Beta to test

Author: bicf

.gitignore

@@ -0,0 +1,4 @@
+*.swp
+.vimrc
+composer.lock
+/vendor

.idea/vcs.xml

@@ -0,0 +1,2 @@
+Yii2 headers security
+================

README.md

@@ -0,0 +1,27 @@
+{
+    "name": "bicf/yii2-security-headers",
+    "description": "Security oriented headers management",
+    "keywords": ["yii2"],
+    "type": "yii2-extension",
+    "license": "GPL2",
+    "authors": [
+        {
+            "name": "Ivan Buttinoni",
+            "email": "[email protected]"
+        }
+    ],
+    "require": {
+      "yiisoft/yii2": "*"
+    },
+    "repositories": [
+        {
+            "type": "composer",
+            "url": "https://asset-packagist.org"
+        }
+    ],
+    "autoload": {
+        "psr-4": {
+            "bicf\\securityheaders\\": "src"
+        }
+    }
+}

composer.json

@@ -0,0 +1,82 @@
+<?php
+use bicf\securityheaders;
+
+/**
+ * Class Response
+ * ```php
+ * [
+ *     'components' => [
+ *         'response' => [
+ *             'class' => 'bicf\securityheaders\Response',
+ *             'on afterPrepare' => ['bicf\securityheaders\Response','modulesInit'],
+ *             'on afterSend' => ['bicf\securityheaders\Response','modulesSendHeaders'],
+ *             'modules' => [
+ *                'XContentTypeOptions'=>[
+ *                    'class' => 'bicf\securityheaders\modules\HeaderXContentTypeOptions',
+ *                    'value' => 'nosniff',
+ *                ],
+ *                'AccessControlAllowMethods'=>[
+ *                    'class' => 'bicf\securityheaders\modules\HeaderAccessControlAllowMethods',
+ *                    'value' => 'GET',
+ *                ],
+ *                'AccessControlAllowOrigin'=>[
+ *                    'class' => 'bicf\securityheaders\modules\HeaderAccessControlAllowOrigin',
+ *                    'value' => 'https://api.example.com',
+ *                ],
+ *                'ContentSecurityPolicyAcl'=>[
+ *                    'class' => 'bicf\securityheaders\modules\HeaderContentSecurityPolicyAcl',
+ *                    'enabled' => false,
+ *                    'policies' => [
+ *                        'default-src' => "'self'",
+ *                        'frame-src'   => "'self' www.facebook.com www.youtube.com www.google.com",
+ *                        'img-src'     => "'self' www.google-analytics.com",
+ *                        'font-src'    => "'self' fonts.gstatic.com maxcdn.bootstrapcdn.com",
+ *                        'media-src'   => "'self'",
+ *                        'script-src'  => "'self' www.google-analytics.com",
+ *                        'style-src'   => "'self' maxcdn.bootstrapcdn.com",
+ *                         'connect-src' => "'self'",
+ *                         'report-uri'  => "/report-csp-acl",
+ *                     ],
+ *                 ],
+ *                 'ContentSecurityPolicyMonitor'=>[
+ *                     'class' => 'bicf\securityheaders\modules\HeaderContentSecurityPolicyMonitor',
+ *                     'policies' => [
+ *                         'default-src' => "'self'",
+ *                         'frame-src'   => "'self' www.facebook.com www.youtube.com www.google.com",
+ *                         'img-src'     => "'self' www.google-analytics.com",
+ *                         'font-src'    => "'self' fonts.gstatic.com maxcdn.bootstrapcdn.com",
+ *                         'media-src'   => "'self'",
+ *                         'script-src'  => "'self' www.google-analytics.com",
+ *                         'style-src'   => "'self' maxcdn.bootstrapcdn.com",
+ *                         'connect-src' => "'self'",
+ *                         'report-uri'  => "/report-csp-acl",
+ *                     ],
+ *                 ],
+ *             ],
+ *         ],
+ *     ],
+ * ]
+ * 
+ * ```
+ */
+class Response extends \yii\web\Response
+{
+    /** @var array of header modules default is empty
+     *   use the configuration to populate the array 
+     */
+    public $modules=array();
+
+    protected function modulesInit()
+    {
+        foreach ($this->modules as $module){
+            $module->init();
+        }
+    }
+
+    protected function modulesSendHeaders()
+    {
+        foreach ($this->modules as $module){
+            $module->run();
+        }
+    }
+}

src/Response.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace bicf\securityheaders\modules;
+use yii\base\BaseObject;
+
+/**
+ * Class HeaderAccessControlAllowMethods
+ * @package bicf\securityheaders\modules
+ */
+class HeaderAccessControlAllowMethods extends HeaderModuleBase
+{
+    private $defaultValue='GET';
+    public $value;
+
+    public function init()
+    {
+        if($this->value === null){
+            $this->value =$this->defaultValue;
+        }
+    }
+
+    public function run()
+    {
+        if(!$this->enabled){
+            return;
+        }
+        \Yii::$app->response->headers->set('Access-Control-Allow-Methods',$this->value);
+    }
+}

