Issues in SecurityHeadersMiddleware.php (main) - Issues in main - jidaikobo-shibata/kontiki-framework - Measure and Improve Code Quality continuously with Scrutinizer

Issues (121)

src/Middleware/SecurityHeadersMiddleware.php (1 issue)

Labels

Severity

Major 1

<?php

namespace Jidaikobo\Kontiki\Middleware;

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

class SecurityHeadersMiddleware implements MiddlewareInterface
{
    /**
     * Process an incoming server request and apply security headers.
     *
     * @param  Request                 $request
     * @param  RequestHandlerInterface $handler
     * @return Response
     */
    public function process(Request $request, RequestHandlerInterface $handler): Response
    {
        // Delegate the request to the next middleware or controller
        $response = $handler->handle($request);

        // ホスト名を取得
        $host = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443)
            ? 'https://' . ($_SERVER['HTTP_HOST'] ?? ($_SERVER['SERVER_NAME'] ?? 'localhost'))
            : 'http://' . ($_SERVER['HTTP_HOST'] ?? ($_SERVER['SERVER_NAME'] ?? 'localhost'));

        // Add security headers
        $headers = [
            "Content-Security-Policy" => "default-src 'self'; " .
                "script-src 'self' https://cdn.jsdelivr.net https://code.jquery.com; " .
                "style-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; " .
                "font-src 'self' https://cdnjs.cloudflare.com; " .
                "img-src 'self' data:; " .
                "connect-src 'self'; " .
                "frame-src 'self';",
            "Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
            "X-Content-Type-Options" => "nosniff",
            "Referrer-Policy" => "no-referrer-when-downgrade",
            "X-XSS-Protection" => "1; mode=block",
            "Permissions-Policy" => "geolocation=(), microphone=(), camera=()",
            "X-Frame-Options" => "SAMEORIGIN",
            "Access-Control-Allow-Origin" => $host,
        ];

        foreach ($headers as $key => $value) {
            $response = $response->withHeader($key, $value);
        }

        return $response;

    }
}


1			<?php
2
3			namespace Jidaikobo\Kontiki\Middleware;
4
5			use Psr\Http\Message\ResponseInterface as Response;
6			use Psr\Http\Message\ServerRequestInterface as Request;
7			use Psr\Http\Server\MiddlewareInterface;
8			use Psr\Http\Server\RequestHandlerInterface;
9
10			class SecurityHeadersMiddleware implements MiddlewareInterface
11			{
12			/**
13			* Process an incoming server request and apply security headers.
14			*
15			* @param Request $request
16			* @param RequestHandlerInterface $handler
17			* @return Response
18			*/
19			public function process(Request $request, RequestHandlerInterface $handler): Response
20			{
21			// Delegate the request to the next middleware or controller
22			$response = $handler->handle($request);
23
24			// ホスト名を取得
25			$host = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' \|\| $_SERVER['SERVER_PORT'] == 443)
26			? 'https://' . ($_SERVER['HTTP_HOST'] ?? ($_SERVER['SERVER_NAME'] ?? 'localhost'))
27			: 'http://' . ($_SERVER['HTTP_HOST'] ?? ($_SERVER['SERVER_NAME'] ?? 'localhost'));
28
29			// Add security headers
30			$headers = [
31			"Content-Security-Policy" => "default-src 'self'; " .
32			"script-src 'self' https://cdn.jsdelivr.net https://code.jquery.com; " .
33			"style-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; " .
34			"font-src 'self' https://cdnjs.cloudflare.com; " .
35			"img-src 'self' data:; " .
36			"connect-src 'self'; " .
37			"frame-src 'self';",
38			"Strict-Transport-Security" => "max-age=31536000; includeSubDomains",
39			"X-Content-Type-Options" => "nosniff",
40			"Referrer-Policy" => "no-referrer-when-downgrade",
41			"X-XSS-Protection" => "1; mode=block",
42			"Permissions-Policy" => "geolocation=(), microphone=(), camera=()",
43			"X-Frame-Options" => "SAMEORIGIN",
44			"Access-Control-Allow-Origin" => $host,
45			];
46
47			foreach ($headers as $key => $value) {
48			$response = $response->withHeader($key, $value);
49			}
50
51			return $response;
			0 ignored issues – show Bug Best Practice introduced 2024-12-30 03:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return $response` could return the type `Psr\Http\Message\MessageInterface` which includes types incompatible with the type-hinted return `Psr\Http\Message\ResponseInterface`. Consider adding an additional type-check to rule them out. Loading history...
52			}
53			}
54

jidaikobo-shibata / kontiki-framework

Issues (121)

src/Middleware/SecurityHeadersMiddleware.php (1 issue)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like