From 86ff1ea65e7ab86c762423ab0e6a0a6a53d69896 Mon Sep 17 00:00:00 2001
From: Greg Bowler <greg.bowler@g105b.com>
Date: Tue, 23 Jul 2019 21:23:30 +0100
Subject: [PATCH] Send security headers by default, closes #279

---
 config.default.ini |  3 +++
 src/Lifecycle.php  | 14 ++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/config.default.ini b/config.default.ini
index e76c8b6c..013c4cdb 100644
--- a/config.default.ini
+++ b/config.default.ini
@@ -17,3 +17,6 @@ query_directory=query
 migration_path=_migration
 migration_table=_migration
 query_path=query
+
+[security]
+default_headers="X-Content-Type-Options: nosniff; X-Frame-Options: deny; Content-Security-Policy: default-src 'none'"
\ No newline at end of file
diff --git a/src/Lifecycle.php b/src/Lifecycle.php
index a3dc8a15..328c8b15 100644
--- a/src/Lifecycle.php
+++ b/src/Lifecycle.php
@@ -56,6 +56,8 @@ public function start():void {
 			])
 		);
 
+		$this->defaultSecurityHeaders($config->get("security.default_headers"));
+
 		$input = new Input($_GET, $_POST, $_FILES);
 		$cookie = new CookieHandler($_COOKIE);
 
@@ -123,6 +125,18 @@ public function start():void {
 		$this->finish($response);
 	}
 
+	/**
+	 * Set some sensible security headers by default. These can be
+	 * overridden/disabled in the project's config.ini, but it makes sense
+	 * to supply them by default in order to protect user applications
+	 * without the explicit need for security configuration.
+	 */
+	public function defaultSecurityHeaders(string $headersString) {
+		foreach(explode(";", $headersString) as $header) {
+			header(trim($header));
+		}
+	}
+
 	/**
 	 * By default, PHP passes all sensitive user information around in global variables,
 	 * available for reading and modification in any code, including third party libraries.