From 581dcae2efbe2d9aede869cd5c51825a8fa77ce7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Mon, 8 Jun 2020 20:23:35 +0200
Subject: [PATCH] Added some basic security configuration with NelmioSecurityBundle.
---
 composer.json | 1 +
 composer.lock | 182 ++++++++++++++++++++++++++-
 config/bundles.php | 1 +
 config/packages/nelmio_security.yaml | 31 +++++
 symfony.lock | 18 +++
 5 files changed, 232 insertions(+), 1 deletion(-)
 create mode 100644 config/packages/nelmio_security.yaml
diff --git a/composer.json b/composer.json
index 6c34ae5b..daa64f78 100644
--- a/composer.json
+++ b/composer.json
@@ -21,6 +21,7 @@
 "gregwar/captcha-bundle": "^2.1.0",
 "league/html-to-markdown": "^4.8",
 "liip/imagine-bundle": "^2.2",
+ "nelmio/security-bundle": "^2.9",
 "nyholm/psr7": "^1.1",
 "ocramius/proxy-manager": "2.2.*",
 "omines/datatables-bundle": "^0.4.0",
diff --git a/composer.lock b/composer.lock
index 84b76582..1aa190a0 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "4c03a0cabed4fc08ab4f6e0fe85dd2bf", + "content-hash": "00430370b53cd18db3a0a78b70ab6b93", "packages": [ { "name": "beberlei/assert",
@@ -168,6 +168,62 @@ ], "time": "2020-04-15T15:59:35+00:00" }, + { + "name": "composer/ca-bundle", + "version": "1.2.7", + "source": { + "type": "git", + "url": "https://github.com/composer/ca-bundle.git", + "reference": "95c63ab2117a72f48f5a55da9740a3273d45b7fd" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/composer/ca-bundle/zipball/95c63ab2117a72f48f5a55da9740a3273d45b7fd", + "reference": "95c63ab2117a72f48f5a55da9740a3273d45b7fd", + "shasum": "" + }, + "require": { + "ext-openssl": "*", + "ext-pcre": "*", + "php": "^5.3.2 || ^7.0 || ^8.0" + }, + "require-dev": { + "phpunit/phpunit": "^4.8.35 || ^5.7 || 6.5 - 8", + "psr/log": "^1.0", + "symfony/process": "^2.5 || ^3.0 || ^4.0 || ^5.0" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.x-dev" + } + }, + "autoload": { + "psr-4": { + "Composer\\CaBundle\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Jordi Boggiano", + "email": "j.boggiano@seld.be", + "homepage": "http://seld.be" + } + ], + "description": "Lets you find a path to the system CA bundle, and includes a fallback to the Mozilla CA bundle.", + "keywords": [ + "cabundle", + "cacert", + "certificate", + "ssl", + "tls" + ], + "time": "2020-04-08T08:27:21+00:00" + }, { "name": "doctrine/annotations", "version": "1.10.3", 
@@ -2330,6 +2386,73 @@ ], "time": "2020-05-22T08:12:19+00:00" }, + { + "name": "nelmio/security-bundle", + "version": "v2.9.1", + "source": { + "type": "git", + "url": "https://github.com/nelmio/NelmioSecurityBundle.git", + "reference": "89ac385b28496691bfa7eef24d60aec9f20021a1" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/nelmio/NelmioSecurityBundle/zipball/89ac385b28496691bfa7eef24d60aec9f20021a1", + "reference": "89ac385b28496691bfa7eef24d60aec9f20021a1", + "shasum": "" + }, + "require": { + "paragonie/random_compat": "~1.0|~2.0|9.99.99", + "php": ">5.4", + "symfony/framework-bundle": "~2.3|~v3.0|~4.0|~5.0", + "symfony/security-core": "~2.3|~3.0|~4.0|~5.0", + "symfony/security-csrf": "~2.3|~3.0|~4.0|~5.0", + "symfony/security-http": "~2.3|~3.0|~4.0|~5.0", + "ua-parser/uap-php": "^3.4.4" + }, + "require-dev": { + "doctrine/cache": "^1.0", + "psr/cache": "^1.0", + "symfony/phpunit-bridge": "^5.0.5", + "symfony/yaml": "~2.3|~3.0|~4.0|~5.0", + "twig/twig": "^1.38|^2.10|^3.0" + }, + "suggest": { + "ua-parser/uap-php": "To allow adapt CSP directives given the user-agent" + }, + "type": "symfony-bundle", + "extra": { + "branch-alias": { + "dev-master": "2.9.x-dev" + } + }, + "autoload": { + "psr-4": { + "Nelmio\\SecurityBundle\\": "" + }, + "exclude-from-classmap": [ + "/Tests/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Nelmio", + "homepage": "http://nelm.io" + }, + { + "name": "Symfony Community", + "homepage": "https://github.com/nelmio/NelmioSecurityBundle/contributors" + } + ], + "description": "Extra security-related features for Symfony: signed/encrypted cookies, HTTPS/SSL/HSTS handling, cookie session storage, ...", + "keywords": [ + "security" + ], + "time": "2020-05-11T08:12:17+00:00" + }, { "name": "nikic/php-parser", "version": "v4.5.0", 
@@ -9639,6 +9762,63 @@ ], "time": "2020-02-11T15:33:47+00:00" }, + { + "name": "ua-parser/uap-php", + "version": "v3.9.8", + "source": { + "type": "git", + "url": "https://github.com/ua-parser/uap-php.git", + "reference": "fde0bd76ebd21cebfabc90a3a0d927754cb4f739" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/ua-parser/uap-php/zipball/fde0bd76ebd21cebfabc90a3a0d927754cb4f739", + "reference": "fde0bd76ebd21cebfabc90a3a0d927754cb4f739", + "shasum": "" + }, + "require": { + "composer/ca-bundle": "^1.1", + "php": "^7.2" + }, + "require-dev": { + "phpunit/phpunit": "^7 || ^8 || ^9", + "symfony/console": "^3.4 || ^4.3 || ^5.0", + "symfony/filesystem": "^3.4 || ^4.3 || ^5.0", + "symfony/finder": "^3.4 || ^4.3 || ^5.0", + "symfony/yaml": "^3.4 || ^4.3 || ^5.0" + }, + "suggest": { + "symfony/console": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0", + "symfony/filesystem": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0", + "symfony/finder": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0", + "symfony/yaml": "Required for CLI usage - ^3.4 || ^4.3 || ^5.0" + }, + "bin": [ + "bin/uaparser" + ], + "type": "library", + "autoload": { + "psr-4": { + "UAParser\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Dave Olsen", + "email": "dmolsen@gmail.com" + }, + { + "name": "Lars Strojny", + "email": "lars@strojny.net" + } + ], + "description": "A multi-language port of Browserscope's user agent parser.", + "time": "2020-04-28T08:09:42+00:00" + }, { "name": "webmozart/assert", "version": "1.8.0", diff --git a/config/bundles.php b/config/bundles.php index 7cdfba52..d88c4a6e 100644 --- a/config/bundles.php +++ b/config/bundles.php 
@@ -25,4 +25,5 @@ return [
 Translation\Bundle\TranslationBundle::class => ['all' => true],
 Symplify\ParameterNameGuard\ParameterNameGuardBundle::class => ['dev' => true, 'test' => true],
 Florianv\SwapBundle\FlorianvSwapBundle::class => ['all' => true],
+ Nelmio\SecurityBundle\NelmioSecurityBundle::class => ['all' => true],
 ];
diff --git a/config/packages/nelmio_security.yaml b/config/packages/nelmio_security.yaml
new file mode 100644
index 00000000..f9b5cd32
--- /dev/null
+++ b/config/packages/nelmio_security.yaml
@@ -0,0 +1,31 @@
+nelmio_security:
+ # prevents framing of the entire site
+ clickjacking:
+ paths:
+ '^/.*': SAMEORIGIN
+
+ # disables content type sniffing for script resources
+ content_type:
+ nosniff: true
+
+ # prevents redirections outside the website's domain
+ external_redirects:
+ abort: true
+ log: true
+
+ # forces Microsoft's XSS-Protection with
+ # its block mode
+ xss_protection:
+ enabled: true
+ mode_block: true
+
+ # Send a full URL in the `Referer` header when performing a same-origin request,
+ # only send the origin of the document to secure destination (HTTPS->HTTPS),
+ # and send no header to a less secure destination (HTTPS->HTTP).
+ # If `strict-origin-when-cross-origin` is not supported, use `no-referrer` policy,
+ # no referrer information is sent along with requests.
+ referrer_policy:
+ enabled: true
+ policies:
+ - 'no-referrer'
+ - 'strict-origin-when-cross-origin'
diff --git a/symfony.lock b/symfony.lock
index cd596e81..1145bb6e 100644
--- a/symfony.lock
+++ b/symfony.lock
@@ -14,6 +14,9 @@
 "brick/math": { "version": "0.8.15" }, + "composer/ca-bundle": { + "version": "1.2.7" + }, "composer/semver": { "version": "1.5.0" },
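Review bot: The `xss_protection` block sends `X-XSS-Protection: 1; mode=block`, a legacy header that Chromium-based browsers no longer implement and whose filter mode has itself been abused for cross-site information leaks, so for current clients it adds nothing and the usual advice is to send `X-XSS-Protection: 0` or omit it; real XSS mitigation would come from a Content-Security-Policy, which this file does not configure. Consider replacing that block with a `csp:` section, ideally in the bundle's report-only mode first so an existing app is not broken by a strict policy, and — if the site is served only over HTTPS — a `forced_ssl` section with `hsts_max_age`, since HSTS is not set anywhere in this commit. Also be aware that `external_redirects: abort: true` turns every redirect to an external URL into an exception, including any legitimate one the app may have (a login return-to or outbound-link handler, if present); the bundle's allow-list option is the place to carve those out rather than turning the check off. The referrer-policy ordering is correct as the comment says: browsers apply the last policy they recognise, so `no-referrer` only acts as the fallback.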
@@ -214,6 +217,18 @@ "monolog/monolog": { "version": "1.24.0" }, + "nelmio/security-bundle": { + "version": "2.4", + "recipe": { + "repo": "github.com/symfony/recipes", + "branch": "master", + "version": "2.4", + "ref": "65726efb67ff51d89de38195bc0d230fa811f64d" + }, + "files": [ + "./config/packages/nelmio_security.yaml" + ] + }, "netresearch/jsonmapper": { "version": "v1.6.0" }, @@ -915,6 +930,9 @@ "twig/twig": { "version": "v2.6.2" }, + "ua-parser/uap-php": { + "version": "v3.9.8" + }, "vimeo/psalm": { "version": "3.5.1" },