Security

*****Page Under Development*****

The Framework provides support for a variety of ways of enhancing the security of your website. The basic setup does not use all of them, since it does not need them, but it does provide classes and other features that you can use when developing applications that require them.

Content Security Policy

The Framework supports the W3C Content Security Policy header, and code for it is included in the default installation. The installation procedure asks whether you want it enabled and whether you want violation reporting enabled. Even if you do not select these options, you can enable them later via the admin/config page of your site. The relevant options are 'usecsp' and 'reportcsp'; a value of 1 indicates that the option is enabled, 0 that it is disabled.

If 'usecsp' is enabled, a Content-Security-Policy header is generated for every page. This header controls which URLs the page is allowed to load resources from. The default header for most pages in the Framework looks like this:

        Content-Security-Policy: default-src 'self'; font-src 'self' data: use.fontawesome.com; img-src 'self' data:; script-src 'self' stackpath.bootstrapcdn.com cdnjs.cloudflare.com code.jquery.com; style-src 'self' use.fontawesome.com stackpath.bootstrapcdn.com;

As you can see, it allows access to local resources ('self'), fontawesome, bootstrap, jquery, and resources from the cloudflare JavaScript CDN. As it stands, this configuration does not allow any inline CSS or JavaScript. JavaScript that is included using the twig blocks setup and onload is hashed by the Framework, and the hash value for that script is added to the CSP header when the page is rendered, which allows the browser to run it. No other inline code will run.

Naturally, you may want to use images, JavaScript or CSS from other sources, so the Framework provides a function, callable either from PHP or from inside a twig, that adds a source to a directive of the CSP header:


        $context->web()->addCSP('img-src', 'imgs.xys.com')

or in a twig


        {% do context.web.addCSP('img-src', 'imgs.xys.com') %}

If you want to remove an item from the CSP then use


        $context->web()->removeCSP('img-src', 'data:')

or in a twig

        {% do context.web.removeCSP('img-src', 'data:') %}


If there is an item that you need to add to every page — for example fonts.gstatic.com — then you should edit class/config/config.php and add the item to the relevant entry or entries in the public static variable $defaultCSP rather than including specifically in each twig.
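The following is an added example and not the Framework's own code: a small model of how a CSP header of the shape quoted above is assembled from a per-directive source list, with addCSP/removeCSP-style helpers and the script-hash mechanism described earlier. The class name CspBuilder, the method allowInlineScript and the array layout used for the defaults are assumptions for illustration; the real $defaultCSP in class/config/config.php may be structured differently.

```php
<?php
// Added example (not the Framework's code). CspBuilder and its methods are
// assumed names that mirror the behaviour described on this page.

final class CspBuilder
{
    /** @var array<string, string[]> directive name => allowed sources */
    private array $directives;

    public function __construct(array $defaults)
    {
        $this->directives = $defaults;
    }

    // Counterpart of $context->web()->addCSP(directive, source)
    public function addCSP(string $directive, string $source): void
    {
        $this->directives[$directive] ??= [];
        if (!in_array($source, $this->directives[$directive], true)) {
            $this->directives[$directive][] = $source;
        }
    }

    // Counterpart of $context->web()->removeCSP(directive, source)
    public function removeCSP(string $directive, string $source): void
    {
        if (isset($this->directives[$directive])) {
            $this->directives[$directive] = array_values(array_filter(
                $this->directives[$directive],
                fn(string $s): bool => $s !== $source
            ));
        }
    }

    // Permit one exact inline script by its SHA-256 hash rather than
    // opening script-src up with 'unsafe-inline'. The browser hashes the
    // bytes between the <script> tags and compares them with this value.
    public function allowInlineScript(string $scriptBody): string
    {
        $token = "'sha256-" . base64_encode(hash('sha256', $scriptBody, true)) . "'";
        $this->addCSP('script-src', $token);
        return $token;
    }

    // Serialise to the header value format: "name src src; name src;"
    public function header(): string
    {
        $parts = [];
        foreach ($this->directives as $name => $sources) {
            $parts[] = $name . ' ' . implode(' ', $sources);
        }
        return 'Content-Security-Policy: ' . implode('; ', $parts) . ';';
    }
}

// Constructed defaults modelled on the default header quoted above.
$csp = new CspBuilder([
    'default-src' => ["'self'"],
    'font-src'    => ["'self'", 'data:', 'use.fontawesome.com'],
    'img-src'     => ["'self'", 'data:'],
    'script-src'  => ["'self'", 'stackpath.bootstrapcdn.com', 'cdnjs.cloudflare.com', 'code.jquery.com'],
    'style-src'   => ["'self'", 'use.fontawesome.com', 'stackpath.bootstrapcdn.com'],
]);

$csp->addCSP('img-src', 'imgs.xys.com');   // page-specific image host, as in the text
$csp->removeCSP('img-src', 'data:');        // stop data: URIs being used for images
$hash = $csp->allowInlineScript("document.getElementById('name').focus();");

// In a web request this string would be passed to header(); echoing it
// lets you inspect the result from the command line.
echo $csp->header(), "\n";
echo "inline script token: ", $hash, "\n";
```

Two points worth checking when using the hash route: the hashed text must be byte-for-byte identical to what ends up in the page (a changed indent or trailing newline produces a different hash and the script is silently blocked), and a source removed with removeCSP is gone for that page only, so a directive that is wrong on every page belongs in $defaultCSP as the paragraph above says.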

Captchas

The form macros include one that generates a button that uses the Google invisible reCAPTCHA system. To deploy this you have to register your site's URL with Google and obtain the two keys necessary to make the system work. The twig macro is invoked like this (assuming you have imported the macro file as f):


        {{f.recaptcha('YOUR GOOGLE KEY', 'Label', 'callback', opts)}}


where Label is the text you want to appear on the button, callback is the name of a JavaScript function that submits the form once the captcha process is complete, and opts is an object of options. Currently the only options supported are id, which sets the id attribute on the button, and style, which is a class name (or names) that is (are) included in the class attribute; if style is empty it defaults to btn-primary. The button always has the Bootstrap class btn.

When a user submits a form you can call the PHP function


        $context->web()->recaptcha('YOUR SECRET KEY')


which returns TRUE or FALSE depending on whether or not the captcha was completed successfully.
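As an added example, not the Framework's recaptcha() implementation, this shows what a server-side check of a submitted captcha token involves. The siteverify endpoint and the success and hostname fields of its JSON reply are Google's documented reCAPTCHA API; the function names, the injectable $post transport and the replies used below are constructed so that the logic can be exercised without network access.

```php
<?php
// Added example (not the Framework's code). verifyRecaptcha and curlPost
// are assumed names; the constructed replies stand in for Google's answer.

const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

/**
 * True only when Google reports success AND the challenge was solved on the
 * hostname we expect, so a token solved for some other site cannot be
 * replayed against this one.
 *
 * @param callable(string, array<string,string>): string $post  sends a form
 *        POST to $url with $fields and returns the response body
 */
function verifyRecaptcha(string $secret, string $token, string $expectedHost, callable $post): bool
{
    if ($token === '') {             // field absent: the challenge was never completed
        return false;
    }
    $body  = $post(RECAPTCHA_VERIFY_URL, ['secret' => $secret, 'response' => $token]);
    $reply = json_decode($body, true);
    if (!is_array($reply) || empty($reply['success'])) {
        return false;                // invalid, expired or already-used token
    }
    return isset($reply['hostname'])
        && strcasecmp((string) $reply['hostname'], $expectedHost) === 0;
}

// Real transport for a live request (cURL form POST with a timeout).
function curlPost(string $url, array $fields): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $out = curl_exec($ch);
    curl_close($ch);
    return $out === false ? '' : $out;
}

// Constructed replies so the function can be run offline.
$solvedHere = fn(string $url, array $f): string =>
    json_encode(['success' => true, 'challenge_ts' => '2024-01-01T00:00:00Z', 'hostname' => 'www.example.com']);
$solvedElsewhere = fn(string $url, array $f): string =>
    json_encode(['success' => true, 'hostname' => 'other.example']);
$rejected = fn(string $url, array $f): string =>
    json_encode(['success' => false, 'error-codes' => ['invalid-input-response']]);

var_dump(verifyRecaptcha('SECRET', 'token', 'www.example.com', $solvedHere));
var_dump(verifyRecaptcha('SECRET', 'token', 'www.example.com', $solvedElsewhere));
var_dump(verifyRecaptcha('SECRET', 'token', 'www.example.com', $rejected));
var_dump(verifyRecaptcha('SECRET', '',      'www.example.com', $solvedHere));
```

Only the first call succeeds. In a live handler the token comes from the g-recaptcha-response field the widget adds to the form, and the transport would be curlPost; treat any transport error or malformed reply as a failed check rather than letting the form through.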

Cross-site Request Forgery (CSRF)

The Framework provides a class, CSRFGuard, that offers functions to generate and validate tokens to be included when generating a POST form that changes data. This is work in progress; support for easily including the necessary fields in a form is still needed.
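An added example of the generate-and-validate pattern such a class implements; this is not the Framework's CSRFGuard, and the class name CsrfGuard, its methods token, field and validate, and the session key name are all assumptions for illustration.

```php
<?php
// Added example (not the Framework's CSRFGuard). All names are assumed.

final class CsrfGuard
{
    private const SESSION_KEY = 'csrf_token';   // assumed key name
    private array $session;

    // Takes the session store by reference so $_SESSION (or a test array)
    // can be passed in without globals inside the class.
    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // One unpredictable token per session, created on first use.
    public function token(): string
    {
        if (empty($this->session[self::SESSION_KEY])) {
            $this->session[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $this->session[self::SESSION_KEY];
    }

    // Hidden field to render inside every data-changing POST form.
    public function field(string $name = '_token'): string
    {
        return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES)
             . '" value="' . htmlspecialchars($this->token(), ENT_QUOTES) . '">';
    }

    // hash_equals keeps the comparison constant-time; a missing session
    // token or a missing form field is a rejection, never an acceptance.
    public function validate(?string $submitted): bool
    {
        $expected = $this->session[self::SESSION_KEY] ?? null;
        return is_string($expected)
            && is_string($submitted)
            && hash_equals($expected, $submitted);
    }
}

// Constructed session array standing in for $_SESSION.
$session = [];
$guard   = new CsrfGuard($session);

echo $guard->field(), "\n";          // what goes into the form

// On the POST side: only the token issued to this session is accepted.
var_dump($guard->validate($guard->token()));   // the real token
var_dump($guard->validate('0000'));            // a guessed value
var_dump($guard->validate(null));              // field not submitted
```

In a handler the submitted value would be $_POST['_token'] ?? null, and the check belongs before any state change, not after it.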