-
Notifications
You must be signed in to change notification settings - Fork 821
/
requestprocessors.yml
128 lines (115 loc) · 4.89 KB
/
requestprocessors.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
---
Name: requestprocessors
---
SilverStripe\Core\Injector\Injector:
SilverStripe\Control\Director:
# Note: Don't add 'class' config here
properties:
Middlewares:
TrustedProxyMiddleware: '%$SilverStripe\Control\Middleware\TrustedProxyMiddleware'
AllowedHostsMiddleware: '%$SilverStripe\Control\Middleware\AllowedHostsMiddleware'
SessionMiddleware: '%$SilverStripe\Control\Middleware\SessionMiddleware'
FlushMiddleware: '%$SilverStripe\Control\Middleware\FlushMiddleware'
ChangeDetectionMiddleware: '%$SilverStripe\Control\Middleware\ChangeDetectionMiddleware'
HTTPCacheControleMiddleware: '%$SilverStripe\Control\Middleware\HTTPCacheControlMiddleware'
CanonicalURLMiddleware: '%$SilverStripe\Control\Middleware\CanonicalURLMiddleware'
SilverStripe\Control\Middleware\AllowedHostsMiddleware:
properties:
AllowedHosts: '`SS_ALLOWED_HOSTS`'
SilverStripe\Control\Middleware\TrustedProxyMiddleware:
properties:
TrustedProxyIPs: '`SS_TRUSTED_PROXY_IPS`'
SecurityRateLimitMiddleware:
class: SilverStripe\Control\Middleware\RateLimitMiddleware
properties:
ExtraKey: 'Security'
MaxAttempts: 10
Decay: 1
RateLimitedSecurityController:
class: SilverStripe\Control\Middleware\RequestHandlerMiddlewareAdapter
properties:
RequestHandler: '%$SilverStripe\Security\Security'
Middlewares:
- '%$SecurityRateLimitMiddleware'
---
Name: canonicalurls
---
SilverStripe\Core\Injector\Injector:
SilverStripe\Control\Middleware\CanonicalURLMiddleware:
properties:
ForceSSL: false
ForceWWW: false
---
Name: url_specials-middleware
After:
- 'requestprocessors'
- 'coresecurity'
---
SilverStripe\Core\Injector\Injector:
SilverStripe\Control\Director:
properties:
Middlewares:
URLSpecialsMiddleware: '%$SilverStripe\Control\Middleware\URLSpecialsMiddleware'
SilverStripe\Control\Middleware\URLSpecialsMiddleware:
class: SilverStripe\Control\Middleware\URLSpecialsMiddleware
properties:
ConfirmationStorageId: 'url-specials'
ConfirmationFormUrl: '/dev/confirm'
Bypasses:
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\CliBypass'
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass("dev")'
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/confirm")'
EnforceAuthentication: true
AffectedPermissions:
- ADMIN
---
Name: dev_urls-confirmation-middleware
After:
- 'url_specials-middleware'
---
# This middleware enforces confirmation (CSRF protection) for all URLs
# that start with "dev/*", with the exception for "dev/build" which is handled
# by url_specials-middleware
# If you want to make exceptions for some URLs,
# see "dev_urls-confirmation-exceptions" config
SilverStripe\Core\Injector\Injector:
SilverStripe\Control\Director:
properties:
Middlewares:
DevUrlsConfirmationMiddleware: '%$DevUrlsConfirmationMiddleware'
DevUrlsConfirmationMiddleware:
class: SilverStripe\Control\Middleware\DevelopmentAdminConfirmationMiddleware
constructor:
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev")'
properties:
ConfirmationStorageId: 'dev-urls'
ConfirmationFormUrl: '/dev/confirm'
Bypasses:
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\CliBypass'
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass("dev")'
EnforceAuthentication: false
---
Name: dev_urls-confirmation-exceptions
After:
- 'dev_urls-confirmation-middleware'
---
# This config is the place to add custom bypasses for modules providing UIs
# on top of DevelopmentAdmin (dev/*)
# If the module has its own CSRF protection, the easiest way would be to
# simply add UrlPathStartswith with the path to the mount point.
# Example:
# # This will prevent confirmation for all URLs starting with "dev/custom-module-endpoint/"
# # WARNING: this won't prevent confirmation for "dev/custom-module-endpoint-suffix/"
# - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/custom-module-endpoint")'
# If the module does not implement its own CSRF protection but exposes all
# dangerous effects through POST, then you could simply exclude GET and HEAD requests
# by using HttpMethodBypass("GET", "HEAD"). In that case GET/HEAD requests will not
# trigger confirmation redirects.
SilverStripe\Core\Injector\Injector:
DevUrlsConfirmationMiddleware:
properties:
Bypasses:
# The confirmation form is where people will be redirected for confirmation. We don't want to block it.
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/confirm")'
# Allows GET requests to the dev index page
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\Url("dev", ["GET", "HEAD"])'