wilr/SecureControllerExtension.php

## SecureControllerExtension.php
<?php

use SilverStripe\Control\Director;
use SilverStripe\Control\HTTP;
use SilverStripe\Security\Member;
use SilverStripe\Core\Extension;

/**
 * Implements Content-Security-Policy and other security headers on the
 * controllers.
 *
 * http://en.wikipedia.org/wiki/Content_Security_Policy
 * http://www.html5rocks.com/en/tutorials/security/content-security-policy/
 * http://bens.me.uk/2012/content-security-policy
 */

class SecureControllerExtension extends Extension
{
    private $cacheOptions = null;

    public function onAfterInit()
    {
        $this->setExtraHeaders();
        $this->addCacheHeaders();
    }

    public function setExtraHeaders()
    {
        $response = $this->owner->getResponse();

        if ($response && $this->owner->supportsCSP()) {
            $sites = 'https://www.website.com';

            $base = rtrim(Director::absoluteBaseURL(), '/');
            if (strpos($sites, $base) === false) {
                $sites .= ' '. $base;
            }

            $baseWithSlash = rtrim(Director::absoluteBaseURL(), '/') . '/';
            if (strpos($sites, $baseWithSlash) === false) {
                $sites .= ' '. $baseWithSlash;
            }

            $csp = "default-src $sites;";
            $csp .= " base-uri $sites;";
            $csp .= " frame-ancestors $sites;";
            $csp .= " style-src 'unsafe-inline' $sites https://*.gstatic.com https://api.addressfinder.io https://tagmanager.google.com https://optimize.google.com;";
            $csp .= " script-src 'unsafe-inline' $sites https://*.gstatic.com https://api.addressfinder.io https://www.googletagmanager.com https://fonts.googleapis.com https://*.google-analytics.com http://*.google-analytics.com http://tagmanager.google.com https://optimize.google.com http://*.hotjar.com https://*.hotjar.com https://code.jquery.com 'unsafe-eval';";
            $csp .= " img-src $sites 'self' data: https://*.google-analytics.com http://*.google-analytics.com https://*.swagger.io https://optimize.google.com https://*.hotjar.com;";
            $csp .= " font-src $sites https://fonts.gstatic.com http://*.hotjar.com https://*.hotjar.com;";
            $csp .= " object-src $sites 'self';";
            $csp .= " frame-src $sites 'self' data: https://*.youtube-nocookie.com https://*.youtube.com https://optimize.google.com https://www.googletagmanager.com/ns.html https://*.hotjar.com;";
            $csp .= " child-src $sites https://*.youtube-nocookie.com https://*.youtube.com  https://optimize.google.com https://www.googletagmanager.com/ns.html https://*.hotjar.com;";
            $csp .= " connect-src $sites https://api.addressfinder.io https://www.google-analytics.com/ http://*.hotjar.com:* https://*.hotjar.com:* ws://*.hotjar.com wss://*.hotjar.com;";
            $csp .= " form-action $sites 'self';";

            $this->owner->invokeWithExtensions('updateExtraHeaders', $csp);

            $response->addHeader('Content-Security-Policy', $csp);
        }

        if ($response) {
            $headersToSet = [
                'X-Frame-Options' => 'SAMEORIGIN',
                'X-XSS-Protection' => '1; mode=block',
                'X-UA-Compatible' => 'IE=edge',
                'X-Content-Type-Options' => 'nosniff',
                'Content-Type' => 'text/html; charset=utf-8',
                'Content-language' => 'en-NZ',
            ];

            if (!Director::isDev()) {
                $headersToSet['Strict-Transport-Security'] = 'max-age=15768000; includeSubDomains';
            }

            foreach ($headersToSet as $header => $value) {
                $response->addHeader($header, $value);
            }
        }
    }

    public function supportsCSP()
    {
        $agent = strtolower($_SERVER['HTTP_USER_AGENT']);

        if (strpos($agent, 'safari') !== false) {
            $split = explode('version/', $agent);

            if (isset($split[1])) {
                $version = trim($split[1]);
                $versions = explode('.', $version);

                if (isset($versions[0]) && $versions[0] <= 5) {
                    return false;
                }
            }
        }

        return true;
    }

     /**
      * Causes the response to the current request to be cached. This takes
      * advantage of tier 1 caching as defined by CWP. Only use this function
      * if you really understand the implications. $options is a map of
      * simplified caching options, as follows:
      *      "max-age"              If non-zero, cache headers are set to more
      * aggressive Incapsula caching, with a max age of this many seconds. If
      * zero, cache headers are set to be completely dynamic, disabling all
      * caching.
      * vary-on-cookies"       If true, "cookie" is added to the vary header
      * (along with x-Forwarded-Protocol) If false, omits "cookie" from vary
      * header. Default is false.
      * "modified" If provided, this is a timestamp that identifies when the
      * page was last modified. If not provided, it defaults to the value
      * returned by $page->getModificationTimestamp().
      */
    public function cacheRequest($options)
    {
        $defaultOptions = array(
            'max-age' => 60,
            'vary-on-cookies' => false
        );

