mirror/UNIT3D-Community-Edition
1
0
Fork 0
mirror of https://github.com/HDInnovations/UNIT3D-Community-Edition.git synced 2026-01-16 00:41:01 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
UNIT3D-Community-Edition/config/secure-headers.php
Roardom 777cab49fa fix: don't hardcode websockets port in csp config 
Allows using websocket on other ports specified in the VITE_ECHO_ADDRESS env variable.
2025-05-27 20:44:39 +00:00

709 lines
18 KiB
PHP
Raw Permalink Blame History

<?php
declare(strict_types=1);
/**
* NOTICE OF LICENSE.
*
* UNIT3D Community Edition is open-sourced software licensed under the GNU Affero General Public License v3.0
* The details is bundled with this project in the file LICENSE.txt.
*
* @project UNIT3D Community Edition
*
* @author HDVinnie <hdinnovations@protonmail.com>
* @license https://www.gnu.org/licenses/agpl-3.0.en.html/ GNU Affero General Public License v3.0
*/
return [
/*
* Server
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
*
* Note: when server is empty string, it will not add to response header
*/
'server' => '',
/*
* X-Content-Type-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
*
* Available Value: 'nosniff'
*/
'x-content-type-options' => 'nosniff',
/*
* X-Download-Options
*
* Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
*
* Available Value: 'noopen'
*/
'x-download-options' => 'noopen',
/*
* X-Frame-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
*
* Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
*/
'x-frame-options' => 'sameorigin',
/*
* X-Permitted-Cross-Domain-Policies
*
* Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
*
* Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
*/
'x-permitted-cross-domain-policies' => 'none',
/*
* X-Powered-By
*
* Note: it will not add to response header if the value is empty string.
*/
'x-powered-by' => '',
/*
* X-XSS-Protection
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
*
* Available Value: '1', '0', '1; mode=block'
*/
'x-xss-protection' => '1; mode=block',
/*
* Referrer-Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
*
* Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
* 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
*/
'referrer-policy' => 'same-origin',
/*
* Clear-Site-Data
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
*/
'clear-site-data' => [
'enable' => false,
'all' => false,
'cache' => true,
'cookies' => true,
'storage' => true,
'executionContexts' => true,
],
/*
* HTTP Strict Transport Security
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
*
* Please ensure your website had set up ssl/tls before enable hsts.
*/
'hsts' => [
'enable' => env('HSTS_ENABLED', true),
'max-age' => 31536000,
'include-sub-domains' => true,
'preload' => true,
],
/*
* Expect-CT
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
*/
'expect-ct' => [
'enable' => true,
'max-age' => 2147483648,
'enforce' => false,
// report uri must be absolute-URI
'report-uri' => null,
],
/*
* Permissions Policy
*
* Reference: https://w3c.github.io/webappsec-permissions-policy/
*/
'permissions-policy' => [
'enable' => true,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/accelerometer
'accelerometer' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/ambient-light-sensor
'ambient-light-sensor' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/autoplay
'autoplay' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/battery
'battery' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/camera
'camera' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://www.chromestatus.com/feature/5690888397258752
'cross-origin-isolated' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/display-capture
'display-capture' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/document-domain
'document-domain' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/encrypted-media
'encrypted-media' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://wicg.github.io/page-lifecycle/#execution-while-not-rendered
'execution-while-not-rendered' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://wicg.github.io/page-lifecycle/#execution-while-out-of-viewport
'execution-while-out-of-viewport' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/fullscreen
'fullscreen' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/geolocation
'geolocation' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/gyroscope
'gyroscope' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/magnetometer
'magnetometer' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/microphone
'microphone' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/midi
'midi' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://drafts.csswg.org/css-nav-1/
'navigation-override' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/payment
'payment' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/picture-in-picture
'picture-in-picture' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/publickey-credentials-get
'publickey-credentials-get' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/screen-wake-lock
'screen-wake-lock' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/sync-xhr
