Merge pull request #187 from gsteel/x-frame-options

Add X-Frame-Options: SAMEORIGIN to all response payloads.
gsteel · Apr 22, 2024 · 98dcb45 · 98dcb45
2 parents 8458a4a + 6d079a4
commit 98dcb45
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 0 deletions.
diff --git a/config/pipeline.php b/config/pipeline.php
@@ -2,6 +2,7 @@
 
 declare(strict_types=1);
 
+use App\Middleware\XFrameOptionsMiddleware;
 use Laminas\Stratigility\Middleware\ErrorHandler;
 use Mezzio\Application;
 use Mezzio\Handler\NotFoundHandler;
@@ -24,6 +25,7 @@
     $app->pipe(ImplicitOptionsMiddleware::class);
     $app->pipe(MethodNotAllowedMiddleware::class);
     $app->pipe(UrlHelperMiddleware::class);
+    $app->pipe(XFrameOptionsMiddleware::class);
     $app->pipe(DispatchMiddleware::class);
     $app->pipe(NotFoundHandler::class);
 };
diff --git a/src/App/ConfigProvider.php b/src/App/ConfigProvider.php
@@ -48,6 +48,7 @@ private function dependencies(): array
                 Log\ErrorHandlerLoggingListener::class => Log\Container\ErrorHandlerLoggingListenerFactory::class,
                 Middleware\CalculationMiddleware::class => Middleware\Container\CalculationMiddlewareFactory::class,
                 Middleware\TemplateRenderer::class => Middleware\Container\TemplateRendererFactory::class,
+                Middleware\XFrameOptionsMiddleware::class => Laminas\ServiceManager\Factory\InvokableFactory::class,
                 Money\Currency::class => static fn (): Money\Currency => new Money\Currency('GBP'),
                 Psr\Http\Client\ClientInterface::class => Container\HttpClientFactory::class,
 

diff --git a/src/App/Middleware/XFrameOptionsMiddleware.php b/src/App/Middleware/XFrameOptionsMiddleware.php
@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+final readonly class XFrameOptionsMiddleware implements MiddlewareInterface
+{
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        return $handler->handle($request)->withHeader('X-Frame-Options', 'SAMEORIGIN');
+    }
+}
diff --git a/test/Unit/Middleware/XFrameOptionsMiddlewareTest.php b/test/Unit/Middleware/XFrameOptionsMiddlewareTest.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace AppTest\Unit\Middleware;
+
+use App\Middleware\XFrameOptionsMiddleware;
+use AppTest\Unit\Framework\TestCase;
+use AppTest\Unit\Framework\TestHandler;
+use Laminas\Diactoros\Response\HtmlResponse;
+
+class XFrameOptionsMiddlewareTest extends TestCase
+{
+    private XFrameOptionsMiddleware $middleware;
+    private TestHandler $handler;
+
+    protected function setUp(): void
+    {
+        $this->middleware = new XFrameOptionsMiddleware();
+        $this->handler = new TestHandler(new HtmlResponse('Foo'));
+    }
+
+    public function testThatTheResponseWillHaveTheXFrameOptionsHeaderAppended(): void
+    {
+        $response = $this->middleware->process($this->serverRequest('/'), $this->handler);
+
+        self::assertTrue($this->handler->didHandle());
+        self::assertMessageHasHeader($response, 'X-Frame-Options', 'SAMEORIGIN');
+    }
+}