Merge pull request #7 from flightphp/security-headers

added security headers by default

Author: n0nag0n

app/config/config_sample.php

@@ -54,6 +54,10 @@
 $app->set('flight.views.extension', '.php');  // View file extension (e.g., '.php', '.latte')
 $app->set('flight.content_length', false);    // Send content length header. Usually false unless required by proxy
 
+// Generate a CSP nonce for each request and store in $app
+$nonce = bin2hex(random_bytes(16));
+$app->set('csp_nonce', $nonce);
+
 /**********************************************
  *           User Configuration               *
  **********************************************/

app/config/routes.php

@@ -1,23 +1,30 @@
 <?php
 
 use app\controllers\ApiExampleController;
+use app\middlewares\SecurityHeadersMiddleware;
 use flight\Engine;
 use flight\net\Router;
 
 /** 
  * @var Router $router 
  * @var Engine $app
  */
-$router->get('/', function() use ($app) {
-	$app->render('welcome', [ 'message' => 'You are gonna do great things!' ]);
-});
 
-$router->get('/hello-world/@name', function($name) {
-	echo '<h1>Hello world! Oh hey '.$name.'!</h1>';
-});
+// This wraps all routes in the group with the SecurityHeadersMiddleware
+$router->group('', function(Router $router) use ($app) {
 
-$router->group('/api', function() use ($router) {
-	$router->get('/users', [ ApiExampleController::class, 'getUsers' ]);
-	$router->get('/users/@id:[0-9]', [ ApiExampleController::class, 'getUser' ]);
-	$router->post('/users/@id:[0-9]', [ ApiExampleController::class, 'updateUser' ]);
-});
+	$router->get('/', function() use ($app) {
+		$app->render('welcome', [ 'message' => 'You are gonna do great things!' ]);
+	});
+
+	$router->get('/hello-world/@name', function($name) {
+		echo '<h1>Hello world! Oh hey '.$name.'!</h1>';
+	});
+
+	$router->group('/api', function() use ($router) {
+		$router->get('/users', [ ApiExampleController::class, 'getUsers' ]);
+		$router->get('/users/@id:[0-9]', [ ApiExampleController::class, 'getUser' ]);
+		$router->post('/users/@id:[0-9]', [ ApiExampleController::class, 'updateUser' ]);
+	});
+	
+}, [ SecurityHeadersMiddleware::class ]);

app/middlewares/SecurityHeadersMiddleware.php

@@ -0,0 +1,37 @@
+<?php
+declare(strict_types=1);
+
+namespace app\middlewares;
+
+use flight\Engine;
+use Tracy\Debugger;
+
+class SecurityHeadersMiddleware
+{
+	protected Engine $app;
+
+	public function __construct(Engine $app)
+	{
+		$this->app = $app;
+	}
+	
+	public function before(array $params): void
+	{
+		$nonce = $this->app->get('csp_nonce');
+
+		// development mode to execute Tracy debug bar CSS
+		$tracyCssBypass = "'nonce-{$nonce}'";
+		if(Debugger::$showBar === true) {
+			$tracyCssBypass = ' \'unsafe-inline\'';
+		}
+
+		$csp = "default-src 'self'; script-src 'self' 'nonce-{$nonce}' 'strict-dynamic'; style-src 'self' {$tracyCssBypass}; img-src 'self' data:;";
+		$this->app->response()->header('X-Frame-Options', 'SAMEORIGIN');
+		$this->app->response()->header("Content-Security-Policy", $csp);
+		$this->app->response()->header('X-XSS-Protection', '1; mode=block');
+		$this->app->response()->header('X-Content-Type-Options', 'nosniff');
+		$this->app->response()->header('Referrer-Policy', 'no-referrer-when-downgrade');
+		$this->app->response()->header('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
+		$this->app->response()->header('Permissions-Policy', 'geolocation=()');
+	}
+}

composer.json

@@ -35,7 +35,6 @@
         "start": "php -S localhost:8000 -t public",
 		"post-create-project-cmd": [ 
 			"@php -r \"copy('app/config/config_sample.php', 'app/config/config.php');\"",
-			"@php -r \"mkdir('app/middlewares/');\"",
 			"@php -r \"mkdir('app/models/');\"",
 			"@php -r \"mkdir('app/utils/');\"",
 			"@php -r \"mkdir('app/cache/');\"",