Add security headers to the default response

composer.json

@@ -128,7 +128,9 @@
                         "messages": {
                             "Symfony\\Component\\HttpKernel\\Exception\\BadRequestHttpException": true
                         }
-
+                    },
+                    "service": {
+                        "view_handler": "my.secure_view_handler"
                     }
                 }
             }

config/services.yml

@@ -4,3 +4,11 @@ services:
         public: true
         autowire: true
         tags: ['controller.service_arguments']
+
+    my.secure_handler:
+      class: \PhpList\RestBundle\ViewHandler\SecuredViewHandler
+
+    my.secure_view_handler:
+      parent: fos_rest.view_handler.default
+      calls:
+        - ['registerHandler', [ 'json', ['@my.secure_handler', 'createResponse'] ] ]

src/ViewHandler/SecuredViewHandler.php

@@ -0,0 +1,38 @@
+<?php
+declare(strict_types=1);
+
+namespace PhpList\RestBundle\ViewHandler;
+
+use FOS\RestBundle\View\View;
+use FOS\RestBundle\View\ViewHandler;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * This class is used to add headers to the default response.
+ *
+ * @author Xheni Myrtaj <xheni@phplist.com>
+ */
+class SecuredViewHandler
+{
+    /**
+     * @param ViewHandler $viewHandler
+     * @param View $view
+     * @param Request $request
+     * @param string $format
+     *
+     * @return Response
+     */
+    public function createResponse(ViewHandler $handler, View $view, Request $request, string $format): Response
+    {
+        $view->setHeaders(
+            [
+                'X-Content-Type-Options' => 'nosniff',
+                'Content-Security-Policy' => "default-src 'none'",
+                'X-Frame-Options' => 'DENY',
+            ]
+        );
+
+        return $handler->createResponse($view, $request, $format);
+    }
+}

tests/System/Controller/SecuredViewHandlerTest.php

@@ -0,0 +1,69 @@
+<?php
+declare(strict_types=1);
+
+namespace PhpList\RestBundle\Tests\System\Controller;
+
+use GuzzleHttp\Client;
+use PhpList\Core\TestingSupport\Traits\SymfonyServerTrait;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * Test for security headers
+ *
+ * @author Xheni Myrtaj <xheni@phplist.com>
+ */
+class SecuredViewHandlerTest extends TestCase
+{
+    use SymfonyServerTrait;
+
+    /**
+     * @var Client
+     */
+    private $httpClient = null;
+
+    protected function setUp()
+    {
+        $this->httpClient = new Client(['http_errors' => false]);
+    }
+
+    protected function tearDown()
+    {
+        $this->stopSymfonyServer();
+    }
+
+    /**
+     * @return string[][]
+     */
+    public function environmentDataProvider(): array
+    {
+        return [
+            'test' => ['test'],
+            'dev' => ['dev'],
+        ];
+    }
+
+    /**
+     * @test
+     * @param string $environment
+     * @dataProvider environmentDataProvider
+     */
+    public function testSecurityHeaders(string $environment)
+    {
+        $this->startSymfonyServer($environment);
+
+        $response = $this->httpClient->get(
+            '/api/v2/sessions',
+            ['base_uri' => $this->getBaseUrl()]
+        );
+        $expectedHeaders = [
+            'X-Content-Type-Options' => 'nosniff',
+            'Content-Security-Policy' => "default-src 'none'",
+            'X-Frame-Options' => 'DENY',
+        ];
+
+        foreach ($expectedHeaders as $key => $value) {
+            static::assertSame([$value], $response->getHeader($key));
+        }
+    }
+}