Merge pull request #2 from laravelcm/security-api

Security api

Author: mckenziearts

README.md

@@ -48,6 +48,25 @@ and you'll need to do another compose install to install the Laravel project's d
 ./skeleton/bin/project use {skeleton-name}
 ```
 
+## Autoload 
+When you use a skeleton, it will overwrite the default root composer.json file and the commands for generating the project will no longer be available. To fix this, you need to autoload the skeleton folder using psr-4. Like this:
+
+```json
+{
+    "autoload": {
+        "psr-4": {
+            "App\\": "app/",
+            "Core\\": "core/",
+            "Skeleton\\": "skeleton/",
+            "Database\\Factories\\": "database/factories/",
+            "Database\\Seeders\\": "database/seeders/"
+        }
+    }
+}
+```
+
+**Tip: don't forget to run composer dump-autoload afterward.**
+
 Once you have built your skeleton and are satisfied with your work, you can generate a project and all the modifications you have made will be added only to the skeleton you have created.
 
 ```bash

projects/default-graphql/README.md

@@ -1,5 +1,3 @@
-<img src="/art/graphql.png" alt="Laravel API Skeleton" align="center">
-
 # Laravel API Skeleton - Example
 This project is a skeleton for building an API with Laravel and GraphQL. It is the simplest skeleton and contains only the basic files and dependencies 
 to start building your API with GraphQL.

projects/default-graphql/app/Http/Middleware/Security/XFrameOptionMiddleware.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware\Security;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class XFrameOptionMiddleware
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /**
+         * @var Response $response
+         */
+        $response = $next($request);
+
+        $response->headers->add([
+            'X-Frame-Options' => 'deny',
+        ]);
+
+        return $response;
+    }
+}

projects/default-graphql/composer.json

@@ -22,7 +22,8 @@
     "laravel/tinker": "^2.8.1",
     "mll-lab/laravel-graphiql": "^3.0",
     "nuwave/lighthouse": "^6.12",
-    "timacdonald/json-api": "v1.0.0-beta.4"
+    "timacdonald/json-api": "v1.0.0-beta.4",
+    "treblle/security-headers": "^0.0.3"
   },
   "require-dev": {
     "fakerphp/faker": "^1.21.0",

projects/default-graphql/composer.lock

@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+return [
+    'remove' => [
+        'X-Powered-By',
+        'x-powered-by',
+        'Server',
+        'server',
+    ],
+
+    'referrer-policy' => 'no-referrer-when-downgrade',
+
+    'strict-transport-security' => 'max-age=31536000; includeSubDomains',
+
+    'certificate-transparency' => 'enforce, max-age=30',
+
+    'permissions-policy' => 'autoplay=(self), camera=(), encrypted-media=(self), fullscreen=(), geolocation=(self), gyroscope=(self), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(self), usb=()',
+
+    'content-type-options' => 'nosniff',
+];

projects/default-graphql/config/headers.php

@@ -6,8 +6,9 @@
 
 use App\Http\Middleware\CacheHeaders;
 use App\Http\Middleware\EnsureEmailIsVerified;
-use App\Http\Middleware\JsonApiResponseMiddleware;
+use App\Http\Middleware\ContentTypeMiddleware;
 use App\Http\Middleware\PreventRequestsDuringMaintenance;
+use App\Http\Middleware\Security\XFrameOptionMiddleware;
 use App\Http\Middleware\TrimStrings;
 use App\Http\Middleware\TrustProxies;
 use App\Http\Middleware\ValidateSignature;
@@ -20,6 +21,12 @@
 use Illuminate\Http\Middleware\HandleCors;
 use Illuminate\Http\Middleware\SetCacheHeaders;
 use Illuminate\Routing\Middleware\ThrottleRequests;
+use Treblle\SecurityHeaders\Http\Middleware\CertificateTransparencyPolicy;
+use Treblle\SecurityHeaders\Http\Middleware\ContentTypeOptions;
+use Treblle\SecurityHeaders\Http\Middleware\PermissionsPolicy;
+use Treblle\SecurityHeaders\Http\Middleware\RemoveHeaders;
+use Treblle\SecurityHeaders\Http\Middleware\SetReferrerPolicy;
+use Treblle\SecurityHeaders\Http\Middleware\StrictTransportSecurity;
 
 final class Kernel extends HttpKernel
 {
@@ -37,8 +44,15 @@ final class Kernel extends HttpKernel
 