src/modules/HeaderAccessControlAllowMethods.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace bicf\securityheaders\modules;
+use yii\base\BaseObject;
+
+/**
+ * Class HeaderAccessControlAllowOrigin
+ * @package bicf\securityheaders\modules
+ */
+class HeaderAccessControlAllowOrigin extends HeaderModuleBase
+{
+    public $value;
+
+    public function run()
+    {
+        if(!$this->enabled){
+            return;
+        }
+        if($this->value === null){
+            return;
+        }
+        \Yii::$app->response->headers->set('Access-Control-Allow-Origin',$this->value);
+    }
+}

src/modules/HeaderAccessControlAllowOrigin.php

@@ -0,0 +1,13 @@
+<?php
+
+namespace bicf\securityheaders\modules;
+
+/**
+ * Class HeaderContentSecurityPolicyAcl
+ * @package bicf\securityheaders\modules
+ */
+class HeaderContentSecurityPolicyAcl extends HeaderContentSecurityPolicyBase
+{
+    protected $headerName='Content-Security-Policy';
+
+}

src/modules/HeaderContentSecurityPolicyAcl.php

@@ -0,0 +1,56 @@
+<?php
+
+namespace bicf\securityheaders\modules;
+use yii\base\BaseObject;
+
+/**
+ * Class HeaderContentSecurityPolicyBase
+ * @package bicf\securityheaders\modules
+ */
+abstract class HeaderContentSecurityPolicyBase extends HeaderModuleBase
+{
+    const DEFAULT_SRC = 'default-src';
+    const FRAME_SRC = 'frame-src';
+    const IMG_SRC = 'img-src';
+    const FONT_SRC = 'font-src';
+    const MEDIA_SRC = 'media-src';
+    const SCRIPT_SRC = 'script-src';
+    const STYLE_SRC = 'style-src';
+    const CONNECT_SRC = 'connect-src';
+    const REPORT_URI = 'report-uri';
+
+    private static $token;
+    protected $headerName;
+
+    public  $policies = array();
+
+    public $nonceEnabled = true;
+
+    public static function getToken()
+    {
+        if(self::$token === null){
+            self::$token= \Yii::$app->security->generateRandomString();
+        }
+        return self::$token;
+    }
+
+    /**
+     * add the security header
+     */
+    public function run(){
+        if(!$this->enabled){
+            return;
+        }
+        if($this->nonceEnabled){
+            $scriptSrc = isset($this->policies[self::SCRIPT_SRC])?$this->policies[self::SCRIPT_SRC]:'';
+            $this->policies[self::SCRIPT_SRC] = "$scriptSrc 'nonce-".self::getToken()."'";
+        }
+
+        $sep=$value='';
+        foreach ($this->policies as $k => $v){
+            $value .="$sep$k $v; ";
+            $sep ="; ";
+        }
+        \Yii::$app->response->headers->set($this->headerName,$value);
+    }
+}

src/modules/HeaderContentSecurityPolicyBase.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace bicf\securityheaders\modules;
+
+/**
+ * Class HeaderContentSecurityPolicyMonitor
+ * @package bicf\securityheaders\modules
+ */
+class HeaderContentSecurityPolicyMonitor extends HeaderContentSecurityPolicyBase
+{
+    protected $headerName='Content-Security-Policy-Report-Only';
+
+
+
+}

src/modules/HeaderContentSecurityPolicyMonitor.php

@@ -0,0 +1,26 @@
+<?php
+/**
+ * Created by PhpStorm.
+ * User: ivan
+ * Date: 9/1/18
+ * Time: 12:21 AM
+ */
+
+namespace bicf\securityheaders\modules;
+
+
+use yii\base\BaseObject;
+
+/**
+ * Class HeaderModuleBase
+ * @package bicf\securityheaders\modules
+ * @property boolean $enabled 
+ */
+abstract class HeaderModuleBase extends BaseObject implements HeaderModuleInterface
+{
+    /**
+     * @var bool whether to enabled the module or not. Allows to turn the module header
+     * on and off according to specific conditions.
+     */
+     public $enabled=true;
+}

src/modules/HeaderModuleBase.php

@@ -0,0 +1,16 @@
+<?php
+/**
+ * Created by PhpStorm.
+ * User: ivan
+ * Date: 9/1/18
+ * Time: 12:21 AM
+ */
+
+namespace bicf\securityheaders\modules;
+
+
+interface HeaderModuleInterface
+{
+    public function init();
+    public function run();
+}

src/modules/HeaderModuleInterface.php

@@ -0,0 +1,30 @@
+<?php
+namespace bicf\securityheaders\modules;
+
+use yii\base\BaseObject;
+
+/**
+ * Class HeaderXContentTypeOptions
+ * @package bicf\securityheaders\modules
+ */
+class HeaderXContentTypeOptions extends HeaderModuleBase
+{
+    private $defaultValue='nosniff';
+    public $value;
+
+    public function init()
+    {
+        if($this->value === null){
+            $this->value =$this->defaultValue;
+        }
+    }
+
+
+    public function run()
+    {
+        if(!$this->enabled){
+            return;
+        }
+        \Yii::$app->response->headers->set('X-Content-Type-Options',$this->value);
+    }
+}