Class SecurityHeadersMiddleware

Handles common security headers in a convenient way

Namespace: Cake\Http\Middleware

Constants summary

  • string
    ALL
    'all'
  • string
    ALLOW_FROM
    'allow-from'
  • string
    BY_CONTENT_TYPE
    'by-content-type'
  • string
    BY_FTP_FILENAME
    'by-ftp-filename'
  • string
    DENY
    'deny'
  • string
    MASTER_ONLY
    'master-only'
  • string
    NONE
    'none'
  • string
    NOOPEN
    'noopen'
  • string
    NOSNIFF
    'nosniff'
  • string
    NO_REFERRER
    'no-referrer'
  • string
    NO_REFERRER_WHEN_DOWNGRADE
    'no-referrer-when-downgrade'
  • string
    ORIGIN
    'origin'
  • string
    ORIGIN_WHEN_CROSS_ORIGIN
    'origin-when-cross-origin'
  • string
    SAMEORIGIN
    'sameorigin'
  • string
    SAME_ORIGIN
    'same-origin'
  • string
    STRICT_ORIGIN
    'strict-origin'
  • string
    STRICT_ORIGIN_WHEN_CROSS_ORIGIN
    'strict-origin-when-cross-origin'
  • string
    UNSAFE_URL
    'unsafe-url'
  • string
    XSS_BLOCK
    'block'
  • string
    XSS_DISABLED
    '0'
  • string
    XSS_ENABLED
    '1'
  • string
    XSS_ENABLED_BLOCK
    '1; mode=block'

Properties summary

  • $headers protected
    array

    Security related headers to set

Method Summary

Method Detail

checkValues() protected 

checkValues(string $value, array $allowed)

Convenience method to check if a value is in the list of allowed args

Parameters

string $value

Value to check

string[] $allowed

List of allowed values

Throws

InvalidArgumentException
Thrown when a value is invalid.

noOpen() public 

noOpen()

X-Download-Options

Sets the header value for it to 'noopen'

Returns

$this

Links

https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

noSniff() public 

noSniff()

X-Content-Type-Options

Sets the header value for it to 'nosniff'

Returns

$this

Links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

process() public 

process(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Server\RequestHandlerInterface $handler)

Serve assets if the path matches one.

Parameters

\Psr\Http\Message\ServerRequestInterface $request

The request.

\Psr\Http\Server\RequestHandlerInterface $handler

The request handler.

Returns

\Psr\Http\Message\ResponseInterface

A response.

setCrossDomainPolicy() public 

setCrossDomainPolicy(string $policy)

X-Permitted-Cross-Domain-Policies

Parameters

string $policy optional

Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'

Returns

$this

Links

https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

setReferrerPolicy() public 

setReferrerPolicy(string $policy)

Referrer-Policy

Parameters

string $policy optional

Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'

Returns

$this

Links

https://w3c.github.io/webappsec-referrer-policy

setXFrameOptions() public 

setXFrameOptions(string $option, ?string $url)

X-Frame-Options

Parameters

string $option optional

Option value. Available Values: 'deny', 'sameorigin', 'allow-from '

string $url optional

URL if mode is allow-from

Returns

$this

Links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

setXssProtection() public 

setXssProtection(string $mode)

X-XSS-Protection

Parameters

string $mode optional

Mode value. Available Values: '1', '0', 'block'

Returns

$this

Links

https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter

Property Detail

$headers protected

Security related headers to set

Type

array

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.1/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html