Add the CSP headers

Squashed commit of the following: commit 468945826621d2e586f7e5fa773623c4accc316a Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:30 2018 +0000 Update changelog commit 36c6edce091c41861879a982e6ad250b395abbcf Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:23 2018 +0000 Add a test commit ef9d7b564f8ea4f4528c42f411c14ddfaa132082 Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:13 2018 +0000 Apply the CSPHeader middleware to all `web` requests commit 737bfca3a6b446d52c0d0a8cc1b7b1c422876c0b Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:41:45 2018 +0000 Add a CSP header to a response, as well as the Report-To header
2018-03-02 16:46:45 +00:00 · 2018-03-02 16:46:45 +00:00 · f35e2b4f15
commit f35e2b4f15
parent 2e6e20a8b0
4 changed files with 64 additions and 0 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -38,6 +38,7 @@ class Kernel extends HttpKernel
            \App\Http\Middleware\LinkHeadersMiddleware::class,
            \App\Http\Middleware\LocalhostSessionMiddleware::class,
            \App\Http\Middleware\ActivityStreamLinks::class,
+            \App\Http\Middleware\CSPHeader::class,
        ],

        'api' => [
--- a/app/Http/Middleware/CSPHeader.php
+++ b/app/Http/Middleware/CSPHeader.php
@ -0,0 +1,46 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class CSPHeader
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        // headers have to be single-line strings,
+        // so we concat multiple lines
+        return $next($request)
+            ->header(
+                'Content-Security-Policy',
+                "default-src 'self'; " .
+                "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://api.mapbox.com https://analytics.jmb.lv blob:; " .
+                "style-src 'self' 'unsafe-inline' https://api.mapbox.com https://fonts.googleapis.com use.typekit.net p.typekit.net; " .
+                "img-src 'self' data: blob: https://pbs.twimg.com https://api.mapbox.com https://*.tiles.mapbox.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com analytics.jmb.lv https://*.4sqi.net https://upload.wikimedia.org p.typekit.net; " .
+                "font-src 'self' https://fonts.gstatic.com use.typekit.net fonts.typekit.net; " .
+                "connect-src 'self' https://api.mapbox.com https://*.tiles.mapbox.com performance.typekit.net data: blob:; " .
+                "worker-src 'self' blob:; " .
+                "frame-src 'self' https://www.youtube.com blob:; " .
+                "child-src 'self' blob:; " .
+                "upgrade-insecure-requests; " .
+                "block-all-mixed-content; " .
+                "report-to csp-endpoint;" .
+                "report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;"
+            )
+            ->header(
+                'Report-To',
+                "{" .
+                    "'url': 'https://jonnybarnes.report-uri.io/r/default/csp/enforce', " .
+                    "'group': 'csp-endpoint'," .
+                    "'max-age': 10886400" .
+                "}"
+            );
+    }
+}