🔒 Add treblle security headers middleware on graphql skeleton

laravelcm · Jul 4, 2023 · 9cabfc5 · 9cabfc5
1 parent 90d5f04
commit 9cabfc5
Show file tree

Hide file tree

Showing 8 changed files with 148 additions and 9 deletions.
diff --git a/projects/default-graphql/README.md b/projects/default-graphql/README.md
@@ -1,5 +1,3 @@
-<img src="/art/graphql.png" alt="Laravel API Skeleton" align="center">
-
 # Laravel API Skeleton - Example
 This project is a skeleton for building an API with Laravel and GraphQL. It is the simplest skeleton and contains only the basic files and dependencies 
 to start building your API with GraphQL.

diff --git a/projects/default-graphql/app/Http/Middleware/Security/XFrameOptionMiddleware.php b/projects/default-graphql/app/Http/Middleware/Security/XFrameOptionMiddleware.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware\Security;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class XFrameOptionMiddleware
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /**
+         * @var Response $response
+         */
+        $response = $next($request);
+
+        $response->headers->add([
+            'X-Frame-Options' => 'deny',
+        ]);
+
+        return $response;
+    }
+}
diff --git a/projects/default-graphql/composer.json b/projects/default-graphql/composer.json
@@ -22,7 +22,8 @@
     "laravel/tinker": "^2.8.1",
     "mll-lab/laravel-graphiql": "^3.0",
     "nuwave/lighthouse": "^6.12",
-    "timacdonald/json-api": "v1.0.0-beta.4"
+    "timacdonald/json-api": "v1.0.0-beta.4",
+    "treblle/security-headers": "^0.0.3"
   },
   "require-dev": {
     "fakerphp/faker": "^1.21.0",

diff --git a/projects/default-graphql/composer.lock b/projects/default-graphql/composer.lock
diff --git a/projects/default-graphql/config/headers.php b/projects/default-graphql/config/headers.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+return [
+    'remove' => [
+        'X-Powered-By',
+        'x-powered-by',
+        'Server',
+        'server',
+    ],
+
+    'referrer-policy' => 'no-referrer-when-downgrade',
+
+    'strict-transport-security' => 'max-age=31536000; includeSubDomains',
+
+    'certificate-transparency' => 'enforce, max-age=30',
+
+    'permissions-policy' => 'autoplay=(self), camera=(), encrypted-media=(self), fullscreen=(), geolocation=(self), gyroscope=(self), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(self), usb=()',
+
+    'content-type-options' => 'nosniff',
+];
diff --git a/projects/default-graphql/core/Http/Kernel.php b/projects/default-graphql/core/Http/Kernel.php
@@ -8,6 +8,7 @@
 use App\Http\Middleware\EnsureEmailIsVerified;
 use App\Http\Middleware\ContentTypeMiddleware;
 use App\Http\Middleware\PreventRequestsDuringMaintenance;
+use App\Http\Middleware\Security\XFrameOptionMiddleware;
 use App\Http\Middleware\TrimStrings;
 use App\Http\Middleware\TrustProxies;
 use App\Http\Middleware\ValidateSignature;
@@ -20,6 +21,12 @@
 use Illuminate\Http\Middleware\HandleCors;
 use Illuminate\Http\Middleware\SetCacheHeaders;
 use Illuminate\Routing\Middleware\ThrottleRequests;
+use Treblle\SecurityHeaders\Http\Middleware\CertificateTransparencyPolicy;
+use Treblle\SecurityHeaders\Http\Middleware\ContentTypeOptions;
+use Treblle\SecurityHeaders\Http\Middleware\PermissionsPolicy;
+use Treblle\SecurityHeaders\Http\Middleware\RemoveHeaders;
+use Treblle\SecurityHeaders\Http\Middleware\SetReferrerPolicy;
+use Treblle\SecurityHeaders\Http\Middleware\StrictTransportSecurity;
 
 final class Kernel extends HttpKernel
 {
@@ -39,6 +46,13 @@ final class Kernel extends HttpKernel
             ThrottleRequests::class.':api',
             ContentTypeMiddleware::class,
             CacheHeaders::class,
+            RemoveHeaders::class,
+            StrictTransportSecurity::class,
+            SetReferrerPolicy::class,
+            PermissionsPolicy::class,
+            ContentTypeOptions::class,
+            CertificateTransparencyPolicy::class,
+            XFrameOptionMiddleware::class,
         ],
     ];
 

diff --git a/projects/default-graphql/stubs/middleware.stub b/projects/default-graphql/stubs/middleware.stub
@@ -10,11 +10,6 @@ use Symfony\Component\HttpFoundation\Response;
 
 final class {{ class }}
 {
-    /**
-     * Handle an incoming request.
-     *
-     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
-     */
     public function handle(Request $request, Closure $next): Response
     {
         return $next($request);

diff --git a/skeleton/stubs/README.stub b/skeleton/stubs/README.stub
@@ -48,6 +48,25 @@ and you'll need to do another compose install to install the Laravel project's d
 ./skeleton/bin/project use {skeleton-name}
 ```
 
+## Autoload
+When you use a skeleton, it will overwrite the default root composer.json file and the commands for generating the project will no longer be available. To fix this, you need to autoload the skeleton folder using psr-4. Like this:
+
+```json
+{
+    "autoload": {
+        "psr-4": {
+            "App\\": "app/",
+            "Core\\": "core/",
+            "Skeleton\\": "skeleton/",
+            "Database\\Factories\\": "database/factories/",
+            "Database\\Seeders\\": "database/seeders/"
+        }
+    }
+}
+```
+
+**Tip: don't forget to run composer dump-autoload afterward.**
+
 Once you have built your skeleton and are satisfied with your work, you can generate a project and all the modifications you have made will be added only to the skeleton you have created.
 
 ```bash