Class SecurityHeadersMiddleware
Handles common security headers in a convenient way
Link: https://book.cakephp.org/3.0/en/controllers/middleware.html#security-header-middleware
Location: Http/Middleware/SecurityHeadersMiddleware.php
Constants summary
-
stringALL¶'all' -
stringALLOW_FROM¶'allow-from' -
stringBY_CONTENT_TYPE¶'by-content-type' -
stringBY_FTP_FILENAME¶'by-ftp-filename' -
stringDENY¶'deny' -
stringMASTER_ONLY¶'master-only' -
stringNONE¶'none' -
stringNOOPEN¶'noopen' -
stringNOSNIFF¶'nosniff' -
stringNO_REFERRER¶'no-referrer' -
stringNO_REFERRER_WHEN_DOWNGRADE¶'no-referrer-when-downgrade' -
stringORIGIN¶'origin' -
stringORIGIN_WHEN_CROSS_ORIGIN¶'origin-when-cross-origin' -
stringSAMEORIGIN¶'sameorigin' -
stringSAME_ORIGIN¶'same-origin' -
stringSTRICT_ORIGIN¶'strict-origin' -
stringSTRICT_ORIGIN_WHEN_CROSS_ORIGIN¶'strict-origin-when-cross-origin' -
stringUNSAFE_URL¶'unsafe-url' -
stringXSS_BLOCK¶'block' -
stringXSS_DISABLED¶'0' -
stringXSS_ENABLED¶'1' -
stringXSS_ENABLED_BLOCK¶'1; mode=block'
Properties summary
-
$headersprotectedarraySecurity related headers to set
Method Summary
-
__invoke() public
Serve assets if the path matches one. -
checkValues() protected
Convenience method to check if a value is in the list of allowed args -
noOpen() public
X-Download-Options -
noSniff() public
X-Content-Type-Options -
setCrossDomainPolicy() public
X-Permitted-Cross-Domain-Policies -
setReferrerPolicy() public
Referrer-Policy -
setXFrameOptions() public
X-Frame-Options -
setXssProtection() public
X-XSS-Protection
Method Detail
__invoke() public ¶
__invoke( Psr\Http\Message\ServerRequestInterface $request , Psr\Http\Message\ResponseInterface $response , callable $next )
Serve assets if the path matches one.
Parameters
- Psr\Http\Message\ServerRequestInterface $request
- The request.
- Psr\Http\Message\ResponseInterface $response
- The response.
- callable $next
- Callback to invoke the next middleware.
Returns
A response
checkValues() protected ¶
checkValues( string $value , array $allowed )
Convenience method to check if a value is in the list of allowed args
Parameters
- string $value
- Value to check
- array $allowed
- List of allowed values
Throws
Thrown when a value is invalid.
noOpen() public ¶
noOpen( )
X-Download-Options
Sets the header value for it to 'noopen'
Returns
$this
Link
noSniff() public ¶
noSniff( )
X-Content-Type-Options
Sets the header value for it to 'nosniff'
Returns
$this
Link
setCrossDomainPolicy() public ¶
setCrossDomainPolicy( string $policy = self::ALL )
X-Permitted-Cross-Domain-Policies
Parameters
- string $policy optional self::ALL
Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
Returns
$this
Link
setReferrerPolicy() public ¶
setReferrerPolicy( string $policy = self::SAME_ORIGIN )
Referrer-Policy
Parameters
- string $policy optional self::SAME_ORIGIN
Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
Returns
$this
Link
setXFrameOptions() public ¶
setXFrameOptions( string $option = self::SAMEORIGIN , string $url = null )
X-Frame-Options
Parameters
- string $option optional self::SAMEORIGIN
- Option value. Available Values: 'deny', 'sameorigin', 'allow-from
' - string $url optional null
- URL if mode is
allow-from
Returns
$this
Link
setXssProtection() public ¶
setXssProtection( string $mode = self::XSS_BLOCK )
X-XSS-Protection
Parameters
- string $mode optional self::XSS_BLOCK
- Mode value. Available Values: '1', '0', 'block'
Returns
$this