Send security headers by default, closes #279
g105b committed Jul 23, 2019
1 parent 58f23b9 commit 86ff1ea
Showing 2 changed files with 17 additions and 0 deletions.
3 changes: 3 additions & 0 deletions config.default.ini
Expand Up @@ -17,3 +17,6 @@ query_directory=query
migration_path=_migration
migration_table=_migration
query_path=query

[security]
default_headers="X-Content-Type-Options: nosniff; X-Frame-Options: deny; Content-Security-Policy: default-src 'none'"
14 changes: 14 additions & 0 deletions src/Lifecycle.php
Expand Up @@ -56,6 +56,8 @@ public function start():void {
])
);

$this->defaultSecurityHeaders($config->get("security.default_headers"));

$input = new Input($_GET, $_POST, $_FILES);
$cookie = new CookieHandler($_COOKIE);

Expand Down Expand Up @@ -123,6 +125,18 @@ public function start():void {
$this->finish($response);
}

/**
* Set some sensible security headers by default. These can be
* overridden/disabled in the project's config.ini, but it makes sense
* to supply them by default in order to protect user applications
* without the explicit need for security configuration.
*/
public function defaultSecurityHeaders(string $headersString) {
foreach(explode(";", $headersString) as $header) {
header(trim($header));
}
}

/**
* By default, PHP passes all sensitive user information around in global variables,
* available for reading and modification in any code, including third party libraries.
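Review bot: `defaultSecurityHeaders` splits the configured value on `;`, which is also the directive separator inside a Content-Security-Policy value, so a project that tightens the policy in config.default.ini (say, adding a `script-src` directive after `default-src 'none'`) would have its CSP truncated at the first `;` and the remainder handed to `header()` as a line with no colon. A separator that cannot occur in a header value (a newline, or one header per config key) avoids this, and the `;` inside a single CSP directive is then treated as data. The loop also calls `header("")` when the setting is emptied to disable the feature, and the method lacks the `:void` return type that `start()` declares; `$header = trim($header); if($header === "") { continue; }` before the `header()` call covers the empty case. The call on line 29 passes `$config->get("security.default_headers")` straight into a `string` parameter, so a project config without that key would raise a TypeError rather than skip the headers — worth confirming against how the default ini is merged.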
