From ce1692eaf422dc3603273630346d4ea8e85a530a Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Sun, 17 Nov 2024 20:39:27 +0100
Subject: [PATCH] Add Content Security Policy
---
 .env.example | 8 +++++
 app/Http/Controllers/SinglePageController.php | 3 ++
 .../AddContentSecurityPolicyHeaders.php | 29 +++++++++++++++++++
 config/2fauth.php | 1 +
 resources/views/landing.blade.php | 2 +-
 routes/web.php | 3 +-
 6 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 app/Http/Middleware/AddContentSecurityPolicyHeaders.php
diff --git a/.env.example b/.env.example
index a7168a67..3affa391 100644
--- a/.env.example
+++ b/.env.example
@@ -274,6 +274,14 @@ TRUSTED_PROXIES=null
 PROXY_FOR_OUTGOING_REQUESTS=null
+# Set this to true to enable Content-Security-Policy (CSP).
+# CSP helps to prevent or minimize the risk of certain types of security threats.
+# This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
+# an attacker is able to inject malicious code into the web app
+
+CONTENT_SECURITY_POLICY=true
+
+
 # Leave the following configuration vars as is.
 # Unless you like to tinker and know what you're doing.
diff --git a/app/Http/Controllers/SinglePageController.php b/app/Http/Controllers/SinglePageController.php
index b1c4d01d..a5b92094 100644
--- a/app/Http/Controllers/SinglePageController.php
+++ b/app/Http/Controllers/SinglePageController.php
@@ -6,6 +6,7 @@ use App\Facades\Settings;
 use Illuminate\Support\Facades\App;
 use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Vite;
 class SinglePageController extends Controller
 {
@@ -32,6 +33,7 @@ public function index()
 $installDocUrl = config('2fauth.installDocUrl');
 $ssoDocUrl = config('2fauth.ssoDocUrl');
 $exportSchemaUrl = config('2fauth.exportSchemaUrl');
+ $cspNonce = Vite::cspNonce();
 // if (Auth::user()->preferences)
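Review bot: `$cspNonce = Vite::cspNonce();` only reads a nonce, it never creates one: as far as I recall the Vite facade returns the nonce registered earlier in the request by `Vite::useCspNonce()`, or null when none was registered, so the value handed to the view depends on the CSP middleware having run first, which is not visible in this patch. If the route is ever served without that middleware, or CSP is switched off, the view receives null and a `nonce="{{ $cspNonce }}"` attribute renders empty; harmless when no policy is sent, but the dependency deserves a comment on the line, e.g. `// Per-request nonce registered by the CSP middleware; null when no policy is active.`. The enclosing index() starts before and ends after this hunk.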
@@ -57,6 +59,7 @@ public function index()
 'isTestingApp' => $isTestingApp,
 'lang' => $lang,
 'locales' => $locales,
+ 'cspNonce' => $cspNonce,
 ]);
 }
 }
diff --git a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
new file mode 100644
index 00000000..022a1001
--- /dev/null
+++ b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
@@ -0,0 +1,29 @@
+withHeaders([
+ 'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';base-uri 'none';",
+ ]);
+ }
+
+ return $next($request);
+ }
+}
diff --git a/config/2fauth.php b/config/2fauth.php
index 8aae6fce..16228fa2 100644
--- a/config/2fauth.php
+++ b/config/2fauth.php
@@ -31,6 +31,7 @@
 'proxyLogoutUrl' => env('PROXY_LOGOUT_URL', null),
 'appSubdirectory' => env('APP_SUBDIRECTORY', ''),
 'authLogRetentionTime' => envUnlessEmpty('AUTHENTICATION_LOG_RETENTION', 365),
+ 'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', true),
 ],
 /*
diff --git a/resources/views/landing.blade.php b/resources/views/landing.blade.php
index cf733413..be516c0b 100644
--- a/resources/views/landing.blade.php
+++ b/resources/views/landing.blade.php
@@ -22,7 +22,7 @@
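Review bot: The policy built on the `'Content-Security-Policy'` line of the new middleware has no `default-src`, so every fetch directive it does not name (`font-src`, `frame-src`, `worker-src`, `manifest-src`, `media-src`) and the navigation directives `form-action` and `frame-ancestors` stay unrestricted; prefixing the value with `default-src 'self';` makes the unlisted ones fall back to same-origin, and `frame-ancestors 'none';` is worth appending if the app is never meant to be embedded in another site. `style-src 'unsafe-inline'` is a deliberate weakening; if the front-end framework needs it, a comment on the line should say so, e.g. `// 'unsafe-inline' on styles: needed for runtime-injected component styles`, otherwise it should go. The hunk's text is truncated before `withHeaders([`, so the part of the middleware (presumably handle()) that should call `Vite::useCspNonce()` before `$next($request)` is not visible; if that call is absent, `Vite::cspNonce()` here is null and the header degrades to `script-src 'nonce-'`, which blocks every script on the page, so a test asserting the header contains a non-empty nonce would catch it. Any service worker or PWA manifest the app ships is governed by `worker-src`/`manifest-src`, which this policy leaves open, so those should be verified together with the `default-src` addition.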
-