Add security headers to the default response #110
Conversation
xh3n1
force-pushed
the
set-header
branch
2 times, most recently
from
0727e1e to
f05824c
Compare
| * | ||
| * @return Response | ||
| */ | ||
| public function createResponse(ViewHandler $handler, View $view, Request $request, $format) |
There was a problem hiding this comment.
Can we cover this with an integration test?
There was a problem hiding this comment.
We can have the string type hinting for the parameter.
composer.json
Outdated
| @@ -128,6 +128,9 @@ | |||
| "messages": { | |||
| "Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException": true | |||
| } | |||
| }, | |||
| "service": { | |||
| "view_handler": "my.secure_view_handler" | |||
|
|
|||
There was a problem hiding this comment.
Please let's drop this empty line.
|
@oliverklee Thank you for the review 😄 |
xh3n1
changed the title
.travis.yml
Outdated
| - > | ||
| echo; | ||
| echo "Running the system tests"; | ||
| vendor/bin/phpunit tests/System/; |
There was a problem hiding this comment.
@xh3n1 Thanks for the change.
I'd like to stick to the "one change/topic per PR" policy. Could you please move this to a separate PR? This will keep the history (and git blame) clean and allow for clean reverts if needed. Thanks!
There was a problem hiding this comment.
@oliverklee Thanks, I added it as a separate PR.
xh3n1
changed the title
config/services.yml
Outdated
| my.secure_view_handler: | ||
| parent: fos_rest.view_handler.default | ||
| calls: | ||
| - ['registerHandler', [ 'json', ["@my.secure_handler", 'createResponse'] ] ] |
There was a problem hiding this comment.
Please let's unify this to always use single quotes unless the double quotes are required here.
| { | ||
| $view->setHeaders([ | ||
| 'X-Content-Type-Options' => 'nosniff', | ||
| 'Content-Security-Policy' => "default-src 'none'", |
There was a problem hiding this comment.
Would it also work to switch the single and double quotes here?
| */ | ||
| class SecuredViewHandler | ||
| { | ||
|
|
There was a problem hiding this comment.
Please let's drop the blank line here.
|
|
||
| /** | ||
| * This class is used to add headers to the default response. | ||
| * @author Xheni Myrtaj <xheni@phplist.com> . |
There was a problem hiding this comment.
Let's polish this: :-)
Could you please add a blank line above the @author line and drop the period at the end of the @author line?
| */ | ||
| public function createResponse(ViewHandler $handler, View $view, Request $request, string $format) | ||
| { | ||
| $view->setHeaders([ |
There was a problem hiding this comment.
Please let's put the [ and ] on separate lines. This will avoid formatting changes when using the PhpStorm autoformat or the php-cs-fixer.
| @@ -0,0 +1,70 @@ | |||
| <?php | |||
| declare(strict_types=1); | |||
| namespace PhpList\RestBundle\Tests\System\Controller; | |||
There was a problem hiding this comment.
To keep things consistent, please let's have a blank line between the declare line and the namespace section.
| * Test for security headers | ||
| * @author Xheni Myrtaj <xheni@phplist.com> | ||
| * | ||
| * |
There was a problem hiding this comment.
Please let's remove the blank lines.
|
|
||
| /** | ||
| * Test for security headers | ||
| * @author Xheni Myrtaj <xheni@phplist.com> |
There was a problem hiding this comment.
For consistency, please let's have a blank line above the @author line.
| */ | ||
| class SecuredViewHandlerTest extends TestCase | ||
| { | ||
|
|
There was a problem hiding this comment.
Please let's drop the blank line. (In general, there should be no blank line below a { or above a }.)
| $expectedHeaders = [ | ||
| 'X-Content-Type-Options' => 'nosniff', | ||
| 'Content-Security-Policy' => "default-src 'none'", | ||
| 'X-Frame-Options' => 'DENY' |
There was a problem hiding this comment.
Please let's have a comma after the last array element.
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
|
Thanks for the review @oliverklee I applied the requested coding style and rebased to master. I hope that I didn't miss anything. Just a question about changelog.md, under which release should I add the changes? |
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Under "x.y.z (next release)", please. |
| * | ||
| * @return Response | ||
| */ | ||
| public function createResponse(ViewHandler $handler, View $view, Request $request, string $format) |
There was a problem hiding this comment.
Would it work to have Response as a return type declaration?
|
ok thanks @oliverklee , I will create another PR for that. |
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Optimally, the changelog entry for a PR should be part of the same PR. |
Signed-off-by: Xheni Myrtaj <myrtajxheni@gmail.com>
Added security headers such as:
Fix #111