Issues in SecurityHeaders.php (main) - Issues in main - fisharebest/webtrees - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2559)

app/Http/Middleware/SecurityHeaders.php (1 issue)

Labels

Bug 1

Severity

Major 1

<?php

/**
 * webtrees: online genealogy
 * Copyright (C) 2025 webtrees development team
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 */

declare(strict_types=1);

namespace Fisharebest\Webtrees\Http\Middleware;

use Fisharebest\Webtrees\Validator;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

/**
 * Middleware to set security-related HTTP headers.
 */
class SecurityHeaders implements MiddlewareInterface
{
    private const array SECURITY_HEADERS = [

        'Permissions-Policy'     => 'browsing-topics=()',
        'Referrer-Policy'        => 'same-origin',
        'X-Content-Type-Options' => 'nosniff',
        'X-Frame-Options'        => 'SAMEORIGIN',
        'X-XSS-Protection'       => '1; mode=block',
    ];

    /**
     * @param ServerRequestInterface  $request
     * @param RequestHandlerInterface $handler
     *
     * @return ResponseInterface
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $response = $handler->handle($request);

        foreach (self::SECURITY_HEADERS as $header_name => $header_value) {
            // Don't overwrite existing headers.
            if ($response->getHeader($header_name) === []) {
                $response = $response->withHeader($header_name, $header_value);
            }
        }

        $base_url = Validator::attributes($request)->string('base_url');

        if (str_starts_with($base_url, 'https://') && $response->getHeader('Strict-Transport-Security') === []) {
            $response = $response->withHeader('Strict-Transport-Security', 'max-age=31536000');
        }

        return $response;
    }
}


1			<?php
2
3			/**
4			* webtrees: online genealogy
5			* Copyright (C) 2025 webtrees development team
6			* This program is free software: you can redistribute it and/or modify
7			* it under the terms of the GNU General Public License as published by
8			* the Free Software Foundation, either version 3 of the License, or
9			* (at your option) any later version.
10			* This program is distributed in the hope that it will be useful,
11			* but WITHOUT ANY WARRANTY; without even the implied warranty of
12			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13			* GNU General Public License for more details.
14			* You should have received a copy of the GNU General Public License
15			* along with this program. If not, see <https://www.gnu.org/licenses/>.
16			*/
17
18			declare(strict_types=1);
19
20			namespace Fisharebest\Webtrees\Http\Middleware;
21
22			use Fisharebest\Webtrees\Validator;
23			use Psr\Http\Message\ResponseInterface;
24			use Psr\Http\Message\ServerRequestInterface;
25			use Psr\Http\Server\MiddlewareInterface;
26			use Psr\Http\Server\RequestHandlerInterface;
27
28			/**
29			* Middleware to set security-related HTTP headers.
30			*/
31			class SecurityHeaders implements MiddlewareInterface
32			{
33			private const array SECURITY_HEADERS = [
			0 ignored issues – show Bug introduced 2024-11-23 00:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this A parse error occurred: Syntax error, unexpected T_STRING, expecting '=' on line 33 at column 24 Loading history...
34			'Permissions-Policy' => 'browsing-topics=()',
35			'Referrer-Policy' => 'same-origin',
36			'X-Content-Type-Options' => 'nosniff',
37			'X-Frame-Options' => 'SAMEORIGIN',
38			'X-XSS-Protection' => '1; mode=block',
39			];
40
41			/**
42			* @param ServerRequestInterface $request
43			* @param RequestHandlerInterface $handler
44			*
45			* @return ResponseInterface
46			*/
47			public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
48			{
49			$response = $handler->handle($request);
50
51			foreach (self::SECURITY_HEADERS as $header_name => $header_value) {
52			// Don't overwrite existing headers.
53			if ($response->getHeader($header_name) === []) {
54			$response = $response->withHeader($header_name, $header_value);
55			}
56			}
57
58			$base_url = Validator::attributes($request)->string('base_url');
59
60			if (str_starts_with($base_url, 'https://') && $response->getHeader('Strict-Transport-Security') === []) {
61			$response = $response->withHeader('Strict-Transport-Security', 'max-age=31536000');
62			}
63
64			return $response;
65			}
66			}
67

fisharebest / webtrees

Issues (2559)

app/Http/Middleware/SecurityHeaders.php (1 issue)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like