GitHub Repository: pterodactyl/panel
Path: blob/1.0-develop/app/Http/Middleware/SetSecurityHeaders.php
<?php
namespace Pterodactyl\Http\Middleware;
use Illuminate\Http\Request;
class SetSecurityHeaders
{
    /**
     * Default hardening headers applied to every response that does not already
     * carry a header of the same name.
     *
     * Only the legacy, universally-supported headers are emitted. A real
     * Content-Security-Policy (whose frame-ancestors directive supersedes
     * X-Frame-Options) is deliberately left out: it would break installs that rely on
     * custom plugins or arbitrary image embeds, and should only be introduced once the
     * admin can tune it for those cases.
     *
     * NOTE(review): X-XSS-Protection is a deprecated header — current Chromium-based
     * browsers reportedly ignore it and Firefox never implemented it — and OWASP now
     * advises sending "0" (or omitting it) because the legacy filter could be abused
     * for cross-site leaks. Likewise "no-referrer-when-downgrade" still sends the full
     * URL (path and query) to cross-origin HTTPS destinations, whereas
     * "strict-origin-when-cross-origin" is the modern browser default. Both values are
     * kept unchanged here so behaviour is identical; they are worth revisiting.
     */
    private static array $headers = [
        'X-Frame-Options' => 'DENY',
        'X-Content-Type-Options' => 'nosniff',
        'X-XSS-Protection' => '1; mode=block',
        'Referrer-Policy' => 'no-referrer-when-downgrade',
    ];

    /**
     * Attach the default security headers to the outgoing response.
     *
     * A header is only added when the response does not already have one by that
     * name, so a controller or an earlier middleware may override — and, be aware,
     * weaken or remove — any of them for a specific route. Presumably the header bag
     * normalises names, so a lower-cased "x-frame-options" set elsewhere also counts
     * as present; verify against the framework version in use. Nothing here emits
     * HSTS or CSP, so those must be configured at the web server or elsewhere.
     *
     * @param (\Closure(mixed): \Illuminate\Http\Response) $next
     */
    public function handle(Request $request, \Closure $next): mixed
    {
        $response = $next($request);
        $bag = $response->headers;

        foreach (static::$headers as $name => $default) {
            if ($bag->has($name)) {
                // Respect whatever was set further down the stack.
                continue;
            }

            $bag->set($name, $default);
        }

        return $response;
    }
}