silverstripe-framework/_config/requestprocessors.yml

127 lines
4.7 KiB
YAML
Raw Normal View History

---
Name: requestprocessors
---
SilverStripe\Core\Injector\Injector:
SilverStripe\Control\Director:
2022-12-07 22:44:47 +01:00
# Note: Don't add 'class' config here
properties:
Middlewares:
2017-07-21 12:17:18 +02:00
TrustedProxyMiddleware: '%$SilverStripe\Control\Middleware\TrustedProxyMiddleware'
AllowedHostsMiddleware: '%$SilverStripe\Control\Middleware\AllowedHostsMiddleware'
SessionMiddleware: '%$SilverStripe\Control\Middleware\SessionMiddleware'
FlushMiddleware: '%$SilverStripe\Control\Middleware\FlushMiddleware'
ChangeDetectionMiddleware: '%$SilverStripe\Control\Middleware\ChangeDetectionMiddleware'
2018-06-12 07:17:17 +02:00
HTTPCacheControleMiddleware: '%$SilverStripe\Control\Middleware\HTTPCacheControlMiddleware'
CanonicalURLMiddleware: '%$SilverStripe\Control\Middleware\CanonicalURLMiddleware'
SilverStripe\Control\Middleware\AllowedHostsMiddleware:
properties:
AllowedHosts: '`SS_ALLOWED_HOSTS`'
SilverStripe\Control\Middleware\TrustedProxyMiddleware:
properties:
TrustedProxyIPs: '`SS_TRUSTED_PROXY_IPS`'
2017-09-27 15:44:38 +02:00
SecurityRateLimitMiddleware:
class: SilverStripe\Control\Middleware\RateLimitMiddleware
properties:
ExtraKey: 'Security'
MaxAttempts: 10
Decay: 1
RateLimitedSecurityController:
class: SilverStripe\Control\Middleware\RequestHandlerMiddlewareAdapter
properties:
RequestHandler: '%$SilverStripe\Security\Security'
Middlewares:
2017-09-27 15:44:38 +02:00
- '%$SecurityRateLimitMiddleware'
---
Name: canonicalurls
---
SilverStripe\Core\Injector\Injector:
SilverStripe\Control\Middleware\CanonicalURLMiddleware:
properties:
ForceSSL: false
ForceWWW: false
---
Name: url_specials-middleware
After:
- 'requestprocessors'
- 'coresecurity'
---
SilverStripe\Core\Injector\Injector:
SilverStripe\Control\Director:
properties:
Middlewares:
URLSpecialsMiddleware: '%$SilverStripe\Control\Middleware\URLSpecialsMiddleware'
SilverStripe\Control\Middleware\URLSpecialsMiddleware:
class: SilverStripe\Control\Middleware\URLSpecialsMiddleware
properties:
ConfirmationStorageId: 'url-specials'
ConfirmationFormUrl: '/dev/confirm'
Bypasses:
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass("dev")'
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/confirm")'
EnforceAuthentication: true
AffectedPermissions:
- ADMIN
---
Name: dev_urls-confirmation-middleware
After:
- 'url_specials-middleware'
---
# This middleware enforces confirmation (CSRF protection) for all URLs
# that start with "dev/*", with the exception for "dev/build" which is handled
# by url_specials-middleware
# If you want to make exceptions for some URLs,
# see "dev_urls-confirmation-exceptions" config
SilverStripe\Core\Injector\Injector:
SilverStripe\Control\Director:
properties:
Middlewares:
DevUrlsConfirmationMiddleware: '%$DevUrlsConfirmationMiddleware'
DevUrlsConfirmationMiddleware:
2023-10-31 05:20:58 +01:00
class: SilverStripe\Control\Middleware\DevelopmentAdminConfirmationMiddleware
constructor:
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev")'
properties:
ConfirmationStorageId: 'dev-urls'
ConfirmationFormUrl: '/dev/confirm'
Bypasses:
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\EnvironmentBypass("dev")'
EnforceAuthentication: false
---
Name: dev_urls-confirmation-exceptions
After:
- 'dev_urls-confirmation-middleware'
---
# This config is the place to add custom bypasses for modules providing UIs
# on top of DevelopmentAdmin (dev/*)
# If the module has its own CSRF protection, the easiest way would be to
# simply add UrlPathStartswith with the path to the mount point.
# Example:
# # This will prevent confirmation for all URLs starting with "dev/custom-module-endpoint/"
# # WARNING: this won't prevent confirmation for "dev/custom-module-endpoint-suffix/"
# - '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/custom-module-endpoint")'
# If the module does not implement its own CSRF protection but exposes all
# dangerous effects through POST, then you could simply exclude GET and HEAD requests
# by using HttpMethodBypass("GET", "HEAD"). In that case GET/HEAD requests will not
# trigger confirmation redirects.
SilverStripe\Core\Injector\Injector:
DevUrlsConfirmationMiddleware:
properties:
Bypasses:
# The confirmation form is where people will be redirected for confirmation. We don't want to block it.
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\UrlPathStartswith("dev/confirm")'
# Allows GET requests to the dev index page
- '%$SilverStripe\Control\Middleware\ConfirmationMiddleware\Url("dev", ["GET", "HEAD"])'