feat: Add nelmio/security-bundle

This commit adds the nelmio/security-bundle to the composer.json file. The bundle provides extra security-related features for Symfony, such as signed/encrypted cookies, HTTPS/SSL/HSTS handling, and cookie session storage.
This commit is contained in:
Jeroen De Meerleer 2023-07-13 14:11:46 +02:00
parent 06c6f0a659
commit 449af1be8e
Signed by: JeroenED
GPG Key ID: 28CCCB8F62BFADD6
7 changed files with 291 additions and 39 deletions


@ -15,6 +15,7 @@
"doctrine/doctrine-migrations-bundle": "^3.2",
"doctrine/orm": "^2.15",
"guzzlehttp/guzzle": "^7.7",
"nelmio/security-bundle": "^3.0",
"phpseclib/phpseclib": "^3.0",
"scienta/doctrine-json-functions": "^5.3",
"symfony/console": "^6.3",

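--- a/composer.lock
+++ b/composer.lock
@@ -4,8 +4,84 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
-"content-hash": "9561d8eb11d0593a60c3f4e664bb727f",
+"content-hash": "dae2b5d4b529b83d11b206b565bec8a6",
 "packages": [
+{
+"name": "composer/ca-bundle",
+"version": "1.3.6",
+"source": {
+"type": "git",
+"url": "https://github.com/composer/ca-bundle.git",
+"reference": "90d087e988ff194065333d16bc5cf649872d9cdb"
+},
+"dist": {
+"type": "zip",
+"url": "https://api.github.com/repos/composer/ca-bundle/zipball/90d087e988ff194065333d16bc5cf649872d9cdb",
+"reference": "90d087e988ff194065333d16bc5cf649872d9cdb",
+"shasum": ""
+},
+"require": {
+"ext-openssl": "*",
+"ext-pcre": "*",
+"php": "^5.3.2 || ^7.0 || ^8.0"
+},
+"require-dev": {
+"phpstan/phpstan": "^0.12.55",
+"psr/log": "^1.0",
+"symfony/phpunit-bridge": "^4.2 || ^5",
+"symfony/process": "^2.5 || ^3.0 || ^4.0 || ^5.0 || ^6.0"
+},
+"type": "library",
+"extra": {
+"branch-alias": {
+"dev-main": "1.x-dev"
+}
+},
+"autoload": {
+"psr-4": {
+"Composer\\CaBundle\\": "src"
+}
+},
+"notification-url": "https://packagist.org/downloads/",
+"license": [
+"MIT"
+],
+"authors": [
+{
+"name": "Jordi Boggiano",
+"email": "j.boggiano@seld.be",
+"homepage": "http://seld.be"
+}
+],
+"description": "Lets you find a path to the system CA bundle, and includes a fallback to the Mozilla CA bundle.",
+"keywords": [
+"cabundle",
+"cacert",
+"certificate",
+"ssl",
+"tls"
+],
+"support": {
+"irc": "irc://irc.freenode.org/composer",
+"issues": "https://github.com/composer/ca-bundle/issues",
+"source": "https://github.com/composer/ca-bundle/tree/1.3.6"
+},
+"funding": [
+{
+"url": "https://packagist.com",
+"type": "custom"
+},
+{
+"url": "https://github.com/composer",
+"type": "github"
+},
+{
+"url": "https://tidelift.com/funding/github/packagist/composer/composer",
+"type": "tidelift"
+}
+],
+"time": "2023-06-06T12:02:59+00:00"
+},
 {
 "name": "doctrine/cache",
 "version": "2.2.0",
@@ -1856,6 +1932,79 @@
 ],
 "time": "2023-05-14T12:05:38+00:00"
 },
+{
+"name": "nelmio/security-bundle",
+"version": "v3.0.0",
+"source": {
+"type": "git",
+"url": "https://github.com/nelmio/NelmioSecurityBundle.git",
+"reference": "34699d40d81b58b6bd256e34489c799620dff2a4"
+},
+"dist": {
+"type": "zip",
+"url": "https://api.github.com/repos/nelmio/NelmioSecurityBundle/zipball/34699d40d81b58b6bd256e34489c799620dff2a4",
+"reference": "34699d40d81b58b6bd256e34489c799620dff2a4",
+"shasum": ""
+},
+"require": {
+"php": "^7.4 || ^8.0",
+"symfony/framework-bundle": "^4.4 || ^5.4 || ^6.0",
+"symfony/http-kernel": "^4.4 || ^5.4 || ^6.0",
+"symfony/security-core": "^4.4 || ^5.4 || ^6.0",
+"symfony/security-csrf": "^4.4 || ^5.4 || ^6.0",
+"symfony/security-http": "^4.4 || ^5.4 || ^6.0",
+"symfony/yaml": "^4.4 || ^5.4 || ^6.0",
+"ua-parser/uap-php": "^3.4.4"
+},
+"require-dev": {
+"phpstan/phpstan": "^1.4",
+"phpstan/phpstan-deprecation-rules": "^1.0",
+"phpstan/phpstan-phpunit": "^1.0",
+"phpstan/phpstan-strict-rules": "^1.1",
+"phpstan/phpstan-symfony": "^1.1",
+"phpunit/phpunit": "^9.5",
+"psr/cache": "^1.0 || ^2.0 || ^3.0",
+"symfony/browser-kit": "^4.4 || ^5.4 || ^6.0",
+"symfony/cache": "^4.4 || ^5.4 || ^6.0",
+"symfony/phpunit-bridge": "^6.0",
+"symfony/twig-bundle": "^4.4 || ^5.4 || ^6.0",
+"twig/twig": "^2.10 || ^3.0"
+},
+"type": "symfony-bundle",
+"extra": {
+"branch-alias": {
+"dev-master": "3.x-dev"
+}
+},
+"autoload": {
+"psr-4": {
+"Nelmio\\SecurityBundle\\": "src/"
+}
+},
+"notification-url": "https://packagist.org/downloads/",
+"license": [
+"MIT"
+],
+"authors": [
+{
+"name": "Nelmio",
+"homepage": "http://nelm.io"
+},
+{
+"name": "Symfony Community",
+"homepage": "https://github.com/nelmio/NelmioSecurityBundle/contributors"
+}
+],
+"description": "Extra security-related features for Symfony: signed/encrypted cookies, HTTPS/SSL/HSTS handling, cookie session storage, ...",
+"keywords": [
+"security"
+],
+"support": {
+"issues": "https://github.com/nelmio/NelmioSecurityBundle/issues",
+"source": "https://github.com/nelmio/NelmioSecurityBundle/tree/v3.0.0"
+},
+"time": "2022-03-17T07:30:15+00:00"
+},
 {
 "name": "paragonie/constant_time_encoding",
 "version": "v2.6.3",
@@ -6761,6 +6910,69 @@
 }
 ],
 "time": "2023-06-08T12:52:13+00:00"
+},
+{
+"name": "ua-parser/uap-php",
+"version": "v3.9.14",
+"source": {
+"type": "git",
+"url": "https://github.com/ua-parser/uap-php.git",
+"reference": "b796c5ea5df588e65aeb4e2c6cce3811dec4fed6"
+},
+"dist": {
+"type": "zip",
+"url": "https://api.github.com/repos/ua-parser/uap-php/zipball/b796c5ea5df588e65aeb4e2c6cce3811dec4fed6",
+"reference": "b796c5ea5df588e65aeb4e2c6cce3811dec4fed6",
+"shasum": ""
+},
+"require": {
+"composer/ca-bundle": "^1.1",
+"php": "^7.2 || ^8.0"
+},
+"require-dev": {
+"phpstan/phpstan": "^0.12.33",
+"phpunit/phpunit": "^8 || ^9",
+"symfony/console": "^3.4 || ^4.2 || ^4.3 || ^5.0",
+"symfony/filesystem": "^3.4 || ^4.2 || ^4.3 || ^5.0",
+"symfony/finder": "^3.4 || ^4.2 || ^4.3 || ^5.0",
+"symfony/yaml": "^3.4 || ^4.2 || ^4.3 || ^5.0",
+"vimeo/psalm": "^3.12"
+},
+"suggest": {
+"symfony/console": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0",
+"symfony/filesystem": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0",
+"symfony/finder": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0",
+"symfony/yaml": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0"
+},
+"bin": [
+"bin/uaparser"
+],
+"type": "library",
+"autoload": {
+"psr-4": {
+"UAParser\\": "src"
+}
+},
+"notification-url": "https://packagist.org/downloads/",
+"license": [
+"MIT"
+],
+"authors": [
+{
+"name": "Dave Olsen",
+"email": "dmolsen@gmail.com"
+},
+{
+"name": "Lars Strojny",
+"email": "lars@strojny.net"
+}
+],
+"description": "A multi-language port of Browserscope's user agent parser.",
+"support": {
+"issues": "https://github.com/ua-parser/uap-php/issues",
+"source": "https://github.com/ua-parser/uap-php/tree/v3.9.14"
+},
+"time": "2020-10-02T23:36:20+00:00"
 }
 ],
 "packages-dev": [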


@ -11,4 +11,5 @@ return [
Symfony\Bundle\MonologBundle\MonologBundle::class => ['all' => true],
Symfony\Bundle\DebugBundle\DebugBundle::class => ['dev' => true],
Symfony\WebpackEncoreBundle\WebpackEncoreBundle::class => ['all' => true],
Nelmio\SecurityBundle\NelmioSecurityBundle::class => ['all' => true],
];

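--- /dev/null
+++ b/config/packages/nelmio_security.yaml
@@ -0,0 +1,64 @@
+nelmio_security:
+# prevents framing of the entire site
+clickjacking:
+paths:
+'^/.*': DENY
+# disables content type sniffing for script resources
+content_type:
+nosniff: true
+# forces Microsoft's XSS-Protection with
+# its block mode
+xss_protection:
+enabled: true
+mode_block: true
+# Send a full URL in the `Referer` header when performing a same-origin request,
+# only send the origin of the document to secure destination (HTTPS->HTTPS),
+# and send no header to a less secure destination (HTTPS->HTTP).
+# If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
+# no referrer information is sent along with requests.
+referrer_policy:
+enabled: true
+policies:
+- 'no-referrer'
+- 'strict-origin-when-cross-origin'
+csp:
+enabled: true
+report_logger_service: logger
+hosts: []
+content_types: []
+enforce:
+# see full description below
+level1_fallback: true
+# only send directives supported by the browser, defaults to false
+# this is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
+browser_adaptive:
+enabled: false
+report-uri: '%router.request_context.base_url%/nelmio/csp/report'
+default-src:
+- 'none'
+script-src:
+- 'self'
+font-src:
+- 'self'
+style-src:
+- 'self'
+img-src:
+- 'self'
+- 'data:'
+connect-src:
+- 'self'
+block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
+# upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport
+report:
+# see full description below
+level1_fallback: true
+# only send directives supported by the browser, defaults to false
+# this is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
+browser_adaptive:
+enabled: true
+report-uri: '%router.request_context.base_url%/nelmio/csp/report'
+script-src:
+- 'self'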
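Review bot: The `enforce` policy silently drops three directives that the hand-rolled header removed from services.yaml in this same commit carried (`default-src 'none'; … form-action 'self'; … frame-ancestors 'none'; base-uri 'none'`), so a markup injection can now plant a `<base href>` to redirect relative script URLs and point injected forms at an attacker host. `frame-ancestors` is mirrored by the `clickjacking` `DENY` rule at the top of the file, but `base-uri` and `form-action` have no equivalent elsewhere in this config, and `require-trusted-types-for 'script'` is gone as well; the bundle accepts the first three as plain directive keys, so the loss looks accidental rather than intended. Separately, `font-src` lost the `data:` source the old policy allowed, which may block inline fonts — verify that is deliberate. Restoring the directives is a six-line addition under `enforce`, sketched below.
```yaml
        enforce:
            # … unchanged: level1_fallback, browser_adaptive, report-uri …
            default-src:
                - 'none'
            base-uri:
                - 'none'
            form-action:
                - 'self'
            frame-ancestors:
                - 'none'
            # … unchanged: script-src through block-all-mixed-content …
```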


@ -8,9 +8,6 @@ parameters:
en: 'English'
nl: 'Nederlands'
leet: 'L33tsp34k'
security:
csp_policy: "default-src 'none'; font-src 'self' data:; style-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; form-action 'self'; require-trusted-types-for 'script'; frame-ancestors 'none'; base-uri 'none'"
referer_policy: "same-origin"
services:
# default configuration for services in *this* file

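--- a/src/EventSubscriber/SecurityHeadersSubscriber.php
+++ /dev/null
@@ -1,35 +0,0 @@
-<?php
-namespace App\EventSubscriber;
-use Symfony\Component\DependencyInjection\ParameterBag\ContainerBagInterface;
-use Symfony\Component\EventDispatcher\EventSubscriberInterface;
-use Symfony\Component\HttpKernel\Event\ResponseEvent;
-use Symfony\Component\HttpKernel\KernelEvents;
-class SecurityHeadersSubscriber implements EventSubscriberInterface
-{
-private $params;
-public function __construct(ContainerBagInterface $params)
-{
-$this->params = $params;
-}
-public function onResponse(ResponseEvent $event)
-{
-$response = $event->getResponse();
-$securitypolicy = $this->params->get('security');
-$csp = $securitypolicy['csp_policy'];
-$referer = $securitypolicy['referer_policy'];
-$response->headers->set("Content-Security-Policy", $csp);
-$response->headers->set("Referrer-Policy", $referer);
-}
-public static function getSubscribedEvents()
-{
-return [
-KernelEvents::RESPONSE => 'onResponse'
-];
-}
-}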

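--- a/symfony.lock
+++ b/symfony.lock
@@ -95,6 +95,18 @@
 "monolog/monolog": {
 "version": "2.5.0"
 },
+"nelmio/security-bundle": {
+"version": "3.0",
+"recipe": {
+"repo": "github.com/symfony/recipes",
+"branch": "main",
+"version": "2.4",
+"ref": "65726efb67ff51d89de38195bc0d230fa811f64d"
+},
+"files": [
+"config/packages/nelmio_security.yaml"
+]
+},
 "nikic/php-parser": {
 "version": "v4.13.2"
 },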