Merge pull request #10 from brokenhandsio/vapor3

Vapor 3

Author: 0xTim

.travis.yml

@@ -5,7 +5,7 @@ language: generic
 sudo: required
 dist: trusty
 
-osx_image: xcode9.1
+osx_image: xcode9.3
 before_install:
     - if [ $TRAVIS_OS_NAME == "osx" ]; then
             brew update;
@@ -24,7 +24,7 @@ script:
     - swift test
 
 after_success:
-    - eval "$(curl -sL https://raw.githubusercontent.com/vapor-community/swift/master/codecov)"
+    - eval "$(curl -sL https://raw.githubusercontent.com/vapor-community/swift/swift-4-codecov/codecov-swift4)"
 
 notifications:
   email:

Package.swift

@@ -1,8 +1,17 @@
+// swift-tools-version:4.0
+
 import PackageDescription
 
 let package = Package(
     name: "VaporSecurityHeaders",
+    products: [
+        .library(name: "VaporSecurityHeaders", targets: ["VaporSecurityHeaders"]),
+    ],
     dependencies: [
-    	.Package(url: "https://github.com/vapor/vapor.git", majorVersion: 2),
+    	.package(url: "https://github.com/vapor/vapor.git", from: "3.0.0"),
+    ],
+    targets: [
+        .target(name: "VaporSecurityHeaders", dependencies: ["Vapor"]),
+        .testTarget(name: "VaporSecurityHeadersTests", dependencies: ["VaporSecurityHeaders"]),
     ]
 )

[email protected]

@@ -3,7 +3,7 @@
     <br>
     <br>
     <a href="https://swift.org">
-        <img src="http://img.shields.io/badge/Swift-4-brightgreen.svg" alt="Language">
+        <img src="http://img.shields.io/badge/Swift-4.1-brightgreen.svg" alt="Language">
     </a>
     <a href="https://travis-ci.org/brokenhandsio/VaporSecurityHeaders">
         <img src="https://travis-ci.org/brokenhandsio/VaporSecurityHeaders.svg?branch=master" alt="Build Status">
@@ -35,29 +35,21 @@ These headers will *help* prevent cross-site scripting attacks, SSL downgrade at
 
 # Usage
 
-To use Vapor Security Headers, just add the middleware to your `Config` and then to your `droplet.json`. Vapor Security Headers makes this easy to do with a `builder` function on the factory:
+To use Vapor Security Headers, just register the middleware with your services and add it to your `MiddlewareConfig`. Vapor Security Headers makes this easy to do with a `build` function on the factory. In `configure.swift` add:
 
 ```swift
-let config = Config()
 let securityHeadersFactory = SecurityHeadersFactory()
-config.addConfigurable(middleware: securityHeadersFactory.builder(), name: "security-headers"))
-let drop = Droplet(config)
+services.register(securityHeadersFactory.build())
+
+var middlewareConfig = MiddlewareConfig()
+// ...
+middlewareConfig.use(SecurityHeaders.self)
+services.register(middlewareConfig)
 ```
 
 The default factory will add default values to your site for Content-Security-Policy, X-XSS-Protection, X-Frame-Options and X-Content-Type-Options.
 
-***Note:*** You should ensure you set the security headers as the first middleware in your `droplet.json` to make sure the headers get added to all responses:
-
-```json
-{
-    ...
-    "middleware": [
-        "security-headers",
-        ...
-    ],
-    ...
-}
-```
+***Note:*** You should ensure you set the security headers as the last middleware in your `MiddlewareConfig` (i.e., the first middleware to be applied to responses) to make sure the headers get added to all responses.
 