         'api' => [
             ThrottleRequests::class.':api',
-            JsonApiResponseMiddleware::class,
+            ContentTypeMiddleware::class,
             CacheHeaders::class,
+            RemoveHeaders::class,
+            StrictTransportSecurity::class,
+            SetReferrerPolicy::class,
+            PermissionsPolicy::class,
+            ContentTypeOptions::class,
+            CertificateTransparencyPolicy::class,
+            XFrameOptionMiddleware::class,
         ],
     ];
 

projects/default-graphql/core/Http/Kernel.php

@@ -10,11 +10,6 @@ use Symfony\Component\HttpFoundation\Response;
 
 final class {{ class }}
 {
-    /**
-     * Handle an incoming request.
-     *
-     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
-     */
     public function handle(Request $request, Closure $next): Response
     {
         return $next($request);

projects/default-graphql/stubs/middleware.stub

@@ -1,4 +1,4 @@
-APP_NAME=Laravel
+APP_NAME="Laravel API Skeleton"
 APP_ENV=local
 APP_KEY=
 APP_DEBUG=true
@@ -11,7 +11,7 @@ LOG_LEVEL=debug
 DB_CONNECTION=mysql
 DB_HOST=127.0.0.1
 DB_PORT=3306
-DB_DATABASE=api_boilerplate_laravel
+DB_DATABASE=api
 DB_USERNAME=root
 DB_PASSWORD=
 

projects/default/.env.example

@@ -1,8 +1,8 @@
-# Laravel API Skeleton - Default
+# Laravel API Skeleton - Example
 This project is a skeleton for building an API with Laravel. It is the simplest skeleton and contains only the basic packages to build an API.
 
 ## Installation
 
 ```bash
-composer require laravelcm/api-skeleton-default
+composer require laravelcm/api-skeleton
 ```

projects/default/README.md

@@ -8,7 +8,7 @@
 use Illuminate\Http\Request;
 use Symfony\Component\HttpFoundation\Response;
 
-final class JsonApiResponseMiddleware
+final class ContentTypeMiddleware
 {
     public function handle(Request $request, Closure $next): Response
     {
@@ -17,10 +17,10 @@ public function handle(Request $request, Closure $next): Response
          */
         $response = $next($request);
 
-        $response->headers->set(
-            key: 'Content-Type',
-            values: 'application/vnd.api+json',
-        );
+        $response->headers->add([
+            'Accept' => 'application/json',
+            'Content-Type' => 'application/vnd.api+json',
+        ]);
 
         return $response;
     }

projects/default/app/Http/Middleware/JsonApiResponseMiddleware.php renamed to projects/default/app/Http/Middleware/ContentTypeMiddleware.php

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Middleware\Security;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+final class XFrameOptionMiddleware
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        /**
+         * @var Response $response
+         */
+        $response = $next($request);
+
+        $response->headers->add([
+            'X-Frame-Options' => 'deny',
+        ]);
+
+        return $response;
+    }
+}

projects/default/app/Http/Middleware/Security/XFrameOptionMiddleware.php

@@ -20,7 +20,8 @@
     "laravel/framework": "^10.2",
     "laravel/sanctum": "^3.2.1",
     "laravel/tinker": "^2.8.1",
-    "timacdonald/json-api": "v1.0.0-beta.4"
+    "timacdonald/json-api": "v1.0.0-beta.4",
+    "treblle/security-headers": "^0.0.3"
   },
   "require-dev": {
     "fakerphp/faker": "^1.21.0",