Add the CSP headers

Squashed commit of the following: commit 468945826621d2e586f7e5fa773623c4accc316a Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:30 2018 +0000 Update changelog commit 36c6edce091c41861879a982e6ad250b395abbcf Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:23 2018 +0000 Add a test commit ef9d7b564f8ea4f4528c42f411c14ddfaa132082 Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:42:13 2018 +0000 Apply the CSPHeader middleware to all `web` requests commit 737bfca3a6b446d52c0d0a8cc1b7b1c422876c0b Author: Jonny Barnes <jonny@jonnybarnes.uk> Date: Fri Mar 2 16:41:45 2018 +0000 Add a CSP header to a response, as well as the Report-To header
2018-03-02 16:46:45 +00:00 · 2018-03-02 16:46:45 +00:00 · f35e2b4f15
commit f35e2b4f15
parent 2e6e20a8b0
4 changed files with 64 additions and 0 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -38,6 +38,7 @@ class Kernel extends HttpKernel
            \App\Http\Middleware\LinkHeadersMiddleware::class,
            \App\Http\Middleware\LocalhostSessionMiddleware::class,
            \App\Http\Middleware\ActivityStreamLinks::class,
            \App\Http\Middleware\CSPHeader::class,
        ],
        'api' => [
--- a/app/Http/Middleware/CSPHeader.php
+++ b/app/Http/Middleware/CSPHeader.php
@ -0,0 +1,46 @@
 <?php
 namespace App\Http\Middleware;
 use Closure;
 class CSPHeader
 {
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        // headers have to be single-line strings,
        // so we concat multiple lines
        return $next($request)
            ->header(
                'Content-Security-Policy',
                "default-src 'self'; " .
                "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://api.mapbox.com https://analytics.jmb.lv blob:; " .
                "style-src 'self' 'unsafe-inline' https://api.mapbox.com https://fonts.googleapis.com use.typekit.net p.typekit.net; " .
                "img-src 'self' data: blob: https://pbs.twimg.com https://api.mapbox.com https://*.tiles.mapbox.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com analytics.jmb.lv https://*.4sqi.net https://upload.wikimedia.org p.typekit.net; " .
                "font-src 'self' https://fonts.gstatic.com use.typekit.net fonts.typekit.net; " .
                "connect-src 'self' https://api.mapbox.com https://*.tiles.mapbox.com performance.typekit.net data: blob:; " .
                "worker-src 'self' blob:; " .
                "frame-src 'self' https://www.youtube.com blob:; " .
                "child-src 'self' blob:; " .
                "upgrade-insecure-requests; " .
                "block-all-mixed-content; " .
                "report-to csp-endpoint;" .
                "report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;"
            )
            ->header(
                'Report-To',
                "{" .
                    "'url': 'https://jonnybarnes.report-uri.io/r/default/csp/enforce', " .
                    "'group': 'csp-endpoint'," .
                    "'max-age': 10886400" .
                "}"
            );
    }
 }
--- a/changelog.md
+++ b/changelog.md
@ -2,6 +2,7 @@
 ## Version {next}
  - Add CORS headers as necessary in the Laravel app (as oppose to using nginx)
  - Add CSP headers
 ## Version 0.16.1 (2018-02-17)
  - Fix issue where OwnYourSwarm requests include h-adr block for location
--- a/tests/Feature/CSPHeadersTest.php
+++ b/tests/Feature/CSPHeadersTest.php
@ -0,0 +1,16 @@
 <?php
 namespace Tests\Feature;
 use Tests\TestCase;
 class CSPHeadersTest extends TestCase
 {
    /** @test */
    public function check_csp_headers_test()
    {
        $response = $this->get('/');
        $response->assertHeader('Content-Security-Policy');
        $response->assertHeader('Report-To');
    }
 }