From 2914fc6251738af4438f57508ddaa59b7cd44b0c Mon Sep 17 00:00:00 2001
From: Jeroen De Meerleer
Date: Wed, 8 Jun 2022 13:24:24 +0200
Subject: [PATCH] ENHANCEMENT: added CSP again
---
 config/services.yaml | 3 ++
 src/EventSubscriber/LocaleSubscriber.php | 1 -
 .../SecurityHeadersSubscriber.php | 35 +++++++++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 src/EventSubscriber/SecurityHeadersSubscriber.php
diff --git a/config/services.yaml b/config/services.yaml
index b794f50..9d56fc9 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -5,6 +5,9 @@
 # https://symfony.com/doc/current/best_practices.html#use-parameters-for-application-configuration
 parameters:
 enabled_locales: 'en|nl'
+ security:
+ csp_policy: "default-src 'none'; font-src 'self' data:; style-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; form-action 'self'; require-trusted-types-for 'script'; frame-ancestors 'none'; base-uri 'none'"
+ referer_policy: "same-origin"
 services:
 # default configuration for services in *this* file
diff --git a/src/EventSubscriber/LocaleSubscriber.php b/src/EventSubscriber/LocaleSubscriber.php
index 9b72e5e..eef70aa 100644
--- a/src/EventSubscriber/LocaleSubscriber.php
+++ b/src/EventSubscriber/LocaleSubscriber.php
@@ -1,6 +1,5 @@
params = $params;
+ }
+
+ public function onResponse(ResponseEvent $event)
+ {
+ $response = $event->getResponse();
+ $securitypolicy = $this->params->get('security');
+ $csp = $securitypolicy['csp_policy'];
+ $referer = $securitypolicy['referer_policy'];
+ $response->headers->set("Content-Security-Policy", $csp);
+ $response->headers->set("Referrer-Policy", $referer);
+ }
+
+ public static function getSubscribedEvents()
+ {
+ return [
+ KernelEvents::RESPONSE => 'onResponse'
+ ];
+ }
+}
\ No newline at end of file
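Review bot: The new `csp_policy` carries no `report-uri`/`report-to` directive, so whatever `script-src 'self'`, `style-src 'self'` and `require-trusted-types-for 'script'` block in the browser (inline scripts, inline `style=` attributes, string-built DOM sinks) never reaches the server; since the subject says this CSP is being re-added, a reporting endpoint, or a first pass as `Content-Security-Policy-Report-Only`, would make the next breakage visible rather than prompting another revert. The key `referer_policy` is spelled differently from the `Referrer-Policy` header it ends up in; `referrer_policy` (renamed in its reader, `SecurityHeadersSubscriber::onResponse`, as well) keeps the two greppable together. Both keys are read by plain array indexing in that subscriber, so a comment such as `# both keys are required: SecurityHeadersSubscriber::onResponse sends them as response headers on each response it handles` above `security:` documents the contract for whoever edits this block next.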