From b9e04bfc4fac52ddd9d187da6cb12ef563b89c7d Mon Sep 17 00:00:00 2001
From: Alexandre Sadowski
Date: Thu, 7 Nov 2024 12:39:54 +0100
Subject: [PATCH 1/2] add http-headers default
---
default-http-headers.php | 133 +++++++++++++++++++++++++++++++++++++++
1 file changed, 133 insertions(+)
create mode 100644 default-http-headers.php
diff --git a/default-http-headers.php b/default-http-headers.php
new file mode 100644
index 0000000..9655382
--- /dev/null
+++ b/default-http-headers.php
@@ -0,0 +1,133 @@
+ 'nosniff',
+ * 'X-Frame-Options' => 'SAMEORIGIN',
+ * 'X-XSS-Protection' => '1; mode=block',
+ * 'Referrer-Policy' => 'no-referrer-when-downgrade',
+ * 'Permissions-Policy' => 'accelerometer=(), geolocation=(), fullscreen=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=()',
+ * ];**/
+
+ return wp_parse_args( $csp_headers_array, $custom_headers_array );
+}
+
+add_filter( 'wp_headers', __NAMESPACE__ . '\\wp_headers', 99 );
+
+/**
+ *
+ * Prepare CSP attribute values
+ *
+ * @param array $csp
+ *
+ * @return string
+ */
+function get_prepare_csp( array $csp ): string {
+ $csp_values = '';
+
+ if ( empty( $csp ) ) {
+ return $csp_values;
+ }
+
+ // Loop and not implode to add both key and value
+ foreach ( $csp as $key => $value ) {
+ if ( empty( $value ) ) {
+ continue;
+ }
+ $csp_values .= $key . ' ' . $value . '; ';
+ }
+
+ // Remove last space
+ return trim( $csp_values );
+}
+
+/**
+ * Generate CSP headers array
+ *
+ * @return array
+ * @author Alexandre Sadowski
+ */
+function get_csp_headers(): array {
+ $csp = [
+ 'default-src' => '\'self\'',
+ 'script-src' => '\'self\'',
+ 'style-src' => '\'self\'',
+ 'img-src' => '\'self\'',
+ 'font-src' => '\'self\'',
+ 'connect-src' => '\'self\'',
+ 'frame-src' => '\'self\'',
+ 'manifest-src' => '\'self\'',
+ 'worker-src' => '\'self\'',
+ 'object-src' => '\'none\'',
+ ];
+
+ if ( 'production' === WP_ENV ) {
+ //$csp = [];
+ }
+
+
+ return apply_filters( 'csp_headers', $csp );
+}
\ No newline at end of file
From 5704d635ff91772b63b66041386405cfb3b573e3 Mon Sep 17 00:00:00 2001
From: Alexandre Sadowski
Date: Thu, 7 Nov 2024 12:45:54 +0100
Subject: [PATCH 2/2] fix PHPCS
---
composer.json | 6 +++++-
default-http-headers.php | 8 +++-----
2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/composer.json b/composer.json
index 881f93f..b2b7b01 100644
--- a/composer.json
+++ b/composer.json
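Review bot: The policy built in `get_csp_headers` carries no `frame-ancestors`, `base-uri` or `form-action` directive, and since the `X-Frame-Options` entry sits only inside the commented-out `/** ... **/` block, nothing in the headers actually emitted restricts framing of the site as far as the visible lines show. Adding `'base-uri' => '\'self\'',`, `'form-action' => '\'self\'',` and `'frame-ancestors' => '\'self\'',` to `$csp` closes that gap without touching the other directives. The Report-Only variant selected by `CSP_REPORT_ONLY` (seen as context in the second patch) would also report to nowhere, because the array defines no `report-uri`/`report-to` directive. Separately, `apply_filters( 'csp_headers', $csp )` uses an unprefixed hook name that other plugins can collide with; a plugin-prefixed name is the usual WordPress convention. The opening lines of `wp_headers` fall outside the visible part of this hunk.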
@@ -14,7 +14,11 @@
 "config": {
 "optimize-autoloader": true,
 "preferred-install": { "*": "dist" },
- "sort-packages": true
+ "sort-packages": true,
+ "allow-plugins": {
+ "phpro/grumphp-shim": true,
+ "dealerdirect/phpcodesniffer-composer-installer": true
+ }
 },
 "require-dev": {
 "dealerdirect/phpcodesniffer-composer-installer": "v0.7.1",
diff --git a/default-http-headers.php b/default-http-headers.php
index 9655382..4050914 100644
--- a/default-http-headers.php
+++ b/default-http-headers.php
@@ -61,7 +61,6 @@ function wp_headers( array $headers ): array {
 $csp_header = defined( 'CSP_REPORT_ONLY' ) && CSP_REPORT_ONLY ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
 $csp_headers_array[ $csp_header ] = get_prepare_csp( $csp );
- $custom_headers_array = [];
 /**$custom_headers_array = [
@@ -124,10 +123,9 @@ function get_csp_headers(): array {
 'object-src' => '\'none\'',
 ];
- if ( 'production' === WP_ENV ) {
+ //if ( 'production' === WP_ENV ) {
 //$csp = [];
- }
-
+ //}
 return apply_filters( 'csp_headers', $csp );
-}
\ No newline at end of file
+}
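Review bot: Commenting out the `if ( 'production' === WP_ENV )` block in `get_csp_headers` satisfies PHPCS but leaves dead code in place; the three `//` lines should be deleted, or the guard kept with a real body if a production-specific policy is intended. The guarded statement was already a comment (`//$csp = []`), so behaviour does not change here, but re-enabling it as written would blank the policy in production, which is the opposite of what a default header file should do. If the guard is brought back it should test `defined( 'WP_ENV' )` first, since referencing an undefined constant is a fatal error on PHP 8. `get_csp_headers` opens before this hunk, and the first hunk of this file appears to drop only a blank line and needs no separate comment.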