Config variable for HSTS

.env.example

@@ -71,6 +71,7 @@ ALLOW_IFRAMING=false
 REFERRER_POLICY=same-origin
 ENABLE_CSP=false
 CORS_ALLOWED_ORIGINS=null
+ENABLE_HSTS=false
 
 # --------------------------------------------
 # OPTIONAL: CACHE SETTINGS

app/Http/Middleware/SecurityHeaders.php

@@ -24,24 +24,39 @@ public function handle($request, Closure $next)
     {
         $this->removeUnwantedHeaders($this->unwantedHeaderList);
         $response = $next($request);
+
         $response->headers->set('Referrer-Policy', config('app.referrer_policy'));
         $response->headers->set('X-Content-Type-Options', 'nosniff');
         $response->headers->set('X-XSS-Protection', '1; mode=block');
-        $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+        $response->headers->set('Feature-Policy', 'self');
 
         if (config('app.allow_iframing') == false) {
             $response->headers->set('X-Frame-Options', 'DENY');
         }
 
-        $policy[] = "default-src 'self'";
-        $policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
-        $policy[] = "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdnjs.cloudflare.com";
-        $policy[] = "connect-src 'self'";
-        $policy[] = "object-src 'none'";
-        $policy[] = "font-src 'self' data:";
-        $policy[] = "img-src 'self' data: gravatar.com";
-        $policy = join(';', $policy);
-        $response->headers->set('Content-Security-Policy', $policy);
+
+        // This defaults to false to maintain backwards compatibility
+        // people who are not running Snipe-IT over TLS (shame, shame, shame!)
+        // Seriously though, please run Snipe-IT over TLS. Let's Encrypt is free.
+        // https://letsencrypt.org
+
+        if (config('app.enable_hsts') === true) {
+            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+        }
+
+        // We have to exclude debug mode here because debugbar pulls from a CDN or two
+        // and it will break things.
+        if ((config('app.debug')!='true')  || (config('app.enable_csp')=='true')) {
+            $policy[] = "default-src 'self'";
+            $policy[] = "style-src 'self' 'unsafe-inline'";
+            $policy[] = "script-src 'self' 'unsafe-inline'";
+            $policy[] = "connect-src 'self'";
+            $policy[] = "object-src 'none'";
+            $policy[] = "font-src 'self' data:";
+            $policy[] = "img-src 'self' data: gravatar.com";
+            $policy = join(';', $policy);
+            $response->headers->set('Content-Security-Policy', $policy);
+        }
 
         return $response;
     }

config/app.php

@@ -196,19 +196,33 @@
     'private_uploads' => storage_path().'/private_uploads',
 
 
+    /*
+   |--------------------------------------------------------------------------
+   | ALLOW I-FRAMING
+   |--------------------------------------------------------------------------
+   |
+   | Normal users will never need to edit this. This option lets you run
+   | Snipe-IT within an I-Frame, which is normally disabled by default for
+   | security reasons, to prevent clickjacking. It should normally be set to false.
+   |
+   */
+
+    'allow_iframing' => env('ALLOW_IFRAMING', false),
+
+
     /*
     |--------------------------------------------------------------------------
-    | ALLOW I-FRAMING
+    | ENABLE HTTP Strict Transport Security (HSTS)
     |--------------------------------------------------------------------------
     |
-    | Normal users will never need to edit this. This option lets you run
-    | Snipe-IT within an I-Frame, which is normally disabled by default for
-    | security reasons, to prevent clickjacking. It should normally be set to false.
+    | This is set to default false for backwards compatibilty but should be
+    | set to true if the hosting environment allows it.
+    |
+    | See https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
     |
     */
 
-    'allow_iframing' => env('ALLOW_IFRAMING', false),
-
+    'enable_hsts' => env('ENABLE_HSTS', false),
 
     /*
     |--------------------------------------------------------------------------