From 20c92b80dd9174e9fa8954ef5d62b9474f2d6850 Mon Sep 17 00:00:00 2001 From: Arthur Monney Date: Tue, 4 Jul 2023 16:19:44 +0200 Subject: [PATCH 1/3] :lock: Add treblle security headers middleware --- projects/default-graphql/core/Http/Kernel.php | 4 +- projects/default/.env.example | 4 +- projects/default/README.md | 4 +- ...ddleware.php => ContentTypeMiddleware.php} | 10 +- .../Security/XFrameOptionMiddleware.php | 26 +++ projects/default/composer.json | 3 +- projects/default/composer.lock | 158 ++++++------------ projects/default/config/headers.php | 22 +++ projects/default/core/Http/Kernel.php | 18 +- projects/default/stubs/middleware.stub | 5 - 10 files changed, 127 insertions(+), 127 deletions(-) rename projects/default/app/Http/Middleware/{JsonApiResponseMiddleware.php => ContentTypeMiddleware.php} (66%) create mode 100644 projects/default/app/Http/Middleware/Security/XFrameOptionMiddleware.php create mode 100644 projects/default/config/headers.php diff --git a/projects/default-graphql/core/Http/Kernel.php b/projects/default-graphql/core/Http/Kernel.php index b81054a..0170633 100644 --- a/projects/default-graphql/core/Http/Kernel.php +++ b/projects/default-graphql/core/Http/Kernel.php @@ -6,7 +6,7 @@ use App\Http\Middleware\CacheHeaders; use App\Http\Middleware\EnsureEmailIsVerified; -use App\Http\Middleware\JsonApiResponseMiddleware; +use App\Http\Middleware\ContentTypeMiddleware; use App\Http\Middleware\PreventRequestsDuringMaintenance; use App\Http\Middleware\TrimStrings; use App\Http\Middleware\TrustProxies; @@ -37,7 +37,7 @@ final class Kernel extends HttpKernel 'api' => [ ThrottleRequests::class.':api', - JsonApiResponseMiddleware::class, + ContentTypeMiddleware::class, CacheHeaders::class, ], ]; diff --git a/projects/default/.env.example b/projects/default/.env.example index 34cc140..a263ec7 100644 --- a/projects/default/.env.example +++ b/projects/default/.env.example 
@@ -1,4 +1,4 @@ -APP_NAME=Laravel +APP_NAME="Laravel API Skeleton" APP_ENV=local APP_KEY= APP_DEBUG=true @@ -11,7 +11,7 @@ LOG_LEVEL=debug DB_CONNECTION=mysql DB_HOST=127.0.0.1 DB_PORT=3306 -DB_DATABASE=api_boilerplate_laravel +DB_DATABASE=api DB_USERNAME=root DB_PASSWORD= diff --git a/projects/default/README.md b/projects/default/README.md index 3b2aaf3..76cfff2 100644 --- a/projects/default/README.md +++ b/projects/default/README.md @@ -1,8 +1,8 @@ -# Laravel API Skeleton - Default +# Laravel API Skeleton - Example This project is a skeleton for building an API with Laravel. It is the simplest skeleton and contains only the basic packages to build an API. ## Installation ```bash -composer require laravelcm/api-skeleton-default +composer require laravelcm/api-skeleton ``` diff --git a/projects/default/app/Http/Middleware/JsonApiResponseMiddleware.php b/projects/default/app/Http/Middleware/ContentTypeMiddleware.php similarity index 66% rename from projects/default/app/Http/Middleware/JsonApiResponseMiddleware.php rename to projects/default/app/Http/Middleware/ContentTypeMiddleware.php index 2ee11b9..49da605 100644 --- a/projects/default/app/Http/Middleware/JsonApiResponseMiddleware.php +++ b/projects/default/app/Http/Middleware/ContentTypeMiddleware.php @@ -8,7 +8,7 @@ use Illuminate\Http\Request; use Symfony\Component\HttpFoundation\Response; -final class JsonApiResponseMiddleware +final class ContentTypeMiddleware { public function handle(Request $request, Closure $next): Response { @@ -17,10 +17,10 @@ public function handle(Request $request, Closure $next): Response */ $response = $next($request); - $response->headers->set( - key: 'Content-Type', - values: 'application/vnd.api+json', - ); + $response->headers->add([ + 'Accept' => 'application/json', + 'Content-Type' => 'application/vnd.api+json', + ]); return $response; } 
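Review bot: `Accept` is a request header, so writing it into the response in `$response->headers->add([...])` has no effect on any client and should be dropped; if the intent is to require JSON-speaking clients, the check belongs on `$request->headers` before `$next($request)` is called. The middleware also stamps `Content-Type: application/vnd.api+json` on every response in the `api` group unconditionally, including redirects, file downloads and non-JSON error pages, which mislabels those bodies; consider only overriding when the response is a `JsonResponse` or when no `Content-Type` is already set, e.g. `if (!$response->headers->has('Content-Type')) { ... }`. `HeaderBag::add()` replaces an existing `Content-Type` just as the old `set()` did, so that part of the rename is behaviour-neutral.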
diff --git a/projects/default/app/Http/Middleware/Security/XFrameOptionMiddleware.php b/projects/default/app/Http/Middleware/Security/XFrameOptionMiddleware.php new file mode 100644 index 0000000..3494057 --- /dev/null +++ b/projects/default/app/Http/Middleware/Security/XFrameOptionMiddleware.php @@ -0,0 +1,26 @@ +headers->add([ + 'X-Frame-Options' => 'deny', + ]); + + return $response; + } +} diff --git a/projects/default/composer.json b/projects/default/composer.json index 0ab5b1d..216a021 100644 --- a/projects/default/composer.json +++ b/projects/default/composer.json @@ -20,7 +20,8 @@ "laravel/framework": "^10.2", "laravel/sanctum": "^3.2.1", "laravel/tinker": "^2.8.1", - "timacdonald/json-api": "v1.0.0-beta.4" + "timacdonald/json-api": "v1.0.0-beta.4", + "treblle/security-headers": "^0.0.3" }, "require-dev": { "fakerphp/faker": "^1.21.0", diff --git a/projects/default/composer.lock b/projects/default/composer.lock index 110a569..e5ed518 100644 --- a/projects/default/composer.lock +++ b/projects/default/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "5d38c5555ac5c5341dcc9e357be4277e", + "content-hash": "4473fe2b21930ed3ada0aa3450eacc5e", "packages": [ { "name": "brick/math", 
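Review bot: `X-Frame-Options` only covers the legacy framing check; the current mechanism is CSP `frame-ancestors`, and nothing in the new `config/headers.php` sets a `Content-Security-Policy`, so a browser that prefers CSP gets no frame policy at all. Consider adding `'Content-Security-Policy' => "frame-ancestors 'none'"` to the same `add()` call, and use the RFC 7034 spelling `DENY` (browsers treat the value case-insensitively, but the uppercase form is what scanners look for). The leading lines of this new file (`<?php`, namespace and the `$response = $next($request)` call) are not visible in this extract, so I cannot confirm the header is applied after the inner middleware runs.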
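Review bot: `"treblle/security-headers": "^0.0.3"` resolves to exactly 0.0.3 — a caret on a 0.0.x version allows no upgrade — so upstream fixes to these security headers will never be picked up without a manual bump, while the package itself is pre-1.0 and sits on every API response. The six middlewares pulled in are each a few lines, so vendoring them under `app/Http/Middleware/Security` next to `XFrameOptionMiddleware` would remove a 0.0.x dependency from the response path; if the package stays, add a Renovate/Dependabot rule for it and review the pinned commit `f03729a` recorded in the lock.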
@@ -2162,16 +2162,16 @@ }, { "name": "nesbot/carbon", - "version": "2.67.0", + "version": "2.68.1", "source": { "type": "git", "url": "https://github.com/briannesbitt/Carbon.git", - "reference": "c1001b3bc75039b07f38a79db5237c4c529e04c8" + "reference": "4f991ed2a403c85efbc4f23eb4030063fdbe01da" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/c1001b3bc75039b07f38a79db5237c4c529e04c8", - "reference": "c1001b3bc75039b07f38a79db5237c4c529e04c8", + "url": "https://api.github.com/repos/briannesbitt/Carbon/zipball/4f991ed2a403c85efbc4f23eb4030063fdbe01da", + "reference": "4f991ed2a403c85efbc4f23eb4030063fdbe01da", "shasum": "" }, "require": { @@ -2260,7 +2260,7 @@ "type": "tidelift" } ], - "time": "2023-05-25T22:09:47+00:00" + "time": "2023-06-20T18:29:04+00:00" }, { "name": "nette/schema", 
@@ -6249,43 +6249,39 @@ "time": "2023-02-20T08:18:59+00:00" }, { - "name": "treblle/treblle-api-tools-laravel", - "version": "0.0.1", + "name": "treblle/security-headers", + "version": "0.0.3", "source": { "type": "git", - "url": "https://github.com/Treblle/treblle-api-tools-laravel.git", - "reference": "f3661cbb65c94f6cb3e45fd28a32d1629797629e" + "url": "https://github.com/Treblle/security-headers.git", + "reference": "f03729aa31e9f86eb28f839946df2b4e319a0c02" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/Treblle/treblle-api-tools-laravel/zipball/f3661cbb65c94f6cb3e45fd28a32d1629797629e", - "reference": "f3661cbb65c94f6cb3e45fd28a32d1629797629e", + "url": "https://api.github.com/repos/Treblle/security-headers/zipball/f03729aa31e9f86eb28f839946df2b4e319a0c02", + "reference": "f03729aa31e9f86eb28f839946df2b4e319a0c02", "shasum": "" }, "require": { - "juststeveking/http-helpers": "^0.0.2", "php": "^8.2" }, "require-dev": { - "laravel/pint": "^1.7", - "orchestra/testbench": "^8.0", - "pestphp/pest": "^2.2.3", - "phpstan/phpstan": "^1.10.8" + "laravel/pint": "^1.10", + "orchestra/testbench": "^8.5.2", + "pestphp/pest": "^2.6.1", + "phpstan/phpstan": "^1.10.15" }, "type": "library", "extra": { "laravel": { "providers": [ - "Treblle\\Tools\\Providers\\PackageServiceProvider" - ], - "aliases": [ - "Headers" + "Treblle\\SecurityHeaders\\Providers\\PackageServiceProvider" ] } }, "autoload": { "psr-4": { - "Treblle\\Tools\\": "src/" + "Treblle\\SecurityHeaders\\": "src/" } }, "notification-url": "https://packagist.org/downloads/", @@ -6300,8 +6296,8 @@ "role": "Developer" } ], - "description": "A set of useful tools for building APIs in Laravel.", - "homepage": "https://treblle.com/", + "description": "A collection of HTTP middleware classes to improve the security headers in your Laravel application.", + "homepage": "https://www.treblle.com/", "keywords": [ "api", "debuging", 
@@ -6311,49 +6307,49 @@ "treblle" ], "support": { - "issues": "https://github.com/Treblle/treblle-api-tools-laravel/issues", - "source": "https://github.com/Treblle/treblle-api-tools-laravel/tree/0.0.1" + "issues": "https://github.com/Treblle/security-headers/issues", + "source": "https://github.com/Treblle/security-headers/tree/0.0.3" }, - "time": "2023-03-27T10:11:55+00:00" + "time": "2023-06-05T09:40:40+00:00" }, { - "name": "treblle/treblle-laravel", - "version": "2.8.8", + "name": "treblle/treblle-api-tools-laravel", + "version": "0.0.1", "source": { "type": "git", - "url": "https://github.com/Treblle/treblle-laravel.git", - "reference": "9928f5e0ef8401c1172cbf51c2fd8a3499a29e54" + "url": "https://github.com/Treblle/treblle-api-tools-laravel.git", + "reference": "f3661cbb65c94f6cb3e45fd28a32d1629797629e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/Treblle/treblle-laravel/zipball/9928f5e0ef8401c1172cbf51c2fd8a3499a29e54", - "reference": "9928f5e0ef8401c1172cbf51c2fd8a3499a29e54", + "url": "https://api.github.com/repos/Treblle/treblle-api-tools-laravel/zipball/f3661cbb65c94f6cb3e45fd28a32d1629797629e", + "reference": "f3661cbb65c94f6cb3e45fd28a32d1629797629e", "shasum": "" }, "require": { - "ext-json": "*", - "php": "^8.1", - "treblle/treblle-sdk-core": "^0.0.2" + "juststeveking/http-helpers": "^0.0.2", + "php": "^8.2" }, "require-dev": { - "friendsofphp/php-cs-fixer": "^3.15.1", - "guzzlehttp/guzzle": "^7.5", - "laravel/octane": "^1.5", - "laravel/pint": "^1.6", - "orchestra/testbench": "^7.0 || ^8.0.8", - "phpstan/phpstan": "^1.10" + "laravel/pint": "^1.7", + "orchestra/testbench": "^8.0", + "pestphp/pest": "^2.2.3", + "phpstan/phpstan": "^1.10.8" }, "type": "library", "extra": { "laravel": { "providers": [ - "Treblle\\TreblleServiceProvider" + "Treblle\\Tools\\Providers\\PackageServiceProvider" + ], + "aliases": [ + "Headers" ] } }, "autoload": { "psr-4": { - "Treblle\\": "src/" + "Treblle\\Tools\\": "src/" } }, "notification-url": 
"https://packagist.org/downloads/", @@ -6361,20 +6357,14 @@ "MIT" ], "authors": [ - { - "name": "Vedran Cindrić", - "email": "vedran@treblle.com", - "homepage": "https://treblle.com/", - "role": "Developer" - }, { "name": "Steve McDougall", "email": "juststevemcd@gmail.com", - "homepage": "https://treblle.com/", + "homepage": "https://www.juststeveking.uk/", "role": "Developer" } ], - "description": "Stay in tune with your APIs", + "description": "A set of useful tools for building APIs in Laravel.", "homepage": "https://treblle.com/", "keywords": [ "api", 
@@ -6385,58 +6375,10 @@ "treblle" ], "support": { - "issues": "https://github.com/Treblle/treblle-laravel/issues", - "source": "https://github.com/Treblle/treblle-laravel/tree/2.8.8" - }, - "time": "2023-05-02T10:55:12+00:00" - }, - { - "name": "treblle/treblle-sdk-core", - "version": "0.0.2", - "source": { - "type": "git", - "url": "https://github.com/Treblle/treblle-sdk-core.git", - "reference": "8f47d59dc3d40e3ef4251cb51786af0f2f989434" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/Treblle/treblle-sdk-core/zipball/8f47d59dc3d40e3ef4251cb51786af0f2f989434", - "reference": "8f47d59dc3d40e3ef4251cb51786af0f2f989434", - "shasum": "" - }, - "require": { - "php": "^8.1", - "thecodingmachine/safe": "^2.4" - }, - "require-dev": { - "laravel/pint": "^1.6", - "pestphp/pest": "^1.22.4", - "phpstan/phpstan": "^1.10.3" - }, - "type": "library", - "autoload": { - "psr-4": { - "Treblle\\Core\\": "src/" - } - }, - "notification-url": "https://packagist.org/downloads/", - "license": [ - "MIT" - ], - "authors": [ - { - "name": "Steve McDougall", - "email": "juststevemcd@gmail.com", - "homepage": "https://www.juststeveking.uk/", - "role": "Developer" - } - ], - "description": "The core PHP SDK classes used by the Treblle SDKs.", - "support": { - "issues": "https://github.com/Treblle/treblle-sdk-core/issues", - "source": "https://github.com/Treblle/treblle-sdk-core/tree/0.0.2" + "issues": "https://github.com/Treblle/treblle-api-tools-laravel/issues", + "source": "https://github.com/Treblle/treblle-api-tools-laravel/tree/0.0.1" }, - "time": "2023-03-10T11:12:00+00:00" + "time": "2023-03-27T10:11:55+00:00" }, { "name": "vlucas/phpdotenv", 
@@ -7798,16 +7740,16 @@ }, { "name": "phpstan/phpstan", - "version": "1.10.21", + "version": "1.10.22", "source": { "type": "git", "url": "https://github.com/phpstan/phpstan.git", - "reference": "b2a30186be2e4d97dce754ae4e65eb0ec2f04eb5" + "reference": "97d694dfd4ceb57bcce4e3b38548f13ea62e4287" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpstan/zipball/b2a30186be2e4d97dce754ae4e65eb0ec2f04eb5", - "reference": "b2a30186be2e4d97dce754ae4e65eb0ec2f04eb5", + "url": "https://api.github.com/repos/phpstan/phpstan/zipball/97d694dfd4ceb57bcce4e3b38548f13ea62e4287", + "reference": "97d694dfd4ceb57bcce4e3b38548f13ea62e4287", "shasum": "" }, "require": { @@ -7856,7 +7798,7 @@ "type": "tidelift" } ], - "time": "2023-06-21T20:07:58+00:00" + "time": "2023-06-30T20:04:11+00:00" }, { "name": "phpunit/php-code-coverage", diff --git a/projects/default/config/headers.php b/projects/default/config/headers.php new file mode 100644 index 0000000..f6a5a69 --- /dev/null +++ b/projects/default/config/headers.php @@ -0,0 +1,22 @@ + [ + 'X-Powered-By', + 'x-powered-by', + 'Server', + 'server', + ], + + 'referrer-policy' => 'no-referrer-when-downgrade', + + 'strict-transport-security' => 'max-age=31536000; includeSubDomains', + + 'certificate-transparency' => 'enforce, max-age=30', + + 'permissions-policy' => 'autoplay=(self), camera=(), encrypted-media=(self), fullscreen=(), geolocation=(self), gyroscope=(self), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(self), usb=()', + + 'content-type-options' => 'nosniff', +]; diff --git a/projects/default/core/Http/Kernel.php b/projects/default/core/Http/Kernel.php index b81054a..bb6e93c 100644 --- a/projects/default/core/Http/Kernel.php +++ b/projects/default/core/Http/Kernel.php 
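Review bot: The `'certificate-transparency' => 'enforce, max-age=30'` entry appears to drive the `Expect-CT` header, which browsers have dropped (Chrome removed support in 2022; CT is enforced by default now), so it only adds a no-op header to every response — remove it or mark it `// legacy: Expect-CT is no longer honoured by browsers`. `'referrer-policy' => 'no-referrer-when-downgrade'` is the weakest common value and sends the full URL, including any path or query tokens, to third-party origins over HTTPS; for an API `strict-origin-when-cross-origin` or `no-referrer` is the usual choice. Note too that the `remove` list only affects headers PHP itself emits: a `Server` header added by nginx/Apache in front of php-fpm is written after this middleware runs and must be suppressed in the web-server config, and `X-Powered-By` is best disabled at the source with `expose_php = Off`.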
@@ -6,8 +6,9 @@ use App\Http\Middleware\CacheHeaders; use App\Http\Middleware\EnsureEmailIsVerified; -use App\Http\Middleware\JsonApiResponseMiddleware; +use App\Http\Middleware\ContentTypeMiddleware; use App\Http\Middleware\PreventRequestsDuringMaintenance; +use App\Http\Middleware\Security\XFrameOptionMiddleware; use App\Http\Middleware\TrimStrings; use App\Http\Middleware\TrustProxies; use App\Http\Middleware\ValidateSignature; @@ -20,6 +21,12 @@ use Illuminate\Http\Middleware\HandleCors; use Illuminate\Http\Middleware\SetCacheHeaders; use Illuminate\Routing\Middleware\ThrottleRequests; +use Treblle\SecurityHeaders\Http\Middleware\CertificateTransparencyPolicy; +use Treblle\SecurityHeaders\Http\Middleware\ContentTypeOptions; +use Treblle\SecurityHeaders\Http\Middleware\PermissionsPolicy; +use Treblle\SecurityHeaders\Http\Middleware\RemoveHeaders; +use Treblle\SecurityHeaders\Http\Middleware\SetReferrerPolicy; +use Treblle\SecurityHeaders\Http\Middleware\StrictTransportSecurity; final class Kernel extends HttpKernel { @@ -37,8 +44,15 @@ final class Kernel extends HttpKernel 'api' => [ ThrottleRequests::class.':api', - JsonApiResponseMiddleware::class, + ContentTypeMiddleware::class, CacheHeaders::class, + RemoveHeaders::class, + StrictTransportSecurity::class, + SetReferrerPolicy::class, + PermissionsPolicy::class, + ContentTypeOptions::class, + CertificateTransparencyPolicy::class, + XFrameOptionMiddleware::class, ], ]; diff --git a/projects/default/stubs/middleware.stub b/projects/default/stubs/middleware.stub index e32b3fc..76b7b53 100644 --- a/projects/default/stubs/middleware.stub +++ b/projects/default/stubs/middleware.stub @@ -10,11 +10,6 @@ use Symfony\Component\HttpFoundation\Response; final class {{ class }} { - /** - * Handle an incoming request. - * - * @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next - */ public function handle(Request $request, Closure $next): Response { return $next($request); 
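Review bot: The new header middlewares are registered only in the `api` route group, so any response produced outside it — 404s for unknown routes, exception responses from the handler, anything served by `web` — is sent without HSTS, `nosniff` or the frame policy; moving `RemoveHeaders`, `StrictTransportSecurity`, `ContentTypeOptions` and `XFrameOptionMiddleware` into the global `$middleware` stack would cover every response. `StrictTransportSecurity` should also only be emitted on HTTPS responses: browsers ignore it over plain HTTP, but with `includeSubDomains` a staging host behind a mis-terminated TLS proxy can pin every sub-domain for a year, so it is worth confirming the package gates on `$request->secure()` or wrapping it on `APP_ENV`. The `$middlewareGroups` property this hunk edits begins before the hunk.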
From 90d5f040e6c7d30550e6ccfc65518622389dabac Mon Sep 17 00:00:00 2001 From: Arthur Monney Date: Tue, 4 Jul 2023 16:26:18 +0200 Subject: [PATCH 2/3] Add Skeleton autoload advice --- README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/README.md b/README.md index 48ba96c..586abb1 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,25 @@ and you'll need to do another compose install to install the Laravel project's d ./skeleton/bin/project use {skeleton-name} ``` +## Autoload +When you use a skeleton, it will overwrite the default root composer.json file and the commands for generating the project will no longer be available. To fix this, you need to autoload the skeleton folder using psr-4. Like this: + +```json +{ + "autoload": { + "psr-4": { + "App\\": "app/", + "Core\\": "core/", + "Skeleton\\": "skeleton/", + "Database\\Factories\\": "database/factories/", + "Database\\Seeders\\": "database/seeders/" + } + } +} +``` + +**Tip: don't forget to run composer dump-autoload afterward.** + Once you have built your skeleton and are satisfied with your work, you can generate a project and all the modifications you have made will be added only to the skeleton you have created. ```bash From 9cabfc5cb22998caef6773e3b9e613ae3d83a494 Mon Sep 17 00:00:00 2001 
From: Arthur Monney Date: Tue, 4 Jul 2023 16:34:58 +0200 Subject: [PATCH 3/3] :lock: Add treblle security headers middleware on graphql skeleton --- projects/default-graphql/README.md | 2 - .../Security/XFrameOptionMiddleware.php | 26 ++++++++ projects/default-graphql/composer.json | 3 +- projects/default-graphql/composer.lock | 66 ++++++++++++++++++- projects/default-graphql/config/headers.php | 22 +++++++ projects/default-graphql/core/Http/Kernel.php | 14 ++++ .../default-graphql/stubs/middleware.stub | 5 -- skeleton/stubs/README.stub | 19 ++++++ 8 files changed, 148 insertions(+), 9 deletions(-) create mode 100644 projects/default-graphql/app/Http/Middleware/Security/XFrameOptionMiddleware.php create mode 100644 projects/default-graphql/config/headers.php diff --git a/projects/default-graphql/README.md b/projects/default-graphql/README.md index 499b3a9..f76cf83 100644 --- a/projects/default-graphql/README.md +++ b/projects/default-graphql/README.md @@ -1,5 +1,3 @@ -Laravel API Skeleton - # Laravel API Skeleton - Example This project is a skeleton for building an API with Laravel and GraphQL. It is the simplest skeleton and contains only the basic files and dependencies to start building your API with GraphQL. diff --git a/projects/default-graphql/app/Http/Middleware/Security/XFrameOptionMiddleware.php b/projects/default-graphql/app/Http/Middleware/Security/XFrameOptionMiddleware.php new file mode 100644 index 0000000..3494057 --- /dev/null +++ b/projects/default-graphql/app/Http/Middleware/Security/XFrameOptionMiddleware.php @@ -0,0 +1,26 @@ +headers->add([ + 'X-Frame-Options' => 'deny', + ]); + + return $response; + } +} diff --git a/projects/default-graphql/composer.json b/projects/default-graphql/composer.json index 1eeef2a..c555010 100644 --- a/projects/default-graphql/composer.json +++ b/projects/default-graphql/composer.json 
@@ -22,7 +22,8 @@ "laravel/tinker": "^2.8.1", "mll-lab/laravel-graphiql": "^3.0", "nuwave/lighthouse": "^6.12", - "timacdonald/json-api": "v1.0.0-beta.4" + "timacdonald/json-api": "v1.0.0-beta.4", + "treblle/security-headers": "^0.0.3" }, "require-dev": { "fakerphp/faker": "^1.21.0", diff --git a/projects/default-graphql/composer.lock b/projects/default-graphql/composer.lock index ccf3273..97d18f4 100644 --- a/projects/default-graphql/composer.lock +++ b/projects/default-graphql/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "803870ebc46a99f89fb0c11dbec869c0", + "content-hash": "62ad7fa85e6bf917e551a4abc8ca6fa7", "packages": [ { "name": "brick/math", 
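Review bot: As in the default skeleton, `"treblle/security-headers": "^0.0.3"` pins the package to exactly 0.0.3 (caret on 0.0.x permits no minor or patch upgrade), so header fixes will not flow into generated projects without a manual bump. Either widen the constraint once the package has a stable release, or vendor the handful of middlewares locally so the GraphQL skeleton does not ship a pre-1.0 dependency on its response path.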
@@ -6544,6 +6544,70 @@ }, "time": "2023-02-20T08:18:59+00:00" }, + { + "name": "treblle/security-headers", + "version": "0.0.3", + "source": { + "type": "git", + "url": "https://github.com/Treblle/security-headers.git", + "reference": "f03729aa31e9f86eb28f839946df2b4e319a0c02" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/Treblle/security-headers/zipball/f03729aa31e9f86eb28f839946df2b4e319a0c02", + "reference": "f03729aa31e9f86eb28f839946df2b4e319a0c02", + "shasum": "" + }, + "require": { + "php": "^8.2" + }, + "require-dev": { + "laravel/pint": "^1.10", + "orchestra/testbench": "^8.5.2", + "pestphp/pest": "^2.6.1", + "phpstan/phpstan": "^1.10.15" + }, + "type": "library", + "extra": { + "laravel": { + "providers": [ + "Treblle\\SecurityHeaders\\Providers\\PackageServiceProvider" + ] + } + }, + "autoload": { + "psr-4": { + "Treblle\\SecurityHeaders\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Steve McDougall", + "email": "juststevemcd@gmail.com", + "homepage": "https://www.juststeveking.uk/", + "role": "Developer" + } + ], + "description": "A collection of HTTP middleware classes to improve the security headers in your Laravel application.", + "homepage": "https://www.treblle.com/", + "keywords": [ + "api", + "debuging", + "documentation", + "laravel", + "monitoring", + "treblle" + ], + "support": { + "issues": "https://github.com/Treblle/security-headers/issues", + "source": "https://github.com/Treblle/security-headers/tree/0.0.3" + }, + "time": "2023-06-05T09:40:40+00:00" + }, { "name": "treblle/treblle-api-tools-laravel", "version": "0.0.1", diff --git a/projects/default-graphql/config/headers.php b/projects/default-graphql/config/headers.php new file mode 100644 index 0000000..f6a5a69 --- /dev/null +++ b/projects/default-graphql/config/headers.php 
@@ -0,0 +1,22 @@ + [ + 'X-Powered-By', + 'x-powered-by', + 'Server', + 'server', + ], + + 'referrer-policy' => 'no-referrer-when-downgrade', + + 'strict-transport-security' => 'max-age=31536000; includeSubDomains', + + 'certificate-transparency' => 'enforce, max-age=30', + + 'permissions-policy' => 'autoplay=(self), camera=(), encrypted-media=(self), fullscreen=(), geolocation=(self), gyroscope=(self), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(self), usb=()', + + 'content-type-options' => 'nosniff', +]; diff --git a/projects/default-graphql/core/Http/Kernel.php b/projects/default-graphql/core/Http/Kernel.php index 0170633..bb6e93c 100644 --- a/projects/default-graphql/core/Http/Kernel.php +++ b/projects/default-graphql/core/Http/Kernel.php @@ -8,6 +8,7 @@ use App\Http\Middleware\EnsureEmailIsVerified; use App\Http\Middleware\ContentTypeMiddleware; use App\Http\Middleware\PreventRequestsDuringMaintenance; +use App\Http\Middleware\Security\XFrameOptionMiddleware; use App\Http\Middleware\TrimStrings; use App\Http\Middleware\TrustProxies; use App\Http\Middleware\ValidateSignature; @@ -20,6 +21,12 @@ use Illuminate\Http\Middleware\HandleCors; use Illuminate\Http\Middleware\SetCacheHeaders; use Illuminate\Routing\Middleware\ThrottleRequests; +use Treblle\SecurityHeaders\Http\Middleware\CertificateTransparencyPolicy; +use Treblle\SecurityHeaders\Http\Middleware\ContentTypeOptions; +use Treblle\SecurityHeaders\Http\Middleware\PermissionsPolicy; +use Treblle\SecurityHeaders\Http\Middleware\RemoveHeaders; +use Treblle\SecurityHeaders\Http\Middleware\SetReferrerPolicy; +use Treblle\SecurityHeaders\Http\Middleware\StrictTransportSecurity; final class Kernel extends HttpKernel { 
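Review bot: `'strict-transport-security' => 'max-age=31536000; includeSubDomains'` is a one-year pin that also covers every sub-domain, so the first browser that sees it from the apex will refuse plain HTTP to any sub-domain; ship it with a short `max-age` first and widen it only once all hosts serve HTTPS, and do not emit it from `APP_ENV=local` where the skeleton runs on `http://127.0.0.1` (HSTS is ignored over HTTP, but a dev TLS proxy would persist it). The `permissions-policy` string grants `autoplay=(self)`, `encrypted-media=(self)`, `geolocation=(self)`, `gyroscope=(self)` and `sync-xhr=(self)`, none of which a GraphQL endpoint uses — for a pure API every feature can be `()`. `'certificate-transparency'` appears to drive the obsolete `Expect-CT` header, as in the default skeleton's config, and can be dropped.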
@@ -39,6 +46,13 @@ final class Kernel extends HttpKernel ThrottleRequests::class.':api', ContentTypeMiddleware::class, CacheHeaders::class, + RemoveHeaders::class, + StrictTransportSecurity::class, + SetReferrerPolicy::class, + PermissionsPolicy::class, + ContentTypeOptions::class, + CertificateTransparencyPolicy::class, + XFrameOptionMiddleware::class, ], ]; diff --git a/projects/default-graphql/stubs/middleware.stub b/projects/default-graphql/stubs/middleware.stub index e32b3fc..76b7b53 100644 --- a/projects/default-graphql/stubs/middleware.stub +++ b/projects/default-graphql/stubs/middleware.stub @@ -10,11 +10,6 @@ use Symfony\Component\HttpFoundation\Response; final class {{ class }} { - /** - * Handle an incoming request. - * - * @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next - */ public function handle(Request $request, Closure $next): Response { return $next($request); diff --git a/skeleton/stubs/README.stub b/skeleton/stubs/README.stub index 48ba96c..a21e6a9 100644 --- a/skeleton/stubs/README.stub +++ b/skeleton/stubs/README.stub @@ -48,6 +48,25 @@ and you'll need to do another compose install to install the Laravel project's d ./skeleton/bin/project use {skeleton-name} ``` +## Autoload +When you use a skeleton, it will overwrite the default root composer.json file and the commands for generating the project will no longer be available. To fix this, you need to autoload the skeleton folder using psr-4. Like this: + +```json +{ + "autoload": { + "psr-4": { + "App\\": "app/", + "Core\\": "core/", + "Skeleton\\": "skeleton/", + "Database\\Factories\\": "database/factories/", + "Database\\Seeders\\": "database/seeders/" + } + } +} +``` + +**Tip: don't forget to run composer dump-autoload afterward.** + Once you have built your skeleton and are satisfied with your work, you can generate a project and all the modifications you have made will be added only to the skeleton you have created. ```bash
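Review bot: These middlewares are added to the `api` group only, so responses outside that group — route 404s, handler-generated error responses, anything in `web` — carry none of the new headers; registering at least `RemoveHeaders`, `StrictTransportSecurity`, `ContentTypeOptions` and `XFrameOptionMiddleware` in the global `$middleware` stack would make coverage unconditional. Lighthouse registers the `/graphql` route with the middleware configured in its own config file (not shown here), so it is worth confirming that route actually runs the `api` group, otherwise the GraphQL endpoint itself gets no security headers from this change. The `$middlewareGroups` array this hunk edits starts above the hunk.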