
Commit 9cabfc5

committed
🔒 Add treblle security headers middleware on graphql skeleton
1 parent 90d5f04 commit 9cabfc5


8 files changed

+148
-9
lines changed


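--- a/projects/default-graphql/README.md
+++ b/projects/default-graphql/README.md
@@ -1,5 +1,3 @@
-<img src="/art/graphql.png" alt="Laravel API Skeleton" align="center">
-
 # Laravel API Skeleton - Example
 This project is a skeleton for building an API with Laravel and GraphQL. It is the simplest skeleton and contains only the basic files and dependencies
 to start building your API with GraphQL.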
@@ -0,0 +1,26 @@
1+
<?php
2+
3+
declare(strict_types=1);
4+
5+
namespace App\Http\Middleware\Security;
6+
7+
use Closure;
8+
use Illuminate\Http\Request;
9+
use Symfony\Component\HttpFoundation\Response;
10+
11+
final class XFrameOptionMiddleware
12+
{
13+
public function handle(Request $request, Closure $next): Response
14+
{
15+
/**
16+
* @var Response $response
17+
*/
18+
$response = $next($request);
19+
20+
$response->headers->add([
21+
'X-Frame-Options' => 'deny',
22+
]);
23+
24+
return $response;
25+
}
26+
}
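Review bot: The `'deny'` value is hard-coded inside the middleware, whereas every other header introduced by this commit is driven from a config file, so this is the one policy that cannot be tuned per environment; sourcing it from the same config (something like `'X-Frame-Options' => config('<config-file>.x-frame-options', 'deny')`, with the real key substituted) would keep the header policy in one place. Whether the treblle package already ships a frame-options middleware that would make this class redundant is not visible on this page. X-Frame-Options is also only the legacy clickjacking control and does not replace `Content-Security-Policy: frame-ancestors 'none'`, which no middleware in this commit sets. The class carries no docblock now that the stub's "Handle an incoming request." block is removed in the same commit; a one-liner such as `/** Forbids embedding of any response in a frame (X-Frame-Options: deny). */` above the class would do.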

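--- a/projects/default-graphql/composer.json
+++ b/projects/default-graphql/composer.json
@@ -22,7 +22,8 @@
 "laravel/tinker": "^2.8.1",
 "mll-lab/laravel-graphiql": "^3.0",
 "nuwave/lighthouse": "^6.12",
-"timacdonald/json-api": "v1.0.0-beta.4"
+"timacdonald/json-api": "v1.0.0-beta.4",
+"treblle/security-headers": "^0.0.3"
 },
 "require-dev": {
 "fakerphp/faker": "^1.21.0",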
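Review bot: `"treblle/security-headers": "^0.0.3"` resolves to `>=0.0.3 <0.0.4` under Composer's caret rules for 0.0.x versions, so it is effectively an exact pin on a pre-1.0 package; that is a defensible supply-chain choice for code that rewrites every response, but fixes released as 0.0.4 or later will never arrive through `composer update` until the constraint is edited, so confirm that is intended and note it in the commit. The composer.lock hunk is not rendered on this page, so the resolved version and dist hash of the new package cannot be reviewed here; check them in the lock before merging.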

projects/default-graphql/composer.lock

+65-1
@@ -0,0 +1,22 @@
1+
<?php
2+
3+
declare(strict_types=1);
4+
5+
return [
6+
'remove' => [
7+
'X-Powered-By',
8+
'x-powered-by',
9+
'Server',
10+
'server',
11+
],
12+
13+
'referrer-policy' => 'no-referrer-when-downgrade',
14+
15+
'strict-transport-security' => 'max-age=31536000; includeSubDomains',
16+
17+
'certificate-transparency' => 'enforce, max-age=30',
18+
19+
'permissions-policy' => 'autoplay=(self), camera=(), encrypted-media=(self), fullscreen=(), geolocation=(self), gyroscope=(self), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(self), usb=()',
20+
21+
'content-type-options' => 'nosniff',
22+
];
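Review bot: `'referrer-policy' => 'no-referrer-when-downgrade'` is the weakest of the usual values — it is what browsers applied by default before switching to `strict-origin-when-cross-origin` — so it adds almost nothing for an API that never needs a referrer; `'referrer-policy' => 'strict-origin-when-cross-origin',` (or `'no-referrer'`) is the stricter choice. `includeSubDomains` on the HSTS entry commits every subdomain of the serving host to HTTPS, which is right for a hardened deployment but deserves a comment in the file, since any subdomain still served over plain HTTP stops working in browsers that have seen the header. The `certificate-transparency` entry appears to emit the Expect-CT header, which as far as I know is deprecated and ignored by current browsers, so it is harmless but may be dead weight. This file's path is not shown on the page, so which config name the middleware reads these keys under cannot be checked here.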

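--- a/projects/default-graphql/core/Http/Kernel.php
+++ b/projects/default-graphql/core/Http/Kernel.php
@@ -8,6 +8,7 @@
 use App\Http\Middleware\EnsureEmailIsVerified;
 use App\Http\Middleware\ContentTypeMiddleware;
 use App\Http\Middleware\PreventRequestsDuringMaintenance;
+use App\Http\Middleware\Security\XFrameOptionMiddleware;
 use App\Http\Middleware\TrimStrings;
 use App\Http\Middleware\TrustProxies;
 use App\Http\Middleware\ValidateSignature;
@@ -20,6 +21,12 @@
 use Illuminate\Http\Middleware\HandleCors;
 use Illuminate\Http\Middleware\SetCacheHeaders;
 use Illuminate\Routing\Middleware\ThrottleRequests;
+use Treblle\SecurityHeaders\Http\Middleware\CertificateTransparencyPolicy;
+use Treblle\SecurityHeaders\Http\Middleware\ContentTypeOptions;
+use Treblle\SecurityHeaders\Http\Middleware\PermissionsPolicy;
+use Treblle\SecurityHeaders\Http\Middleware\RemoveHeaders;
+use Treblle\SecurityHeaders\Http\Middleware\SetReferrerPolicy;
+use Treblle\SecurityHeaders\Http\Middleware\StrictTransportSecurity;
 
 final class Kernel extends HttpKernel
 {
@@ -39,6 +46,13 @@ final class Kernel extends HttpKernel
 ThrottleRequests::class.':api',
 ContentTypeMiddleware::class,
 CacheHeaders::class,
+RemoveHeaders::class,
+StrictTransportSecurity::class,
+SetReferrerPolicy::class,
+PermissionsPolicy::class,
+ContentTypeOptions::class,
+CertificateTransparencyPolicy::class,
+XFrameOptionMiddleware::class,
 ],
 ];
 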
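Review bot: The seven header middlewares are appended to the group that already holds `ThrottleRequests::class.':api'`, which looks like the `api` group (its key is above this hunk), so responses served outside that group — for instance the GraphiQL UI from `mll-lab/laravel-graphiql`, if it is registered through the `web` group or without a group — would receive none of HSTS, X-Frame-Options or the other headers, and that UI is exactly where frame embedding matters. If the goal is skeleton-wide hardening, register them in the global `$middleware` stack instead, or additionally in the `web` group. The `$middlewareGroups` property starts above this hunk.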

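--- a/projects/default-graphql/stubs/middleware.stub
+++ b/projects/default-graphql/stubs/middleware.stub
@@ -10,11 +10,6 @@ use Symfony\Component\HttpFoundation\Response;
 
 final class {{ class }}
 {
-/**
-* Handle an incoming request.
-*
-* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
-*/
 public function handle(Request $request, Closure $next): Response
 {
 return $next($request);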

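--- a/skeleton/stubs/README.stub
+++ b/skeleton/stubs/README.stub
@@ -48,6 +48,25 @@ and you'll need to do another compose install to install the Laravel project's d
 ./skeleton/bin/project use {skeleton-name}
 ```
 
+## Autoload
+When you use a skeleton, it will overwrite the default root composer.json file and the commands for generating the project will no longer be available. To fix this, you need to autoload the skeleton folder using psr-4. Like this:
+
+```json
+{
+"autoload": {
+"psr-4": {
+"App\\": "app/",
+"Core\\": "core/",
+"Skeleton\\": "skeleton/",
+"Database\\Factories\\": "database/factories/",
+"Database\\Seeders\\": "database/seeders/"
+}
+}
+}
+```
+
+**Tip: don't forget to run composer dump-autoload afterward.**
+
 Once you have built your skeleton and are satisfied with your work, you can generate a project and all the modifications you have made will be added only to the skeleton you have created.
 
 ```bash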
