initial commit

Author: Lars Schröder

KielCodingSecurityHeaders.php

@@ -0,0 +1,38 @@
+<?php
+
+namespace KielCodingSecurityHeaders;
+
+use Shopware\Components\Plugin;
+use Shopware\Components\Plugin\Context\ActivateContext;
+use Shopware\Components\Plugin\Context\DeactivateContext;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+class KielCodingSecurityHeaders extends Plugin
+{
+    /**
+     * @param ActivateContext $context
+     */
+    public function activate(ActivateContext $context)
+    {
+        $context->scheduleClearCache(ActivateContext::CACHE_LIST_FRONTEND);
+    }
+
+    /**
+     * @param DeactivateContext $context
+     */
+    public function deactivate(DeactivateContext $context)
+    {
+        $context->scheduleClearCache(DeactivateContext::CACHE_LIST_FRONTEND);
+    }
+
+    /**
+     * @param ContainerBuilder $container
+     */
+    public function build(ContainerBuilder $container)
+    {
+        $container->setParameter($this->getContainerPrefix() . '.plugin_dir', $this->getPath());
+        $container->setParameter($this->getContainerPrefix() . '.plugin_name', $this->getName());
+
+        parent::build($container);
+    }
+}

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) Lars Schröder
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,25 @@
+# Security Headers
+
+## Description
+Add security headers to Shopware installations.  
+Required Minimum Shopware Version: 5.2
+
+## Installation
+
+### Release Version
+
+* Download the [latest plugin version](https://github.com/kielcoding/KielCodingSecurityHeaders/releases/latest/) (e.g. `KielCodingSecurityHeaders-1.0.0.zip`).
+* Upload and install the plugin using Shopware Plugin Manager.
+
+### Git Version
+* Checkout Plugin in `/custom/plugins/KielCodingSecurityHeaders`.
+* Install the plugin using the Shopware Plugin Manager.
+
+## Usage
+* Activate the plugin and enable the security headers you want to be added to your shop.
+* Modify the default values of the security headers if needed.
+* Add additional custom headers you want to add to your shop.
+* You can verify the security headers with online security checks, e.g. [securityheaders.io](https://securityheaders.io/).
+
+## Licence
+

Resources/config.xml

@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="utf-8"?>
+<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="../../../../engine/Shopware/Components/Plugin/schema/config.xsd">
+    <elements>
+
+        <element type="boolean">
+            <name>strictTransportSecurityEnabled</name>
+            <label>Enable Strict-Transport-Security</label>
+            <label lang="de">Strict-Transport-Security aktivieren</label>
+            <value>true</value>
+        </element>
+        <element type="boolean">
+            <name>xFrameOptionsEnabled</name>
+            <label>Enable X-Frame-Options</label>
+            <label lang="de">X-Frame-Options aktivieren</label>
+            <value>true</value>
+        </element>
+        <element type="boolean">
+            <name>xXssProtectionEnabled</name>
+            <label>Enable X-XSS-Protection</label>
+            <label lang="de">X-XSS-Protection aktivieren</label>
+            <value>true</value>
+        </element>
+        <element type="boolean">
+            <name>xContentTypeOptionsEnabled</name>
+            <label>Enable X-Content-Type-Options</label>
+            <label lang="de">X-Content-Type-Options aktivieren</label>
+            <value>true</value>
+        </element>
+        <element type="boolean">
+            <name>referrerPolicyEnabled</name>
+            <label>Enable Referrer-Policy</label>
+            <label lang="de">Referrer-Policy aktivieren</label>
+            <value>true</value>
+        </element>
+        <element type="boolean">
+            <name>contentSecurityPolicyEnabled</name>
+            <label>Enable Content-Security-Policy</label>
+            <label lang="de">Content-Security-Policy aktivieren</label>
+            <value>true</value>
+        </element>
+        <element type="boolean">
+            <name>xPoweredByDisabled</name>
+            <label>Disable X-Powered-By</label>
+            <label lang="de">X-Powered-By deaktivieren</label>
+            <value>true</value>
+        </element>
+
+        <element>
+            <name>strictTransportSecurity</name>
+            <label>Strict-Transport-Security</label>
+            <value>max-age=31536000; includeSubDomains</value>
+        </element>
+        <element>
+            <name>xFrameOptions</name>
+            <label>X-Frame-Options</label>
+            <value>SAMEORIGIN</value>
+        </element>
+        <element>
+            <name>xXssProtection</name>
+            <label>X-XSS-Protection</label>
+            <value>1; mode=block</value>
+        </element>
+        <element>
+            <name>xContentTypeOptions</name>
+            <label>X-Content-Type-Options</label>
+            <value>nosniff</value>
+        </element>
+        <element>
+            <name>referrerPolicy</name>
+            <label>Referrer-Policy</label>
+            <value>no-referrer</value>
+        </element>
+        <element>
+            <name>contentSecurityPolicy</name>
+            <label>Content-Security-Policy</label>
+            <value>default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval' data:; style-src https: 'unsafe-inline'; font-src https: data:</value>
+        </element>
+        <element type="textarea">
+            <name>customHeaders</name>
+            <label>Custom Headers</label>
+            <label lang="de">Eigene Headers</label>
+            <description>E.g. X-Powered-By: My Company Name</description>
+            <description lang="de">Z.B. X-Powered-By: Mein Firmenname</description>
+        </element>
+    </elements>
+</config>