        $this->cacheOptions = array_merge($defaultOptions, $options);
    }

    /**
     * Add cache headers from the options in $this->cacheOptions ok, we want
     * to cache this response in infrastructure. Override the framework's
     * headers. This relies on current framework implementation, which will
     * set header for us, which we are going to overwrite.
     */
    protected function addCacheHeaders()
    {
        $response = $this->owner->getResponse();

        // Determine max age
        if (isset($this->cacheOptions['max-age'])) {
            $maxAge = intval($this->cacheOptions['max-age']);
        } else {
            $maxAge = 0;
        }
        if ($maxAge > 3600) {
            // cap it at 1 hour to be safe, as CMS users can change some TTLs.
            $maxAge = 3600;
        }

        // Determine vary on cookies
        $varyOnCookies = false;
        if (isset($this->cacheOptions['vary-on-cookies'])) {
            $varyOnCookies = $this->cacheOptions['vary-on-cookies'];
        }

        // Get the modification timestamp if it's present.
        if (isset($this->cacheOptions['modified'])) {
            $modificationTimestamp = $this->cacheOptions['modified'];
        } else {
            if ($this->owner->hasMethod('getModificationTimestamp')) {
                $modificationTimestamp = $this->owner->getModificationTimestamp();
            } else {
                $modificationTimestamp = null;
            }
        }

        // Always add last modified
        if ($modificationTimestamp) {
            $response->addHeader('Last-Modified', HTTP::gmt_date($modificationTimestamp));
        }

        if ($maxAge > 0 && !Member::currentUserID()) {
            // Non-zero max age means we want the response cached. We only cache if the user is not logged in.
            $response->addHeader('Cache-Control', 'max-age=' . $maxAge . ', must-revalidate, no-transform, public');
            $response->addHeader('Pragma', '');
            $vary = 'X-Forwarded-Protocol';
            if ($varyOnCookies) {
                $vary = 'Cookie, ' . $vary;
            }
            $response->addHeader('Vary', $vary);
        } else {
            // no caching
            $response->addHeader('Cache-Control', 'public, max-age=0, must-revalidate, no-transform');
            $response->addHeader('Pragma', 'no-cache');
        }
    }
}
	<?php

	use SilverStripe\Control\Director;
	use SilverStripe\Control\HTTP;
	use SilverStripe\Security\Member;
	use SilverStripe\Core\Extension;

	/**
	* Implements Content-Security-Policy and other security headers on the
	* controllers.
	*
	* http://en.wikipedia.org/wiki/Content_Security_Policy
	* http://www.html5rocks.com/en/tutorials/security/content-security-policy/
	* http://bens.me.uk/2012/content-security-policy
	*/

	class SecureControllerExtension extends Extension
	{
	private $cacheOptions = null;

	public function onAfterInit()
	{
	$this->setExtraHeaders();
	$this->addCacheHeaders();
	}

	public function setExtraHeaders()
	{
	$response = $this->owner->getResponse();

	if ($response && $this->owner->supportsCSP()) {
	$sites = 'https://www.website.com';

	$base = rtrim(Director::absoluteBaseURL(), '/');
	if (strpos($sites, $base) === false) {
	$sites .= ' '. $base;
	}

	$baseWithSlash = rtrim(Director::absoluteBaseURL(), '/') . '/';
	if (strpos($sites, $baseWithSlash) === false) {
	$sites .= ' '. $baseWithSlash;
	}

	$csp = "default-src $sites;";
	$csp .= " base-uri $sites;";
	$csp .= " frame-ancestors $sites;";
	$csp .= " style-src 'unsafe-inline' $sites https://*.gstatic.com https://api.addressfinder.io https://tagmanager.google.com https://optimize.google.com;";
	$csp .= " script-src 'unsafe-inline' $sites https://.gstatic.com https://api.addressfinder.io https://www.googletagmanager.com https://fonts.googleapis.com https://.google-analytics.com http://.google-analytics.com http://tagmanager.google.com https://optimize.google.com http://.hotjar.com https://*.hotjar.com https://code.jquery.com 'unsafe-eval';";
	$csp .= " img-src $sites 'self' data: https://.google-analytics.com http://.google-analytics.com https://.swagger.io https://optimize.google.com https://.hotjar.com;";
	$csp .= " font-src $sites https://fonts.gstatic.com http://.hotjar.com https://.hotjar.com;";
	$csp .= " object-src $sites 'self';";
	$csp .= " frame-src $sites 'self' data: https://.youtube-nocookie.com https://.youtube.com https://optimize.google.com https://www.googletagmanager.com/ns.html https://*.hotjar.com;";
	$csp .= " child-src $sites https://.youtube-nocookie.com https://.youtube.com https://optimize.google.com https://www.googletagmanager.com/ns.html https://*.hotjar.com;";
	$csp .= " connect-src $sites https://api.addressfinder.io https://www.google-analytics.com/ http://.hotjar.com: https://.hotjar.com: ws://.hotjar.com wss://.hotjar.com;";
	$csp .= " form-action $sites 'self';";

