diff --git a/composer.json b/composer.json
index 2bb0308..e987cc8 100644
--- a/composer.json
+++ b/composer.json
@@ -15,6 +15,7 @@
 "doctrine/doctrine-migrations-bundle": "^3.2",
 "doctrine/orm": "^2.15",
 "guzzlehttp/guzzle": "^7.7",
+ "nelmio/security-bundle": "^3.0",
 "phpseclib/phpseclib": "^3.0",
 "scienta/doctrine-json-functions": "^5.3",
 "symfony/console": "^6.3",
diff --git a/composer.lock b/composer.lock
index 82d1dba..ed68550 100644
--- a/composer.lock
+++ b/composer.lock
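Review bot: The new `nelmio/security-bundle` requirement resolves to v3.0.0 (dated 2022-03-17 in the lock) and transitively adds `ua-parser/uap-php` v3.9.14 and `composer/ca-bundle` 1.3.6 to the production `packages` set, so a user-agent parser now ships with the application; as far as I know the bundle only needs it for the `browser_adaptive` CSP option. That is worth a line in the commit message, and since `^3.0` permits newer 3.x releases it is worth checking whether one exists before pinning a 2022 build.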
@@ -4,8 +4,84 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "9561d8eb11d0593a60c3f4e664bb727f", + "content-hash": "dae2b5d4b529b83d11b206b565bec8a6", "packages": [ + { + "name": "composer/ca-bundle", + "version": "1.3.6", + "source": { + "type": "git", + "url": "https://github.com/composer/ca-bundle.git", + "reference": "90d087e988ff194065333d16bc5cf649872d9cdb" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/composer/ca-bundle/zipball/90d087e988ff194065333d16bc5cf649872d9cdb", + "reference": "90d087e988ff194065333d16bc5cf649872d9cdb", + "shasum": "" + }, + "require": { + "ext-openssl": "*", + "ext-pcre": "*", + "php": "^5.3.2 || ^7.0 || ^8.0" + }, + "require-dev": { + "phpstan/phpstan": "^0.12.55", + "psr/log": "^1.0", + "symfony/phpunit-bridge": "^4.2 || ^5", + "symfony/process": "^2.5 || ^3.0 || ^4.0 || ^5.0 || ^6.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-main": "1.x-dev" + } + }, + "autoload": { + "psr-4": { + "Composer\\CaBundle\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Jordi Boggiano", + "email": "j.boggiano@seld.be", + "homepage": "http://seld.be" + } + ], + "description": "Lets you find a path to the system CA bundle, and includes a fallback to the Mozilla CA bundle.", + "keywords": [ + "cabundle", + "cacert", + "certificate", + "ssl", + "tls" + ], + "support": { + "irc": "irc://irc.freenode.org/composer", + "issues": "https://github.com/composer/ca-bundle/issues", + "source": "https://github.com/composer/ca-bundle/tree/1.3.6" + }, + "funding": [ + { + "url": "https://packagist.com", + "type": "custom" + }, + { + "url": "https://github.com/composer", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/composer/composer", + "type": "tidelift" + } + ], + "time": 
"2023-06-06T12:02:59+00:00" + }, { "name": "doctrine/cache", "version": "2.2.0", 
@@ -1856,6 +1932,79 @@ ], "time": "2023-05-14T12:05:38+00:00" }, + { + "name": "nelmio/security-bundle", + "version": "v3.0.0", + "source": { + "type": "git", + "url": "https://github.com/nelmio/NelmioSecurityBundle.git", + "reference": "34699d40d81b58b6bd256e34489c799620dff2a4" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/nelmio/NelmioSecurityBundle/zipball/34699d40d81b58b6bd256e34489c799620dff2a4", + "reference": "34699d40d81b58b6bd256e34489c799620dff2a4", + "shasum": "" + }, + "require": { + "php": "^7.4 || ^8.0", + "symfony/framework-bundle": "^4.4 || ^5.4 || ^6.0", + "symfony/http-kernel": "^4.4 || ^5.4 || ^6.0", + "symfony/security-core": "^4.4 || ^5.4 || ^6.0", + "symfony/security-csrf": "^4.4 || ^5.4 || ^6.0", + "symfony/security-http": "^4.4 || ^5.4 || ^6.0", + "symfony/yaml": "^4.4 || ^5.4 || ^6.0", + "ua-parser/uap-php": "^3.4.4" + }, + "require-dev": { + "phpstan/phpstan": "^1.4", + "phpstan/phpstan-deprecation-rules": "^1.0", + "phpstan/phpstan-phpunit": "^1.0", + "phpstan/phpstan-strict-rules": "^1.1", + "phpstan/phpstan-symfony": "^1.1", + "phpunit/phpunit": "^9.5", + "psr/cache": "^1.0 || ^2.0 || ^3.0", + "symfony/browser-kit": "^4.4 || ^5.4 || ^6.0", + "symfony/cache": "^4.4 || ^5.4 || ^6.0", + "symfony/phpunit-bridge": "^6.0", + "symfony/twig-bundle": "^4.4 || ^5.4 || ^6.0", + "twig/twig": "^2.10 || ^3.0" + }, + "type": "symfony-bundle", + "extra": { + "branch-alias": { + "dev-master": "3.x-dev" + } + }, + "autoload": { + "psr-4": { + "Nelmio\\SecurityBundle\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Nelmio", + "homepage": "http://nelm.io" + }, + { + "name": "Symfony Community", + "homepage": "https://github.com/nelmio/NelmioSecurityBundle/contributors" + } + ], + "description": "Extra security-related features for Symfony: signed/encrypted cookies, HTTPS/SSL/HSTS handling, cookie session storage, ...", + "keywords": [ + 
"security" + ], + "support": { + "issues": "https://github.com/nelmio/NelmioSecurityBundle/issues", + "source": "https://github.com/nelmio/NelmioSecurityBundle/tree/v3.0.0" + }, + "time": "2022-03-17T07:30:15+00:00" + }, { "name": "paragonie/constant_time_encoding", "version": "v2.6.3", 
@@ -6761,6 +6910,69 @@ } ], "time": "2023-06-08T12:52:13+00:00" + }, + { + "name": "ua-parser/uap-php", + "version": "v3.9.14", + "source": { + "type": "git", + "url": "https://github.com/ua-parser/uap-php.git", + "reference": "b796c5ea5df588e65aeb4e2c6cce3811dec4fed6" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/ua-parser/uap-php/zipball/b796c5ea5df588e65aeb4e2c6cce3811dec4fed6", + "reference": "b796c5ea5df588e65aeb4e2c6cce3811dec4fed6", + "shasum": "" + }, + "require": { + "composer/ca-bundle": "^1.1", + "php": "^7.2 || ^8.0" + }, + "require-dev": { + "phpstan/phpstan": "^0.12.33", + "phpunit/phpunit": "^8 || ^9", + "symfony/console": "^3.4 || ^4.2 || ^4.3 || ^5.0", + "symfony/filesystem": "^3.4 || ^4.2 || ^4.3 || ^5.0", + "symfony/finder": "^3.4 || ^4.2 || ^4.3 || ^5.0", + "symfony/yaml": "^3.4 || ^4.2 || ^4.3 || ^5.0", + "vimeo/psalm": "^3.12" + }, + "suggest": { + "symfony/console": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0", + "symfony/filesystem": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0", + "symfony/finder": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0", + "symfony/yaml": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0" + }, + "bin": [ + "bin/uaparser" + ], + "type": "library", + "autoload": { + "psr-4": { + "UAParser\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Dave Olsen", + "email": "dmolsen@gmail.com" + }, + { + "name": "Lars Strojny", + "email": "lars@strojny.net" + } + ], + "description": "A multi-language port of Browserscope's user agent parser.", + "support": { + "issues": "https://github.com/ua-parser/uap-php/issues", + "source": "https://github.com/ua-parser/uap-php/tree/v3.9.14" + }, + "time": "2020-10-02T23:36:20+00:00" } ], "packages-dev": [ diff --git a/config/bundles.php b/config/bundles.php index 065fc99..ef562e5 100644 --- a/config/bundles.php +++ b/config/bundles.php 
@@ -11,4 +11,5 @@ return [
 Symfony\Bundle\MonologBundle\MonologBundle::class => ['all' => true],
 Symfony\Bundle\DebugBundle\DebugBundle::class => ['dev' => true],
 Symfony\WebpackEncoreBundle\WebpackEncoreBundle::class => ['all' => true],
+ Nelmio\SecurityBundle\NelmioSecurityBundle::class => ['all' => true],
 ];
diff --git a/config/packages/nelmio_security.yaml b/config/packages/nelmio_security.yaml
new file mode 100644
index 0000000..4ebac3c
--- /dev/null
+++ b/config/packages/nelmio_security.yaml
@@ -0,0 +1,64 @@
+nelmio_security:
+ # prevents framing of the entire site
+ clickjacking:
+ paths:
+ '^/.*': DENY
+
+ # disables content type sniffing for script resources
+ content_type:
+ nosniff: true
+
+ # forces Microsoft's XSS-Protection with
+ # its block mode
+ xss_protection:
+ enabled: true
+ mode_block: true
+
+ # Send a full URL in the `Referer` header when performing a same-origin request,
+ # only send the origin of the document to secure destination (HTTPS->HTTPS),
+ # and send no header to a less secure destination (HTTPS->HTTP).
+ # If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
+ # no referrer information is sent along with requests.
+ referrer_policy:
+ enabled: true
+ policies:
+ - 'no-referrer'
+ - 'strict-origin-when-cross-origin'
+ csp:
+ enabled: true
+ report_logger_service: logger
+ hosts: []
+ content_types: []
+ enforce:
+ # see full description below
+ level1_fallback: true
+ # only send directives supported by the browser, defaults to false
+ # this is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
+ browser_adaptive:
+ enabled: false
+ report-uri: '%router.request_context.base_url%/nelmio/csp/report'
+ default-src:
+ - 'none'
+ script-src:
+ - 'self'
+ font-src:
+ - 'self'
+ style-src:
+ - 'self'
+ img-src:
+ - 'self'
+ - 'data:'
+ connect-src:
+ - 'self'
+ block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
+ # upgrade-insecure-requests: true # defaults to false, upgrades HTTP requests to HTTPS transport
+ report:
+ # see full description below
+ level1_fallback: true
+ # only send directives supported by the browser, defaults to false
+ # this is a port of https://github.com/twitter/secureheaders/blob/83a564a235c8be1a8a3901373dbc769da32f6ed7/lib/secure_headers/headers/policy_management.rb#L97
+ browser_adaptive:
+ enabled: true
+ report-uri: '%router.request_context.base_url%/nelmio/csp/report'
+ script-src:
+ - 'self'
\ No newline at end of file
diff --git a/config/services.yaml b/config/services.yaml
index eef876a..c4f682d 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -8,9 +8,6 @@ parameters:
 en: 'English'
 nl: 'Nederlands'
 leet: 'L33tsp34k'
- security:
- csp_policy: "default-src 'none'; font-src 'self' data:; style-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; form-action 'self'; require-trusted-types-for 'script'; frame-ancestors 'none'; base-uri 'none'"
- referer_policy: "same-origin"
 services:
 # default configuration for services in *this* file
diff --git a/src/EventSubscriber/SecurityHeadersSubscriber.php b/src/EventSubscriber/SecurityHeadersSubscriber.php
deleted file mode 100644
index 9bd80d6..0000000
--- a/src/EventSubscriber/SecurityHeadersSubscriber.php
+++ /dev/null
@@ -1,35 +0,0 @@
-params = $params;
- }
-
- public function onResponse(ResponseEvent $event)
- {
- $response = $event->getResponse();
- $securitypolicy = $this->params->get('security');
- $csp = $securitypolicy['csp_policy'];
- $referer = $securitypolicy['referer_policy'];
- $response->headers->set("Content-Security-Policy", $csp);
- $response->headers->set("Referrer-Policy", $referer);
- }
-
- public static function getSubscribedEvents()
- {
- return [
- KernelEvents::RESPONSE => 'onResponse'
- ];
- }
-}
\ No newline at end of file
diff --git a/symfony.lock b/symfony.lock
index 721c41a..2597d2a 100644
--- a/symfony.lock
+++ b/symfony.lock
@@ -95,6 +95,18 @@
 "monolog/monolog": {
 "version": "2.5.0"
 },
+ "nelmio/security-bundle": {
+ "version": "3.0",
+ "recipe": {
+ "repo": "github.com/symfony/recipes",
+ "branch": "main",
+ "version": "2.4",
+ "ref": "65726efb67ff51d89de38195bc0d230fa811f64d"
+ },
+ "files": [
+ "config/packages/nelmio_security.yaml"
+ ]
+ },
 "nikic/php-parser": {
 "version": "v4.13.2"
 },
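Review bot: The enforced policy under `csp.enforce` drops directives that the hand-rolled header removed from `config/services.yaml` in this same commit carried: `base-uri 'none'`, `form-action 'self'`, `frame-ancestors 'none'` and `require-trusted-types-for 'script'`, so an injected `<base>` element or a rewritten form target is no longer blocked by CSP, and the X-Frame-Options `DENY` from `clickjacking` is only a partial substitute for `frame-ancestors` in current browsers. The `font-src` list also no longer includes `data:`, which the old policy allowed, so any font the app inlines that way will now be refused. Adding the missing directives under `enforce` restores parity (whether v3.0.0 of the bundle accepts `require-trusted-types-for` should be checked against its directive list before adding that one). The two `# see full description below` comments were copied from the bundle's documentation and refer to nothing in this file; replace each with a one-line explanation of `level1_fallback` or drop them. Finally, `report-uri` points at `/nelmio/csp/report` but nothing in this diff imports the bundle's report route, so confirm that endpoint is registered or reports will be lost.
```yaml
        enforce:
            # … unchanged: level1_fallback, browser_adaptive, report-uri …
            default-src:
                - 'none'
            # … unchanged: script-src, font-src, style-src, img-src, connect-src …
            base-uri:
                - 'none'
            form-action:
                - 'self'
            frame-ancestors:
                - 'none'
            # … unchanged: block-all-mixed-content …
```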