JeroenED/website
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

ENHANCEMENT: Reimplemented CSP

Browse Source
This commit is contained in:
Jeroen De Meerleer 2022-06-08 13:31:17 +02:00
parent 74b238c3d5
commit 9e20b84862
Signed by: JeroenED
GPG Key ID: 28CCCB8F62BFADD6
4 changed files with 41 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config/services.yaml
View File

@ -4,6 +4,9 @@
# Put parameters here that don't need to change on each machine where the app is deployed # Put parameters here that don't need to change on each machine where the app is deployed
# https://symfony.com/doc/current/best_practices.html#use-parameters-for-application-configuration # https://symfony.com/doc/current/best_practices.html#use-parameters-for-application-configuration
parameters: parameters:
security:
csp_policy: "default-src 'none'; font-src 'self'; style-src 'self'; script-src 'self'; img-src 'self'; form-action 'none'; frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'none'; "
referer_policy: "same-origin"
services: services:
# default configuration for services in *this* file # default configuration for services in *this* file

3
package.json
View File

@ -17,7 +17,8 @@
"vite-plugin-symfony": "^0.3.0" "vite-plugin-symfony": "^0.3.0"
}, },
"scripts": { "scripts": {
"dev": "vite", "watch": "vite build --minify=false --sourcemap --watch",
"build-dev": "vite build --minify=false --sourcemap",
"build": "vite build" "build": "vite build"
}, },
"repository": { "repository": {

2
src/EventListener/ExceptionListener.php → src/EventSubscriber/ExceptionListener.php
View File

@ -1,6 +1,6 @@
<?php <?php
namespace App\EventListener; namespace App\EventSubscriber;
use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpFoundation\Response;

35
src/EventSubscriber/SecurityHeadersSubscriber.php Normal file
View File

@ -0,0 +1,35 @@
<?php
namespace App\EventSubscriber;
use Symfony\Component\DependencyInjection\ParameterBag\ContainerBagInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
class SecurityHeadersSubscriber implements EventSubscriberInterface
{
private $params;
public function __construct(ContainerBagInterface $params)
{
$this->params = $params;
}
public function onResponse(ResponseEvent $event)
{
$response = $event->getResponse();
$securitypolicy = $this->params->get('security');
$csp = $securitypolicy['csp_policy'];
$referer = $securitypolicy['referer_policy'];
$response->headers->set("Content-Security-Policy", $csp);
$response->headers->set("Referrer-Policy", $referer);
}
public static function getSubscribedEvents()
{
return [
KernelEvents::RESPONSE => 'onResponse'
];
}
}