	$this->owner->invokeWithExtensions('updateExtraHeaders', $csp);

	$response->addHeader('Content-Security-Policy', $csp);
	}

	if ($response) {
	$headersToSet = [
	'X-Frame-Options' => 'SAMEORIGIN',
	'X-XSS-Protection' => '1; mode=block',
	'X-UA-Compatible' => 'IE=edge',
	'X-Content-Type-Options' => 'nosniff',
	'Content-Type' => 'text/html; charset=utf-8',
	'Content-language' => 'en-NZ',
	];

	if (!Director::isDev()) {
	$headersToSet['Strict-Transport-Security'] = 'max-age=15768000; includeSubDomains';
	}

	foreach ($headersToSet as $header => $value) {
	$response->addHeader($header, $value);
	}
	}
	}

	public function supportsCSP()
	{
	$agent = strtolower($_SERVER['HTTP_USER_AGENT']);

	if (strpos($agent, 'safari') !== false) {
	$split = explode('version/', $agent);

	if (isset($split[1])) {
	$version = trim($split[1]);
	$versions = explode('.', $version);

	if (isset($versions[0]) && $versions[0] <= 5) {
	return false;
	}
	}
	}

	return true;
	}

	/**
	* Causes the response to the current request to be cached. This takes
	* advantage of tier 1 caching as defined by CWP. Only use this function
	* if you really understand the implications. $options is a map of
	* simplified caching options, as follows:
	* "max-age" If non-zero, cache headers are set to more
	* aggressive Incapsula caching, with a max age of this many seconds. If
	* zero, cache headers are set to be completely dynamic, disabling all
	* caching.
	* vary-on-cookies" If true, "cookie" is added to the vary header
	* (along with x-Forwarded-Protocol) If false, omits "cookie" from vary
	* header. Default is false.
	* "modified" If provided, this is a timestamp that identifies when the
	* page was last modified. If not provided, it defaults to the value
	* returned by $page->getModificationTimestamp().
	*/
	public function cacheRequest($options)
	{
	$defaultOptions = array(
	'max-age' => 60,
	'vary-on-cookies' => false
	);

	$this->cacheOptions = array_merge($defaultOptions, $options);
	}

	/**
	* Add cache headers from the options in $this->cacheOptions ok, we want
	* to cache this response in infrastructure. Override the framework's
	* headers. This relies on current framework implementation, which will
	* set header for us, which we are going to overwrite.
	*/
	protected function addCacheHeaders()
	{
	$response = $this->owner->getResponse();

	// Determine max age
	if (isset($this->cacheOptions['max-age'])) {
	$maxAge = intval($this->cacheOptions['max-age']);
	} else {
	$maxAge = 0;
	}
	if ($maxAge > 3600) {
	// cap it at 1 hour to be safe, as CMS users can change some TTLs.
	$maxAge = 3600;
	}

	// Determine vary on cookies
	$varyOnCookies = false;
	if (isset($this->cacheOptions['vary-on-cookies'])) {
	$varyOnCookies = $this->cacheOptions['vary-on-cookies'];
	}

	// Get the modification timestamp if it's present.
	if (isset($this->cacheOptions['modified'])) {
	$modificationTimestamp = $this->cacheOptions['modified'];
	} else {
	if ($this->owner->hasMethod('getModificationTimestamp')) {
	$modificationTimestamp = $this->owner->getModificationTimestamp();
	} else {
	$modificationTimestamp = null;
	}
	}

	// Always add last modified
	if ($modificationTimestamp) {
	$response->addHeader('Last-Modified', HTTP::gmt_date($modificationTimestamp));
	}

	if ($maxAge > 0 && !Member::currentUserID()) {
	// Non-zero max age means we want the response cached. We only cache if the user is not logged in.
	$response->addHeader('Cache-Control', 'max-age=' . $maxAge . ', must-revalidate, no-transform, public');
	$response->addHeader('Pragma', '');
	$vary = 'X-Forwarded-Protocol';
	if ($varyOnCookies) {
	$vary = 'Cookie, ' . $vary;
	}
	$response->addHeader('Vary', $vary);
	} else {
	// no caching
	$response->addHeader('Cache-Control', 'public, max-age=0, must-revalidate, no-transform');
	$response->addHeader('Pragma', 'no-cache');
	}
	}
	}