ENHANCEMENT: Reimplemented CSP

2022-06-08 13:31:17 +02:00 · 2022-06-08 13:31:17 +02:00 · 9e20b84862
commit 9e20b84862
parent 74b238c3d5
4 changed files with 41 additions and 2 deletions
--- a/config/services.yaml
+++ b/config/services.yaml
@ -4,6 +4,9 @@
 # Put parameters here that don't need to change on each machine where the app is deployed
 # https://symfony.com/doc/current/best_practices.html#use-parameters-for-application-configuration
 parameters:
+    security:
+        csp_policy: "default-src 'none'; font-src 'self'; style-src 'self'; script-src 'self'; img-src 'self'; form-action 'none'; frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'none'; "
+        referer_policy: "same-origin"

 services:
    # default configuration for services in *this* file
--- a/package.json
+++ b/package.json
@ -17,7 +17,8 @@
    "vite-plugin-symfony": "^0.3.0"
  },
  "scripts": {
-    "dev": "vite",
+    "watch": "vite build --minify=false --sourcemap --watch",
+    "build-dev": "vite build --minify=false --sourcemap",
    "build": "vite build"
  },
  "repository": {
--- a/src/EventSubscriber/ExceptionListener.php
+++ b/src/EventSubscriber/ExceptionListener.php
@ -1,6 +1,6 @@
 <?php

-namespace App\EventListener;
+namespace App\EventSubscriber;

 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Response;
--- a/src/EventSubscriber/SecurityHeadersSubscriber.php
+++ b/src/EventSubscriber/SecurityHeadersSubscriber.php
@ -0,0 +1,35 @@
+<?php
+
+namespace App\EventSubscriber;
+
+use Symfony\Component\DependencyInjection\ParameterBag\ContainerBagInterface;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpKernel\Event\ResponseEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+class SecurityHeadersSubscriber implements EventSubscriberInterface
+{
+    private $params;
+
+    public function __construct(ContainerBagInterface $params)
+    {
+        $this->params = $params;
+    }
+
+    public function onResponse(ResponseEvent $event)
+    {
+        $response = $event->getResponse();
+        $securitypolicy = $this->params->get('security');
+        $csp = $securitypolicy['csp_policy'];
+        $referer = $securitypolicy['referer_policy'];
+        $response->headers->set("Content-Security-Policy", $csp);
+        $response->headers->set("Referrer-Policy", $referer);
+    }
+
+    public static function getSubscribedEvents()
+    {
+        return [
+            KernelEvents::RESPONSE => 'onResponse'
+        ];
+    }
+}