers
+        'X-Debug-Token',
+        'X-Debug-Token-Link',
+        'X-Symfony-Cache',
+    ];
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        $response = $next($request);
+
+        // Only remove headers in production or when explicitly configured
+        if ($this->shouldHideHeaders()) {
+            // Remove all server-revealing headers
+            foreach ($this->headersToRemove as $header) {
+                $response->headers->remove($header);
+            }
+
+            // Set a generic server header to avoid revealing the absence
+            $response->headers->set('Server', 'Web Server');
+        }
+
+        return $response;
+    }
+
+    /**
+     * Determine if headers should be hidden based on environment
+     *
+     * @return bool
+     */
+    private function shouldHideHeaders(): bool
+    {
+        // Hide headers in production or when explicitly configured
+        return app()->environment('production') ||
+               config('app.hide_server_headers', false);
+    }
+}
diff --git a/config/app.php b/config/app.php
@@ -41,6 +41,9 @@
     // The timeout length for API calls, in milliseconds (0 for no timeout)
     'api_timeout' => env('API_TIMEOUT', 5000),
 
+    // Hide server headers for security (prevents information disclosure)
+    'hide_server_headers' => env('HIDE_SERVER_HEADERS', true),
+
     // Disables PHP execution in the storage directory
     // TODO Is this config value still used anywhere? :)
     'disable_php_upload_execution' => env('DISABLE_PHP_UPLOAD_EXECUTION', 0),
