feat: Added Add Security Headers rule

Author: Lucisu

.gitignore

@@ -1,3 +1,4 @@
+.env
 vendor/
 .idea/
 .phpunit.result.cache

src/RuleContent.php

@@ -4,7 +4,6 @@
 
 class RuleContent {
 
-
     public array $content;
     public array $templateVars;
 

src/SecureCommand.php

@@ -6,6 +6,7 @@
 use WP_CLI\Process;
 use WP_CLI\Utils;
 use WP_CLI_Command;
+use WP_CLI_Secure\SubCommands\AddSecurityHeaders;
 use WP_CLI_Secure\SubCommands\BlockAccessToHtaccess;
 use WP_CLI_Secure\SubCommands\BlockAccessToSensitiveDirectories;
 use WP_CLI_Secure\SubCommands\BlockAccessToSensitiveFiles;
@@ -283,6 +284,40 @@ public function block_access_to_sensitive_directories($args, $assoc_args) : void
         (new BlockAccessToSensitiveDirectories($assoc_args))->output();
     }
 
+    /**
+     *  Set Security Headers.
+     *
+     *  Set Security Headers.
+     *
+     * ## OPTIONS
+     *
+     * [--remove]
+     * : Removes the rule from .htaccess or nginx.conf.
+     *
+     * [--headers]
+     * : Custom comma separated header list to add.
+     *
+     * [--output]
+     * : Use this option to display the actual code that you can manually copy and paste into some other file
+     *
+     * [--headers=<headers>]
+     * : List of headers you want to be added.
+     *
+     * [--server=<server>]
+     * : Set a server type. Possible options are "apache" and "nginx". Default is "apache" and all rules are stored in
+     * .htaccess file
+     *
+     * ## EXAMPLES
+     *
+     *     $ wp secure add_security_headers
+     *     Success: Add Security Headers rule has been deployed.
+     *
+     * @when before_wp_load
+     */
+    public function add_security_headers($args, $assoc_args) : void {
+        (new AddSecurityHeaders($assoc_args))->output();
+    }
+
     /**
      *  Blocks direct access to .htaccess
      *

src/SubCommands/AddSecurityHeaders.php

@@ -0,0 +1,50 @@
+<?php
+
+namespace WP_CLI_Secure\SubCommands;
+
+class AddSecurityHeaders extends SubCommand {
+    public string $ruleTemplate = 'add_security_headers';
+    public string $ruleName = 'SECURITY HEADERS';
+    public string $successMessage = 'Add Security Headers rule has been deployed.';
+    public string $removalMessage= 'Add Security Headers rule has been removed.';
+
+    public function getTemplateVars() {
+
+        $default_headers = [
+            'Strict-Transport-Security' => '"max-age=63072000; includeSubDomains; preload"',
+            'Referrer-Policy' => 'strict-origin-when-cross-origin',
+            'X-Content-Type-Options' => 'nosniff',
+            'X-Frame-Options' => 'SAMEORIGIN',
+            'X-XSS-Protection' => '"1; mode=block"'
+        ];
+
+        $headers = isset( $this->commandArguments['headers'] ) ? $this->commandArguments['headers'] : array_keys( $default_headers );
+        if ( ! empty( $headers ) ) {
+            if ( is_string( $headers ) ) {
+                $headers = explode( ',', $headers );
+            }
+            $headers = array_map( 'trim', $headers );
+
+            foreach ( $headers as $h ) {
+                $header = '';
+                $value = '';
+                foreach ( $default_headers as $key => $v ) {
+                    if ( strtolower( $key ) === strtolower( $h ) ) {
+                        $header = $key;
+                        $value  = $v;
+                    }
+                }
+                if ( empty( $header ) ) {
+                    continue;
+                }
+                $headers_array[] =
+                    [
+                        'header' => $header,
+                        'value' => $value
+                    ];
+            }
+            return $headers_array;
+        }
+        return [];
+    }
+}

src/SubCommands/BlockAccessToSensitiveDirectories.php

@@ -13,7 +13,6 @@ public function getTemplateVars() {
         if ( ! empty( $directories ) ) {
             $directories = explode( ',', $directories );
             $directories = array_map( 'trim', $directories );
-            $directories_array = [];
 
             return [
                 [ 'directories' => implode( '|', array_map( 'preg_quote', $directories ) ) ]

src/Templates/apache/add_security_headers.tpl

@@ -0,0 +1 @@
+Header always set {{header}} {{value}}

src/Templates/nginx/add_security_headers.tpl

@@ -0,0 +1 @@
+add_header {{header}} {{value}} always;

tests/Feature/AddSecurityHeadersTest.php

@@ -0,0 +1,40 @@
+<?php
+
+namespace Tests\Feature;
+
+use Tests\BaseTestCase;
+use WP_CLI_Secure\SubCommands\AddSecurityHeaders;
+
+class AddSecurityHeadersTest extends BaseTestCase {
+    public function setUp(): void {
+        parent::setUp();
+
+        $command = new AddSecurityHeaders($this->nginxAssocArgs);
+        $command->output();
+
+        $command = new AddSecurityHeaders($this->apacheAssocArgs);
+        $command->output();
+
+        exec('cd ' . dirname(dirname(__DIR__)) . DIRECTORY_SEPARATOR . $_ENV['WORDPRESS_NGINX_PATH'] . '&& ddev exec nginx -s reload');
+    }
+
+    public function testItWillContainAllHeadersOnNginx() : void {
+        $response = $this->nginxHttpClient->get('', ['http_errors' => false]);
+
+        $this->assertNotEmpty($response->getHeaderLine( 'Strict-Transport-Security' ));
+        $this->assertNotEmpty($response->getHeaderLine( 'Referrer-Policy' ));
+        $this->assertNotEmpty($response->getHeaderLine( 'x-content-type-options' ));
+        $this->assertNotEmpty($response->getHeaderLine( 'X-Frame-Options' ));
+        $this->assertNotEmpty($response->getHeaderLine( 'X-XSS-Protection' ));
+    }
+
+    public function testItWillContainAllHeadersOnApache() : void {
+        $response = $this->apacheHttpClient->get('', ['http_errors' => false]);
+
+        $this->assertNotEmpty($response->getHeaderLine( 'Strict-Transport-Security' ));
+        $this->assertNotEmpty($response->getHeaderLine( 'Referrer-Policy' ));
+        $this->assertNotEmpty($response->getHeaderLine( 'x-content-type-options' ));
+        $this->assertNotEmpty($response->getHeaderLine( 'X-Frame-Options' ));
+        $this->assertNotEmpty($response->getHeaderLine( 'X-XSS-Protection' ));
+    }
+}