<?php
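use Bnomei\SecurityHeaders;

// The plugin's own Composer autoloader may be absent (e.g. when the plugin
// itself was installed through the project's Composer, whose root autoloader
// already provides the classes). Test for the file instead of suppressing
// errors with `@`, which would also hide a broken or unreadable autoload file.
if (is_file(__DIR__ . '/vendor/autoload.php')) {
    include_once __DIR__ . '/vendor/autoload.php';
}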
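/*
 * Registers the bnomei/securityheaders plugin: default response headers, the
 * CSP loader/setter hooks, the `route:before` hook that emits the headers, and
 * the page/site helpers for retrieving CSP nonces in templates.
 */
Kirby::plugin('bnomei/securityheaders', [
    'options' => [
        'enabled' => null, // null => disable in panel and api
        // Seed for the site-wide nonce; defaults to the site's origin
        // (the same value the siteMethods below look the nonce up with).
        'seed' => function () {
            return Url::stripPath(site()->url());
        },
        // Default headers. An empty string value unsets the header.
        // Header names are case-insensitive on the wire; the mixed casing
        // below is kept as-is so user overrides keep merging on the same keys.
        'headers' => [
            'X-Powered-By' => '', // unset
            'X-Frame-Options' => 'DENY',
            // NOTE(review): the browser XSS auditor this header controlled has
            // been retired and current guidance is to send `0`; left unchanged
            // here because it is a shipped default that sites may override.
            'X-XSS-Protection' => '1; mode=block',
            'X-Content-Type-Options' => 'nosniff',
            // NOTE(review): `preload` commits the domain to the HSTS preload
            // list once submitted; only keep it if every subdomain serves HTTPS.
            'strict-transport-security' => 'max-age=31536000; includeSubdomains; preload',
            'Referrer-Policy' => 'no-referrer-when-downgrade',
            'Permissions-Policy' => 'interest-cohort=()', // flock-off
            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
            // NOTE(review): Feature-Policy is the legacy name of
            // Permissions-Policy. The 'none' list below is not mirrored into the
            // Permissions-Policy header above, so browsers that only honour the
            // newer header may get nothing beyond the interest-cohort opt-out.
            'Feature-Policy' => [
                "accelerometer 'none'",
                "ambient-light-sensor 'none'",
                "autoplay 'none'",
                "battery 'none'",
                "camera 'none'",
                "display-capture 'none'",
                "document-domain 'none'",
                "encrypted-media 'none'",
                "execution-while-not-rendered 'none'",
                "execution-while-out-of-viewport 'none'",
                "fullscreen 'none'",
                "geolocation 'none'",
                "gyroscope 'none'",
                "layout-animations 'none'",
                "legacy-image-formats 'none'",
                "magnetometer 'none'",
                "microphone 'none'",
                "midi 'none'",
                "navigation-override 'none'",
                "oversized-images 'none'",
                "payment 'none'",
                "picture-in-picture 'none'",
                "publickey-credentials 'none'",
                "sync-xhr 'none'",
                "usb 'none'",
                "wake-lock 'none'",
                "xr-spatial-tracking 'none'",
            ],
        ],
        // Source of the Content-Security-Policy configuration.
        'loader' => function () {
            // https://github.com/paragonie/csp-builder#example
            // null if you do NOT want to use default and/or just the setter
            /*
            return null;
            */
            // return path of file (json or yaml)
            // or an array of options for the cspbuilder
            /*
            return [...];
            return kirby()->roots()->site() . '/your-csp.json';
            return kirby()->roots()->site() . '/your-csp.yml';
            */
            // otherwise forward the default file from this plugin
            return __DIR__ . '/loader.json';
        },
        // Programmatic CSP adjustments; runs with the plugin's instance.
        'setter' => function (SecurityHeaders $instance): void {
            // https://github.com/paragonie/csp-builder#build-a-content-security-policy-programmatically
            /*
            $csp = $instance->csp();
            $nonce = $instance->setNonce('my-inline-script');
            $csp->nonce('script-src', $nonce);
            */
            // in your template retrieve it again with
            /*
            $nonce = $page->nonce('my-inline-script');
            => `THIS-IS-THE-NONCE`
            $attr = $page->nonceAttr('my-inline-script');
            => `nonce="THIS-IS-THE-NONCE"`
            */
        },
    ],
    'hooks' => [
        // Emit the configured headers on the route:before hook.
        'route:before' => function (): void {
            SecurityHeaders::singleton()->sendHeaders();
        },
    ],
    'pageMethods' => [
        // Raw nonce registered under $key, or null when none is known.
        'nonce' => function (string $key): ?string {
            return SecurityHeaders::singleton()->getNonce($key);
        },
        // Nonce rendered as an HTML attribute. The value is escaped for the
        // attribute context (a well-formed nonce is unaffected by this);
        // a null nonce still yields `nonce=""` as before.
        'nonceAttr' => function (string $key): string {
            $nonce = SecurityHeaders::singleton()->getNonce($key) ?? '';

            return 'nonce="' . htmlspecialchars($nonce, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
        },
    ],
    'siteMethods' => [
        // Site-wide nonce, keyed by the site's origin (matches the `seed` default).
        'nonce' => function (): ?string {
            return SecurityHeaders::singleton()->getNonce(Url::stripPath(site()->url()));
        },
        // Site-wide nonce as an HTML attribute; escaped like the page variant.
        'nonceAttr' => function (): string {
            $nonce = SecurityHeaders::singleton()->getNonce(Url::stripPath(site()->url())) ?? '';

            return 'nonce="' . htmlspecialchars($nonce, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
        },
    ],
]);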