 If you want to add your own values, it is easy to do using the factory. For instance, to add a content security policy configuration, just do:
 
@@ -72,7 +64,7 @@ You will need to add it as a dependency in your `Package.swift` file:
 ```swift
 dependencies: [
     ...,
-    .package(url: "https://github.com/brokenhandsio/VaporSecurityHeaders.git", from: "1.1.0")
+    .package(url: "https://github.com/brokenhandsio/VaporSecurityHeaders.git", from: "2.0.0")
 ]
 ```
 
@@ -140,14 +132,22 @@ Check out [https://report-uri.io/](https://report-uri.io/) for a free tool to se
 
 ### Page Specific CSP
 
-Vapor Security Headers also supports setting the CSP on a route or request basis. If the middleware has been added to the Droplet, you can override the CSP for a request. This allows you to have a strict default CSP, but allow content from extra sources when required, such as only allowing the Javascript for blog comments on the blog page. Create a separate `ContentSecurityPolicyConfiguration` and then add it to the request. For example, inside a route handler, you could do:
+Vapor Security Headers also supports setting the CSP on a route or request basis. If the middleware has been added to the `MiddlewareConfig`, you can override the CSP for a request. This allows you to have a strict default CSP, but allow content from extra sources when required, such as only allowing the Javascript for blog comments on the blog page. Create a separate `ContentSecurityPolicyConfiguration` and then add it to the request. For example, inside a route handler, you could do:
 
 ```swift
 let pageSpecificCSPVaue = "default-src 'none'; script-src https://comments.disqus.com;"
 let pageSpecificCSP = ContentSecurityPolicyConfiguration(value: pageSpecificCSPValue)
 request.contentSecurityPolicy = pageSpecificCSP
 ```
 
+You must also enable the `CSPRequestConfiguration` service for this to work. In `configure.swift` add:
+
+```swift
+services.register { _ in
+    return CSPRequestConfiguration()
+}
+```
+
 ## Content-Security-Policy-Report-Only
 
 Content-Security-Policy-Report-Only works in exactly the same way as Content-Security-Policy except that any violations will not block content, but they will be reported back to you. This is extremely useful for testing a CSP before rolling it out over your site. You can run both side by side - so for example have a fairly simply policy under Content-Security-Policy but test a more restrictive policy over Content-Security-Policy-Report-Only. The great thing about this is that your users do all your testing for you!
@@ -175,7 +175,7 @@ To just enable the protection:
 let xssProtectionConfig = XssProtectionConfiguration(option: .enable)
 ```
 
-To sanitize the page and report the violation:
+To sanitise the page and report the violation:
 
 ```swift
 let xssProtectionConfig = XssProtectionConfiguration(option: .report("https://report-uri.com"))

README.md

@@ -1,4 +1,4 @@
-import HTTP
+import Vapor
 
 public struct ContentSecurityPolicyConfiguration: SecurityHeaderConfiguration {
 
@@ -9,22 +9,32 @@ public struct ContentSecurityPolicyConfiguration: SecurityHeaderConfiguration {
     }
 
     func setHeader(on response: Response, from request: Request) {
-        if let requestCsp = request.contentSecurityPolicy {
-            response.headers[HeaderKey.contentSecurityPolicy] = requestCsp.value
+        if let requestCSP = request.contentSecurityPolicy {
+            response.http.headers.replaceOrAdd(name: .contentSecurityPolicy, value: requestCSP.value)
         } else {
-            response.headers[HeaderKey.contentSecurityPolicy] = value
+            response.http.headers.replaceOrAdd(name: .contentSecurityPolicy, value: value)
         }
     }
 }
 
-extension Request {
+public class CSPRequestConfiguration: Service {
+    var configuration: ContentSecurityPolicyConfiguration?
+    public init() {}
+}
 
+extension Request {
     public var contentSecurityPolicy: ContentSecurityPolicyConfiguration? {
         get {
-            return storage["cspConfig"] as? ContentSecurityPolicyConfiguration
+            if let requestConfig = try? privateContainer.make(CSPRequestConfiguration.self) {
+                return requestConfig.configuration
+            } else {
+                return nil
+            }
         }
         set {
-            storage["cspConfig"] = newValue
+            if let requestConfig = try? privateContainer.make(CSPRequestConfiguration.self) {
+                requestConfig.configuration = newValue
+            }
         }
     }
 }

