Class SecurityHeadersMiddleware
Handles common security headers in a convenient way
Properties summary
-
$headersprotectedSecurity related headers to setarray
Method Summary
- __invoke() publicServe assets if the path matches one.
- checkValues() protectedConvenience method to check if a value is in the list of allowed args
- noOpen() publicX-Download-Options
- noSniff() publicX-Content-Type-Options
- setCrossDomainPolicy() publicX-Permitted-Cross-Domain-Policies
- setReferrerPolicy() publicReferrer-Policy
- setXFrameOptions() publicX-Frame-Options
- setXssProtection() publicX-XSS-Protection
Method Detail
__invoke()source public
__invoke( Psr\Http\Message\ServerRequestInterface $request , Psr\Http\Message\ResponseInterface $response , callable $next )
Serve assets if the path matches one.
Parameters
- Psr\Http\Message\ServerRequestInterface
$request - The request.
- Psr\Http\Message\ResponseInterface
$response - The response.
- callable
$next - Callback to invoke the next middleware.
Returns
Psr\Http\Message\ResponseInterfaceA response
checkValues()source protected
checkValues( string $value , array $allowed )
Convenience method to check if a value is in the list of allowed args
Parameters
- string
$value - Value to check
- array
$allowed - List of allowed values
Throws
InvalidArgumentExceptionThrown when a value is invalid.
noOpen()source public
noOpen( )
X-Download-Options
Sets the header value for it to 'noopen'
Returns
$this
Link
https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspxnoSniff()source public
noSniff( )
X-Content-Type-Options
Sets the header value for it to 'nosniff'
Returns
$this
Link
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-OptionssetCrossDomainPolicy()source public
setCrossDomainPolicy( string $policy 'all' )
X-Permitted-Cross-Domain-Policies
Parameters
- string
$policyoptional 'all' - Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
Returns
$this
Link
https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.htmlsetReferrerPolicy()source public
setReferrerPolicy( string $policy 'same-origin' )
Referrer-Policy
Parameters
- string
$policyoptional 'same-origin' Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
Returns
$this
Link
https://w3c.github.io/webappsec-referrer-policysetXFrameOptions()source public
setXFrameOptions( string $option 'sameorigin' , string $url null )
X-Frame-Options
Parameters
- string
$optionoptional 'sameorigin' - Option value. Available Values: 'deny', 'sameorigin', 'allow-from
' - string
$urloptional null - URL if mode is
allow-from
Returns
$this
Link
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-OptionssetXssProtection()source public
setXssProtection( string $mode 'block' )
X-XSS-Protection
Parameters
- string
$modeoptional 'block' - Mode value. Available Values: '1', '0', 'block'
Returns
$this
Link
https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filterProperties detail
© 2005–2017 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/3.4/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html