<?php
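/**
 * Example SecureHeaders subclass that configures a site's security headers
 * from its constructor: a Content-Security-Policy (with per-request nonces and
 * a hash-whitelisted inline style), cookie protection rules, HPKP, HSTS and
 * safe mode.
 *
 * The nonces generated for the script-src and style-src directives are kept in
 * public properties so templates can put them on inline elements.
 *
 * Everything here delegates to methods inherited from SecureHeaders; the exact
 * header output of each call is defined by the parent class.
 */
class CustomSecureHeaders extends SecureHeaders
{
    /** Nonce generated for the style-src directive; set in the constructor. */
    public $style_nonce;

    /** Nonce generated for the script-src directive; set in the constructor. */
    public $script_nonce;

    /**
     * Base CSP handed to $this->csp() in the constructor. Each directive maps
     * to a list of sources. NOTE(review): block-all-mixed-content presumably
     * uses [null] to mean "directive without a value" — confirm against
     * SecureHeaders.
     */
    private $base = [
        'default-src' => ["'self'"],
        'script-src' => [
            "'self'",
            'https://www.google-analytics.com/',
        ],
        'style-src' => [
            "'self'",
            'https://fonts.googleapis.com/',
            'https://cdnjs.cloudflare.com/ajax/libs/font-awesome/',
        ],
        'img-src' => [
            "'self'",
            'https://www.google-analytics.com/',
        ],
        'font-src' => [
            "'self'",
            'https://fonts.googleapis.com/',
            'https://fonts.gstatic.com/',
            'https://cdnjs.cloudflare.com/ajax/libs/font-awesome/',
        ],
        'child-src' => [
            "'self'",
        ],
        'frame-src' => [
            "'self'",
        ],
        'base-uri' => ["'self'"],
        'connect-src' => [
            "'self'",
            'https://www.google-analytics.com/r/collect',
        ],
        'form-action' => [
            "'self'",
        ],
        'frame-ancestors' => ["'none'"],
        'object-src' => ["'none'"],
        'block-all-mixed-content' => [null],
    ];

    /**
     * Configure all headers and cookies for the current response.
     *
     * Side effects only: calls header()/setcookie() and the parent's header
     * bookkeeping. Nothing here is returned.
     */
    public function __construct()
    {
        // Implicitly call $this->done() on the first byte of output.
        $this->done_on_output();
        // $this->stop_done_on_output();

        // Content headers.
        $this->header('Content-type', 'text/html; charset=utf-8');

        // Redirect to the www subdomain if not on localhost.
        $this->www_if_not_localhost();

        // Add a CSP policy as specified in $this->base.
        $this->csp($this->base);

        // Generate nonces for the script-src and style-src directives and keep
        // them in public properties for use in templates.
        $this->style_nonce = $this->csp_nonce('style');
        $this->script_nonce = $this->csp_nonce('script');

        // Whitelist a CSS snippet in the style-src directive by its hash.
        $style = 'body {background: black;}';
        $this->csp_hash('style', $style);

        // Add CSP reporting.
        $this->csp('report', 'https://report-uri.example.com/csp');

        // NOTE(review): this is a plain-http script source. Anything that can
        // tamper with traffic to that origin can inject script regardless of
        // the rest of the policy; an https source would not have that weakness.
        $this->csp('script', 'http://my.cdn.org');

        // Add some cookies. The remove_protected_cookie_substring() and
        // add_protected_cookie_name() calls adjust which of these names the
        // parent treats as protected; see SecureHeaders for the exact effect.
        setcookie('auth1', 'not a secret');
        setcookie('sId', 'secret');
        $this->remove_protected_cookie_substring('auth');
        setcookie('sess1', 'secret');
        setcookie('notasessioncookie', 'not a secret');
        $this->remove_protected_cookie_substring('sess');
        $this->add_protected_cookie_name('sess1');
        setcookie('preference', 'not a secret');
        // The domain argument is '' (the default) rather than null: null is
        // not a valid string argument under strict types and is deprecated for
        // setcookie() on current PHP. secure=true, httponly=false as before.
        setcookie('another-preference', 'not a secret', 10, '/', '', true, false);

        // Add an HPKP policy. The four entries show the accepted pin forms used
        // by this example: a bare pin, [pin, algo], [algo, pin] and [pin].
        $this->hpkp(
            [
                'pin1',
                ['pin2', 'sha256'],
                ['sha256', 'pin3'],
                ['pin4'],
            ],
            1500,
            1
        );

        // Use the regular PHP function to add Strict-Transport-Security.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

        // Enable safe mode, which should auto-modify the header above. Safe
        // mode raises an error of level E_USER_NOTICE if it has to modify any
        // headers.
        $this->safe_mode();
        // Uncomment the next line to allow HSTS in safe mode.
        // $this->safe_mode_exception('Strict-Transport-Security');
    }

    /**
     * Redirect (301) to the www. subdomain unless serving localhost.
     *
     * Reads SERVER_NAME, HTTP_HOST and REQUEST_URI from $_SERVER. When
     * SERVER_NAME or HTTP_HOST is missing or SERVER_NAME is empty (CLI, unusual
     * SAPIs) the redirect is skipped instead of emitting a Location header with
     * an empty host; a missing REQUEST_URI is treated as ''.
     *
     * NOTE(review): on some server configurations SERVER_NAME mirrors the
     * client-supplied Host header, in which case the redirect target is
     * attacker-influenced. A canonical host taken from configuration would be
     * safer than building it from the request.
     */
    public function www_if_not_localhost()
    {
        if (!isset($_SERVER['SERVER_NAME']) || !isset($_SERVER['HTTP_HOST'])) {
            return;
        }

        $serverName = $_SERVER['SERVER_NAME'];
        if ($serverName === '' || $serverName === 'localhost') {
            return;
        }

        // Already on the www host: nothing to do.
        if (substr($_SERVER['HTTP_HOST'], 0, 4) === 'www.') {
            return;
        }

        $requestUri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

        $this->add_header('HTTP/1.1 301 Moved Permanently');
        $this->add_header('Location', 'https://www.' . $serverName . $requestUri);
    }
}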
?>