Sources/VaporSecurityHeaders/Configurations/ContentSecurityPolicyConfiguration.swift

@@ -1,4 +1,4 @@
-import HTTP
+import Vapor
 
 public struct ContentSecurityPolicyReportOnlyConfiguration: SecurityHeaderConfiguration {
 
@@ -9,6 +9,6 @@ public struct ContentSecurityPolicyReportOnlyConfiguration: SecurityHeaderConfig
     }
 
     func setHeader(on response: Response, from request: Request) {
-        response.headers[HeaderKey.contentSecurityPolicyReportOnly] = value
+        response.http.headers.replaceOrAdd(name: .contentSecurityPolicyReportOnly, value: value)
     }
 }

Sources/VaporSecurityHeaders/Configurations/ContentSecurityPolicyReportOnlyConfiguration.swift

@@ -1,4 +1,4 @@
-import HTTP
+import Vapor
 
 public struct ContentTypeOptionsConfiguration: SecurityHeaderConfiguration {
 
@@ -16,7 +16,7 @@ public struct ContentTypeOptionsConfiguration: SecurityHeaderConfiguration {
     func setHeader(on response: Response, from request: Request) {
         switch option {
         case .nosniff:
-            response.headers[HeaderKey.xContentTypeOptions] = "nosniff"
+            response.http.headers.replaceOrAdd(name: .xContentTypeOptions, value: "nosniff")
         default:
             break
         }

Sources/VaporSecurityHeaders/Configurations/ContentTypeOptionsConfiguration.swift

@@ -1,4 +1,5 @@
 import HTTP
+import Vapor
 
 public struct FrameOptionsConfiguration: SecurityHeaderConfiguration {
 
@@ -17,11 +18,11 @@ public struct FrameOptionsConfiguration: SecurityHeaderConfiguration {
     func setHeader(on response: Response, from request: Request) {
         switch option {
         case .deny:
-            response.headers[HeaderKey.xFrameOptions] = "DENY"
+            response.http.headers.replaceOrAdd(name: .xFrameOptions, value: "DENY")
         case .sameOrigin:
-            response.headers[HeaderKey.xFrameOptions] = "SAMEORIGIN"
+            response.http.headers.replaceOrAdd(name: .xFrameOptions, value: "SAMEORIGIN")
         case .allow(let from):
-            response.headers[HeaderKey.xFrameOptions] = "ALLOW-FROM \(from)"
+            response.http.headers.replaceOrAdd(name: .xFrameOptions, value: "ALLOW-FROM \(from)")
         }
     }
 }

Sources/VaporSecurityHeaders/Configurations/FrameOptionsConfiguration.swift

@@ -1,4 +1,4 @@
-import HTTP
+import Vapor
 
 public struct ReferrerPolicyConfiguration: SecurityHeaderConfiguration {
 
@@ -21,6 +21,6 @@ public struct ReferrerPolicyConfiguration: SecurityHeaderConfiguration {
     }
 
     func setHeader(on response: Response, from request: Request) {
-        response.headers[HeaderKey.referrerPolicy] = option.rawValue
+        response.http.headers.replaceOrAdd(name: .referrerPolicy, value: option.rawValue)
     }
 }

Sources/VaporSecurityHeaders/Configurations/ReferrerPolicyConfiguration.swift

@@ -1,4 +1,5 @@
 import HTTP
+import Vapor
 
 public struct ServerConfiguration: SecurityHeaderConfiguration {
     private let value: String
@@ -8,6 +9,6 @@ public struct ServerConfiguration: SecurityHeaderConfiguration {
     }
 
     func setHeader(on response: Response, from request: Request) {
-        response.headers[HeaderKey.server] = value
+        response.http.headers.replaceOrAdd(name: .server, value: value)
     }
 }