From 05b3a9ad7e72cc71b09ed8ef2e87db19fa3700ee Mon Sep 17 00:00:00 2001
From: snipe
Date: Mon, 22 Jun 2020 23:17:27 -0700
Subject: [PATCH] Config variable for HSTS
---
 .env.example | 1 +
 app/Http/Middleware/SecurityHeaders.php | 35 ++++++++++++++++++-------
 config/app.php | 32 +++++++++++++++-------
 3 files changed, 49 insertions(+), 19 deletions(-)
diff --git a/.env.example b/.env.example
index b3b0b0e4ed..4ec2ee6aab 100644
--- a/.env.example
+++ b/.env.example
@@ -71,6 +71,7 @@ ALLOW_IFRAMING=false
 REFERRER_POLICY=same-origin
 ENABLE_CSP=false
 CORS_ALLOWED_ORIGINS=null
+ENABLE_HSTS=false
 # --------------------------------------------
 # OPTIONAL: CACHE SETTINGS
diff --git a/app/Http/Middleware/SecurityHeaders.php b/app/Http/Middleware/SecurityHeaders.php
index 7a75bfdc9d..2c35ad80eb 100644
--- a/app/Http/Middleware/SecurityHeaders.php
+++ b/app/Http/Middleware/SecurityHeaders.php
@@ -24,24 +24,39 @@ class SecurityHeaders {
 $this->removeUnwantedHeaders($this->unwantedHeaderList);
 $response = $next($request);
+ $response->headers->set('Referrer-Policy', config('app.referrer_policy'));
 $response->headers->set('X-Content-Type-Options', 'nosniff');
 $response->headers->set('X-XSS-Protection', '1; mode=block');
- $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+ $response->headers->set('Feature-Policy', 'self');
 if (config('app.allow_iframing') == false) {
 $response->headers->set('X-Frame-Options', 'DENY');
 }
- $policy[] = "default-src 'self'";
- $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
- $policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com";
- $policy[] = "connect-src 'self'";
- $policy[] = "object-src 'none'";
- $policy[] = "font-src 'self' data:";
- $policy[] = "img-src 'self' data: gravatar.com";
- $policy = join(';', $policy);
- $response->headers->set('Content-Security-Policy', $policy);
+
+ // This defaults to false to maintain backwards compatibility
+ // people who are not running Snipe-IT over TLS (shame, shame, shame!)
+ // Seriously though, please run Snipe-IT over TLS. Let's Encrypt is free.
+ // https://letsencrypt.org
+
+ if (config('app.enable_hsts') === true) {
+ $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+ }
+
+ // We have to exclude debug mode here because debugbar pulls from a CDN or two
+ // and it will break things.
+ if ((config('app.debug')!='true') || (config('app.enable_csp')=='true')) {
+ $policy[] = "default-src 'self'";
+ $policy[] = "style-src 'self' 'unsafe-inline'";
+ $policy[] = "script-src 'self' 'unsafe-inline'";
+ $policy[] = "connect-src 'self'";
+ $policy[] = "object-src 'none'";
+ $policy[] = "font-src 'self' data:";
+ $policy[] = "img-src 'self' data: gravatar.com";
+ $policy = join(';', $policy);
+ $response->headers->set('Content-Security-Policy', $policy);
+ }
 return $response;
 }
diff --git a/config/app.php b/config/app.php
index 07d2ac6ef1..42044284a3 100755
--- a/config/app.php
+++ b/config/app.php
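Review bot: The new CSP guard `if ((config('app.debug')!='true') || (config('app.enable_csp')=='true'))` compares config values loosely against the string `'true'`, while the HSTS guard a few lines above uses `=== true`; Laravel's `env()` already yields booleans for `true`/`false`, so the loose form only works through bool-to-string coercion and should read `if (config('app.debug') !== true || config('app.enable_csp') === true) {` to match. That condition also sends the CSP whenever debug is off regardless of `ENABLE_CSP`, which is presumably intended but deserves a comment such as `// CSP is always sent outside debug mode; ENABLE_CSP only forces it on while debugging.`. The added `Feature-Policy: self` header also looks malformed: the header takes `<feature> <allowlist>` pairs, so a bare `self` is likely to be ignored by browsers; confirm which features are meant to be restricted. The enclosing method's signature lies above the hunk.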
@@ -197,19 +197,33 @@ return [
 /*
- |--------------------------------------------------------------------------
- | ALLOW I-FRAMING
- |--------------------------------------------------------------------------
- |
- | Normal users will never need to edit this. This option lets you run
- | Snipe-IT within an I-Frame, which is normally disabled by default for
- | security reasons, to prevent clickjacking. It should normally be set to false.
- |
- */
+ |--------------------------------------------------------------------------
+ | ALLOW I-FRAMING
+ |--------------------------------------------------------------------------
+ |
+ | Normal users will never need to edit this. This option lets you run
+ | Snipe-IT within an I-Frame, which is normally disabled by default for
+ | security reasons, to prevent clickjacking. It should normally be set to false.
+ |
+ */
 'allow_iframing' => env('ALLOW_IFRAMING', false),
+ /*
+ |--------------------------------------------------------------------------
+ | ENABLE HTTP Strict Transport Security (HSTS)
+ |--------------------------------------------------------------------------
+ |
+ | This is set to default false for backwards compatibilty but should be
+ | set to true if the hosting environment allows it.
+ |
+ | See https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
+ |
+ */
+
+ 'enable_hsts' => env('ENABLE_HSTS', false),
+
 /*
 |--------------------------------------------------------------------------
 | REFERRER-POLICY
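Review bot: The new `enable_hsts` block tells operators to turn it on "if the hosting environment allows it" without saying what that requires; the middleware in this same patch sends `max-age=31536000; includeSubDomains`, so once enabled, browsers will remember for a year that the host and every subdomain of it must be reached over HTTPS. Suggest adding a line to the block such as `| Only enable this once the app and every subdomain of its host are served over TLS; the header is sent with includeSubDomains and a one-year max-age, which browsers cache.` so the consequence is visible where the switch is flipped. The same comment also misspells "compatibilty" (should be "compatibility").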