Class SecurityHeadersMiddleware

Handles common security headers in a convenient way

Namespace: Cake\Http\Middleware
Link: https://book.cakephp.org/3.0/en/controllers/middleware.html#security-header-middleware
Location: Http/Middleware/SecurityHeadersMiddleware.php

Constants summary

string

ALL

'all'
string

ALLOW_FROM

'allow-from'
string

BY_CONTENT_TYPE

'by-content-type'
string

BY_FTP_FILENAME

'by-ftp-filename'
string

DENY

'deny'
string

MASTER_ONLY

'master-only'
string

NONE

'none'
string

NOOPEN

'noopen'
string

NOSNIFF

'nosniff'
string

NO_REFERRER

'no-referrer'
string

NO_REFERRER_WHEN_DOWNGRADE

'no-referrer-when-downgrade'
string

ORIGIN

'origin'
string

ORIGIN_WHEN_CROSS_ORIGIN

'origin-when-cross-origin'
string

SAMEORIGIN

'sameorigin'
string

SAME_ORIGIN

'same-origin'
string

STRICT_ORIGIN

'strict-origin'
string

STRICT_ORIGIN_WHEN_CROSS_ORIGIN

'strict-origin-when-cross-origin'
string

UNSAFE_URL

'unsafe-url'
string

XSS_BLOCK

'block'
string

XSS_DISABLED

'0'
string

XSS_ENABLED

'1'
string

XSS_ENABLED_BLOCK

'1; mode=block'

Properties summary

$headers protected

array
Security related headers to set

Method Summary

__invoke() public
Serve assets if the path matches one.
checkValues() protected
Convenience method to check if a value is in the list of allowed args
noOpen() public
X-Download-Options
noSniff() public
X-Content-Type-Options
setCrossDomainPolicy() public
X-Permitted-Cross-Domain-Policies
setReferrerPolicy() public
Referrer-Policy
setXFrameOptions() public
X-Frame-Options
setXssProtection() public
X-XSS-Protection

Method Detail

__invoke()source public

__invoke( Psr\Http\Message\ServerRequestInterface $request , Psr\Http\Message\ResponseInterface $response , callable $next )

Serve assets if the path matches one.

Parameters

Psr\Http\Message\ServerRequestInterface $request: The request.
Psr\Http\Message\ResponseInterface $response: The response.
callable $next: Callback to invoke the next middleware.

Returns

Psr\Http\Message\ResponseInterface
A response

checkValues()source protected

checkValues( string $value , array $allowed )

Convenience method to check if a value is in the list of allowed args

Parameters

string $value: Value to check
array $allowed: List of allowed values

Throws

InvalidArgumentException
Thrown when a value is invalid.

noOpen()source public

noOpen( )

X-Download-Options

Sets the header value for it to 'noopen'

Returns

$this

Link

https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

noSniff()source public

noSniff( )

X-Content-Type-Options

Sets the header value for it to 'nosniff'

Returns

$this

Link

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

setCrossDomainPolicy()source public

setCrossDomainPolicy( string $policy = self::ALL )

X-Permitted-Cross-Domain-Policies

Parameters

string $policy optional self::ALL: Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'

Returns

$this

Link

https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

setReferrerPolicy()source public

setReferrerPolicy( string $policy = self::SAME_ORIGIN )

Referrer-Policy

Parameters

string $policy optional self::SAME_ORIGIN: Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'

Returns

$this

Link

https://w3c.github.io/webappsec-referrer-policy

setXFrameOptions()source public

setXFrameOptions( string $option = self::SAMEORIGIN , string $url = null )

X-Frame-Options

Parameters

string $option optional self::SAMEORIGIN: Option value. Available Values: 'deny', 'sameorigin', 'allow-from '
string $url optional null: URL if mode is allow-from

Returns

$this

Link

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

setXssProtection()source public

setXssProtection( string $mode = self::XSS_BLOCK )

X-XSS-Protection

Parameters

string $mode optional self::XSS_BLOCK: Mode value. Available Values: '1', '0', 'block'

Returns

$this

Link

https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter

Properties detail

$headerssource

protected array

Security related headers to set

[]

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/3.7/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html