'sync-xhr' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/usb
'usb' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/web-share
'web-share' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking
'xr-spatial-tracking' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
],
/*
* Content Security Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
*/
'csp' => [
'enable' => env('CSP_ENABLED', true),
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
'report-only' => env('CSP_REPORT_ONLY', false),
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
'report-to' => '',
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri
'report-uri' => [
// uri
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
'block-all-mixed-content' => true,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
'upgrade-insecure-requests' => true,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
'base-uri' => [
'self' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
'child-src' => [
'allow' => [
'https://www.youtube-nocookie.com/embed/'
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
'connect-src' => [
'self' => true,
'allow' => [
'https://'.parse_url(env('VITE_ECHO_ADDRESS'), PHP_URL_HOST).(parse_url(env('VITE_ECHO_ADDRESS'), PHP_URL_PORT) === null ? '' : ':'.parse_url(env('VITE_ECHO_ADDRESS'), PHP_URL_PORT)).'/socket.io/',
'wss://'.parse_url(env('VITE_ECHO_ADDRESS'), PHP_URL_HOST).(parse_url(env('VITE_ECHO_ADDRESS'), PHP_URL_PORT) === null ? '' : ':'.parse_url(env('VITE_ECHO_ADDRESS'), PHP_URL_PORT)).'/socket.io/',
'https://api.themoviedb.org/',
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
'default-src' => [
'none' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
'font-src' => [
'self' => true,
'schemes' => [
// 'data:',
// 'https:'
],
'allow' => [
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
'form-action' => [
'self' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
'frame-ancestors' => [
'self' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
'frame-src' => [
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
'img-src' => [
'self' => true,
'schemes' => [
'data:',
'https:',
],
'allow' => [
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src
'manifest-src' => [
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
'media-src' => [
'self' => true,
'schemes' => [
// 'data:',
// 'https:',
],
'allow' => [
'https://www.youtube-nocookie.com/embed/',
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to
'navigate-to' => [
'unsafe-allow-redirects' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
'object-src' => [
'none' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types
'plugin-types' => [
// 'application/pdf',
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src
'prefetch-src' => [
],
// https://w3c.github.io/webappsec-trusted-types/dist/spec/#integration-with-content-security-policy
'require-trusted-types-for' => [
'script' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
'sandbox' => [
'enable' => false,
'allow-downloads-without-user-activation' => false,
'allow-forms' => false,
'allow-modals' => false,
'allow-orientation-lock' => false,
'allow-pointer-lock' => false,
'allow-popups' => false,
'allow-popups-to-escape-sandbox' => false,
'allow-presentation' => false,
'allow-same-origin' => false,
'allow-scripts' => false,
'allow-storage-access-by-user-activation' => false,
'allow-top-navigation' => false,
'allow-top-navigation-by-user-activation' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
'script-src' => [
'none' => false,
'self' => true,
'report-sample' => false,
'allow' => [
],
'schemes' => [
// 'data:',
// 'https:',
],
/* followings are only work for `script` and `style` related directives */
'unsafe-inline' => false,
'unsafe-eval' => true,
// https://www.w3.org/TR/CSP3/#unsafe-hashes-usage
'unsafe-hashes' => false,
// Enable `strict-dynamic` will *ignore* `self`, `unsafe-inline`,
// `allow` and `schemes`. You can find more information from:
// https://www.w3.org/TR/CSP3/#strict-dynamic-usage
'strict-dynamic' => false,
'hashes' => [
'sha256' => [
// 'sha256-hash-value-with-base64-encode',
],
'sha384' => [
// 'sha384-hash-value-with-base64-encode',
],
'sha512' => [
// 'sha512-hash-value-with-base64-encode',
],
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr
'script-src-attr' => [
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem
'script-src-elem' => [
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
'style-src' => [
'self' => true,
'unsafe-inline' => true,
'schemes' => [
// 'https:',
],
'allow' => [
'gitcdn.xyz',
'github.io',
"*.github.io",
'github.com'
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr
'style-src-attr' => [
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem
'style-src-elem' => [
],
// https://w3c.github.io/webappsec-trusted-types/dist/spec/#trusted-types-csp-directive
'trusted-types' => [
'enable' => false,
'allow-duplicates' => false,
'default' => false,
'policies' => [
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src
'worker-src' => [
],
],
];
Reference in New Issue View Git Blame Copy Permalink