You are here

public function AddHTTPHeadersSettings::buildForm in HTTP Response Headers 8

Form constructor.

Parameters

array $form: An associative array containing the structure of the form.

\Drupal\Core\Form\FormStateInterface $form_state: The current state of the form.

Return value

array The form structure.

Overrides ConfigFormBase::buildForm

File

src/Form/AddHTTPHeadersSettings.php, line 37
Contains \Drupal\http_response_headers\Form\AddHTTPHeadersSettings.

Class

AddHTTPHeadersSettings
Configure site information settings for this site.

Namespace

Drupal\http_response_headers\Form

Code

public function buildForm(array $form, FormStateInterface $form_state) {
  $config = \Drupal::config('http_response_headers.settings');
  $security = $config
    ->get('security');
  $performance = $config
    ->get('performance');
  $form['config'] = [
    '#type' => 'vertical_tabs',
  ];
  $form['security'] = [
    '#type' => 'details',
    '#title' => t('Security'),
    '#group' => 'config',
  ];
  $form['security']['Content-Security-Policy'] = [
    '#type' => 'textarea',
    '#title' => $this
      ->t('Content-Security-Policy'),
    '#default_value' => !empty($security['Content-Security-Policy']) ? $security['Content-Security-Policy'] : '',
    '#description' => $this
      ->t("This HTTP header parameter allows you to define a whitelist of approved sources of content for your site. By restricting the assets that a browser can load for your site you will have extra level of protection from XSS attacks."),
    '#attributes' => [
      'placeholder' => "Example: default-src 'self';",
    ],
  ];
  $form['security']['Strict-Transport-Security'] = [
    '#type' => 'textfield',
    '#title' => $this
      ->t('Strict-Transport-Security'),
    '#default_value' => !empty($security['Strict-Transport-Security']) ? $security['Strict-Transport-Security'] : '',
    '#description' => $this
      ->t('This policy will enforce TLS on your site and all subdomains for a year.'),
    '#attributes' => [
      'placeholder' => 'Example: max-age=31536000; includeSubDomains',
    ],
  ];
  $form['security']['Public-Key-Pins'] = [
    '#type' => 'textfield',
    '#title' => $this
      ->t('Public-Key-Pins'),
    '#default_value' => !empty($security['Public-Key-Pins']) ? $security['Public-Key-Pins'] : '',
    '#description' => $this
      ->t('HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent Man in the Middle (MITM) attacks with forged certificates.'),
    '#attributes' => [
      'placeholder' => '',
    ],
  ];
  $form['security']['Access-Control-Allow-Origin'] = [
    '#type' => 'textfield',
    '#title' => $this
      ->t('Access-Control-Allow-Origin'),
    '#default_value' => !empty($security['Access-Control-Allow-Origin']) ? $security['Access-Control-Allow-Origin'] : '',
    '#description' => $this
      ->t("Access-Control-Allow-Origin is apart of the Cross Origin Resource Sharing (CORS) specification. This header is used to determine which sites are allowed to access the resource by defining either a single origin or all sites (denoted by a wildcard value)."),
    '#attributes' => [
      'placeholder' => 'Example: *',
    ],
  ];
  $form['security']['X-Xss-Protection'] = [
    '#type' => 'textfield',
    '#title' => $this
      ->t('X-Xss-Protection'),
    '#default_value' => !empty($security['X-Xss-Protection']) ? $security['X-Xss-Protection'] : '',
    '#description' => $this
      ->t("This response header can be used to configure a user-agent's built in reflective XSS protection. Currently, only Microsoft's Internet Explorer, Google Chrome and Safari (WebKit) support this header."),
    '#attributes' => [
      'placeholder' => 'Example: 1; mode=block',
    ],
  ];
  $form['security']['X-Frame-Options'] = [
    '#type' => 'textfield',
    '#title' => $this
      ->t('X-Frame-Options'),
    '#default_value' => !empty($security['X-Frame-Options']) ? $security['X-Frame-Options'] : '',
    '#description' => $this
      ->t("Clickjacking protection. Valid values include <em>DENY</em> meaning your site can't be framed, <em>SAMEORIGIN</em> which allows you to frame your own site or <em>ALLOW-FROM https://example.com/</em> which lets you specify sites that are permitted to frame your own site."),
    '#attributes' => [
      'placeholder' => 'Example: SAMEORIGIN',
    ],
  ];
  $form['security']['X-Content-Type-Options'] = [
    '#type' => 'textfield',
    '#title' => $this
      ->t('X-Content-Type-Options'),
    '#default_value' => !empty($security['X-Content-Type-Options']) ? $security['X-Content-Type-Options'] : '',
    '#description' => $this
      ->t('This header parameter prevents Google Chrome and Internet Explorer from trying to mime-sniff the content-type of a response away from the one being declared by the server.'),
    '#attributes' => [
      'placeholder' => 'Example: nosniff',
    ],
  ];
  $form['performance'] = [
    '#type' => 'details',
    '#title' => t('Performance'),
    '#group' => 'config',
  ];
  $form['performance']['Cache-Control'] = [
    '#type' => 'textfield',
    '#title' => $this
      ->t('Cache-Control'),
    '#default_value' => !empty($performance['Cache-Control']) ? $performance['Cache-Control'] : '',
    '#description' => $this
      ->t('<strong>Drupal already adds this. This is just an example and overriding this might hurt your website performance</strong>. The Cache-Control header is the most important header to set as it effectively ‘switches on’ caching in the browser. With this header in place, and set with a value that enables caching, the browser will cache the file for as long as specified. Without this header the browser will re-request the file on each subsequent request.'),
    '#attributes' => [
      'placeholder' => 'Example: max-age=900, public',
    ],
  ];
  $form['performance']['authenticated_only'] = [
    '#type' => 'checkbox',
    '#title' => $this
      ->t('Apply performance headers to authenticated users only. Disabled for all users if unchecked.'),
    '#default_value' => !empty($performance['authenticated_only']) ? $performance['authenticated_only'] : TRUE,
  ];
  $form['info'] = [
    '#markup' => 'Please read my blog post about each HTTP parameter. I would also recommend to read articles from the Useful links section in my blog post: <a href="https://www.chapterthree.com/blog/how-to-secure-drupal-http-headers" target="_blank">How to Secure Drupal HTTP Headers</a>',
  ];
  return parent::buildForm($form, $form_state);
}