src/Subscriber/SecurityHeaderSubscriber.php line 47

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace App\Subscriber;
  7. use App\Store\StoreContext;
  8. use Psr\Log\LoggerInterface;
  9. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  10. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  11. use Symfony\Component\HttpKernel\KernelEvents;
  13. /**
  14. * Setting various security headers
  15. *
  16. * @package App\Subscriber
  17. */
  18. class SecurityHeaderSubscriber implements EventSubscriberInterface
  19. {
  21. private StoreContext $storeContext;
  22. private LoggerInterface $logger;
  24. public function __construct(StoreContext $storeContext, LoggerInterface $logger)
  25. {
  26. $this->storeContext = $storeContext;
  27. $this->logger = $logger;
  28. }
  29. /**
  30. * Returns an array of event names this subscriber wants to listen to.
  31. *
  32. * @return array The event names to listen to
  33. */
  34. public static function getSubscribedEvents(): array
  35. {
  36. // run after EventListener\DisallowRobotsIndexingListener
  37. return [KernelEvents::RESPONSE => ['onKernelResponse', -256]];
  38. }
  40. /**
  41. * Conservative add headers (don't replace exiting ones)
  42. *
  43. * @param ResponseEvent $event
  44. *
  45. * @return void
  46. */
  47. public function onKernelResponse(ResponseEvent $event): void
  48. {
  50. $headers = $event->getResponse()->headers;
  52. // Instructs browser to not send referer when downgrading from https to http
  53. if (!$headers->has('Referrer-Policy')) {
  54. $headers->set('Referrer-Policy', 'strict-origin-when-cross-origin', false);
  55. }
  57. // Prevents browser from trying to guess the mime-type of a response.
  58. // Reduces risk of execution of user uploaded content and exposure to drive-by downloads
  59. if (!$headers->has('X-Content-Type-Options')) {
  60. $headers->set('X-Content-Type-Options', 'nosniff', false);
  61. }
  63. // It would be better if Content-Security-Policy can be more strict. But that requires checking all used resources across the whole store
  64. if ($event->getRequest()->isSecure() && !$headers->has('Content-Security-Policy')) { // if this request is not secure, it makes little sense to force an upgrade for all used resources
  65. $headers->set('Content-Security-Policy', 'upgrade-insecure-requests', false);
  66. }
  68. // Use CSP to allow iframe embed for trusted resources (needed for SAP ARIBA integration)
  69. if ($headers->has('X-Frame-Options')) {
  70. $headers->remove('X-Frame-Options');
  71. }
  72. if ($this->storeContext->isPunchoutStore()) {
  73. $headers->set('Content-Security-Policy', "frame-ancestors *", false);
  74. } else {
  75. $headers->set('Content-Security-Policy', "frame-ancestors 'self' app.storyblok.com", false);
  76. }
  78. // Disable something that is very unlikely to be used, just to add this header
  79. if (!$headers->has('Feature-Policy')) {
  80. $headers->set('Feature-Policy', 'usb \'none\'', false);
  81. }
  82. }
  83. }