mirror of
https://github.com/pterodactyl/panel.git
synced 2026-04-12 06:03:42 -05:00
14185a9430
Very minor changes, just adding some default headers in the event people don't configure this on their webserver. Also updating some packages to resolve open security alerts.
44 lines
1.3 KiB
PHP
44 lines
1.3 KiB
PHP
<?php
|
|
|
|
namespace Pterodactyl\Http\Middleware;
|
|
|
|
use Illuminate\Http\Request;
|
|
|
|
class SetSecurityHeaders
|
|
{
|
|
/**
|
|
* Ideally we move away from X-Frame-Options/X-XSS-Protection and implement a
|
|
* proper standard CSP, but I can guarantee that will break for a lot of folks
|
|
* using custom plugins and who knows what image embeds.
|
|
*
|
|
* We'll circle back to that at a later date when it can be more fully controlled
|
|
* by the admin to support those cases without too much trouble.
|
|
*/
|
|
private static array $headers = [
|
|
'X-Frame-Options' => 'DENY',
|
|
'X-Content-Type-Options' => 'nosniff',
|
|
'X-XSS-Protection' => '1; mode=block',
|
|
'Referrer-Policy' => 'no-referrer-when-downgrade',
|
|
];
|
|
|
|
/**
|
|
* Enforces some basic security headers on all responses returned by the software.
|
|
* If a header has already been set in another location within the code it will be
|
|
* skipped over here.
|
|
*
|
|
* @param (\Closure(mixed): \Illuminate\Http\Response) $next
|
|
*/
|
|
public function handle(Request $request, \Closure $next): mixed
|
|
{
|
|
$response = $next($request);
|
|
|
|
foreach (static::$headers as $key => $value) {
|
|
if (! $response->headers->has($key)) {
|
|
$response->headers->set($key, $value);
|
|
}
|
|
}
|
|
|
|
return $response;
|
|
}
|
|
}
|