Resources/services.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+<container xmlns="http://symfony.com/schema/dic/services"
+           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+           xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+    <services>
+        <service id="kiel_coding_trusted_shops_reviews.subscriber.frontend" class="KielCodingSecurityHeaders\Subscriber\Frontend">
+            <argument type="service" id="service_container" />
+            <tag name="shopware.event_subscriber" />
+        </service>
+    </services>
+</container>

Subscriber/Frontend.php

@@ -0,0 +1,141 @@
+<?php
+
+namespace KielCodingSecurityHeaders\Subscriber;
+
+use Enlight\Event\SubscriberInterface;
+use Shopware\Models\Shop\DetachedShop;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+
+class Frontend implements SubscriberInterface
+{
+    /**
+     * @var ContainerInterface
+     */
+    private $container;
+
+    /**
+     * @var
+     */
+    private $config;
+
+    /**
+     * @param ContainerInterface $container
+     */
+    public function __construct(ContainerInterface $container)
+    {
+        $this->container = $container;
+        $this->config = $this->getPluginConfig();
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public static function getSubscribedEvents()
+    {
+        return [
+            'Enlight_Controller_Action_PostDispatchSecure_Frontend_Index' => 'onPostDispatch',
+        ];
+    }
+
+    /**
+     * @param \Enlight_Controller_ActionEventArgs $args
+     */
+    public function onPostDispatch(\Enlight_Controller_ActionEventArgs $args)
+    {
+        $response = $args->getResponse();
+
+        $this->setSecurityHeaders($response);
+        $this->setCustomHeaders($response);
+        $this->removeInsecureHeaders($response);
+    }
+
+    /**
+     * @param \Enlight_Controller_Response_ResponseHttp $response
+     */
+    private function setSecurityHeaders(\Enlight_Controller_Response_ResponseHttp $response)
+    {
+        if ($this->config['strictTransportSecurityEnabled']) {
+            $response->setHeader('Strict-Transport-Security', $this->config['strictTransportSecurity']);
+        }
+        if ($this->config['xFrameOptionsEnabled']) {
+            $response->setHeader('X-Frame-Options', $this->config['xFrameOptions']);
+        }
+        if ($this->config['xXssProtectionEnabled']) {
+            $response->setHeader('X-XSS-Protection', $this->config['xXssProtection']);
+        }
+        if ($this->config['xContentTypeOptionsEnabled']) {
+            $response->setHeader('X-Content-Type-Options', $this->config['xContentTypeOptions']);
+        }
+        if ($this->config['referrerPolicyEnabled']) {
+            $response->setHeader('Referrer-Policy', $this->config['referrerPolicy']);
+        }
+        if ($this->config['contentSecurityPolicyEnabled'] && $this->isSecure()) {
+            if ($this->config['contentSecurityPolicyDebug']) {
+                $response->setHeader('Content-Security-Policy', $this->config['contentSecurityPolicy']);
+            } else {
+                $response->setHeader('Content-Security-Policy-Report-Only', $this->config['contentSecurityPolicy']);
+            }
+        }
+    }
+
+    /**
+     * @param \Enlight_Controller_Response_ResponseHttp $response
+     */
+    private function setCustomHeaders(\Enlight_Controller_Response_ResponseHttp $response)
+    {
+        foreach ($this->getCustomHeaders() as $header => $value) {
+            $response->setHeader($header, $value);
+        }
+    }
+
+    /**
+     * @param \Enlight_Controller_Response_ResponseHttp $response
+     */
+    private function removeInsecureHeaders(\Enlight_Controller_Response_ResponseHttp $response)
+    {
+        if ($this->config['xPoweredByDisabled']) {
+            @ini_set('expose_php', 'off');
+        }
+    }
+
+    /**
+     * @return array
+     */
+    private function getCustomHeaders()
+    {
+        if (empty($this->config['customHeaders'])) {
+            return [];
+        }
+
+        $headers = explode('\n', $this->config['customHeaders']);
+
+        $headersFormatted = [];
+        foreach ($headers as $header) {
+            $headerParts = explode(':', $header);
+            $headersFormatted[$headerParts[0]] = $headerParts[1];
+        }
+
+        return $headersFormatted;
+    }
+
+    /**
+     * @return array
+     */
+    private function getPluginConfig()
+    {
+        $pluginName = $this->container->getParameter('kiel_coding_security_headers.plugin_name');
+
+        return $this->container->get('shopware.plugin.cached_config_reader')->getByPluginName($pluginName);
+    }
+
+    /**
+     * @return bool
+     */
+    private function isSecure()
+    {
+        /** @var DetachedShop $shop */
+        $shop = $this->container->get('shop');
+
+        return $shop->getSecure();
+    }
+}

plugin.png

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="../../../engine/Shopware/Components/Plugin/schema/plugin.xsd">
+    <label>Security Headers</label>
+    <version>1.0.0</version>
+
+    <author>Kiel Coding</author>
+    <copyright>(c) by Kiel Coding</copyright>
+    <link>https://kielcoding.de</link>
+    <license>proprietary</license>
+    <compatibility minVersion="5.2.0" />
+
+    <changelog version="1.0.0">
+        <changes>Initial Release</changes>
+        <changes lang="de">Erste Veröffentlichung</changes>
+    </changelog>
+</plugin>