Class SecurityHeadersMiddleware

Handles common security headers in a convenient way

Properties summary

  • $headers (protected array): Security related headers to set

Method Detail

__invoke() public

__invoke(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Message\ResponseInterface $response, callable $next)

Serve assets if the path matches one.

Parameters

Psr\Http\Message\ServerRequestInterface $request
The request.
Psr\Http\Message\ResponseInterface $response
The response.
callable $next
Callback to invoke the next middleware.

Returns

Psr\Http\Message\ResponseInterface
A response
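The following is an added example, not code from the CakePHP API page: it invokes a configured middleware instance directly on a request/response pair and checks the headers the response carries afterwards, which is the quickest way to confirm a policy before deploying it. It assumes CakePHP's own PSR-7 classes (Cake\Http\ServerRequest and Cake\Http\Response); any ServerRequestInterface/ResponseInterface pair would do. The expected X-XSS-Protection value is the framework's expansion of the 'block' mode and is an assumption taken from the framework source, not something this page states.

```php
<?php
// Added example, not code from the CakePHP API page: invoke the middleware
// directly on a request/response pair and inspect the headers it adds.
// Assumes CakePHP's PSR-7 implementations (Cake\Http\ServerRequest and
// Cake\Http\Response); any ServerRequestInterface/ResponseInterface pair works.
require 'vendor/autoload.php';

use Cake\Http\Middleware\SecurityHeadersMiddleware;
use Cake\Http\Response;
use Cake\Http\ServerRequest;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

$middleware = (new SecurityHeadersMiddleware())
    ->noOpen()
    ->noSniff()
    ->setCrossDomainPolicy('none')
    ->setReferrerPolicy('same-origin')
    ->setXFrameOptions('deny')
    ->setXssProtection('block');

// Stand-in for the rest of the middleware queue (the $next callback):
// it produces the application response that the middleware decorates.
$next = function (ServerRequestInterface $request, ResponseInterface $response) {
    $response->getBody()->write('<h1>hello</h1>'); // constructed body
    return $response;
};

$response = $middleware(new ServerRequest(['url' => '/']), new Response(), $next);

// Header values the setters above are documented to produce. The
// X-XSS-Protection value is the framework's expansion of the 'block' mode
// (assumption taken from the framework source, not stated on this page).
$expected = [
    'X-Download-Options'                => 'noopen',
    'X-Content-Type-Options'            => 'nosniff',
    'X-Permitted-Cross-Domain-Policies' => 'none',
    'Referrer-Policy'                   => 'same-origin',
    'X-Frame-Options'                   => 'deny',
    'X-XSS-Protection'                  => '1; mode=block',
];

$failures = [];
foreach ($expected as $name => $value) {
    // PSR-7 header lookup is case-insensitive; compare the values the same way.
    $actual = $response->getHeaderLine($name);
    if (strcasecmp($actual, $value) !== 0) {
        $failures[] = sprintf('%s: got "%s", expected "%s"', $name, $actual, $value);
    }
}

if ($failures) {
    echo "Header check failed:\n  " . implode("\n  ", $failures) . "\n";
    exit(1);
}
echo "All security headers present.\n";
```

Because the headers are attached to whatever response $next returns, the same check works for a response produced by a real controller; swap the stand-in closure for the application's middleware queue and the assertions stay the same.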

checkValues() protected

checkValues(string $value, array $allowed)

Convenience method to check that a value is in the list of allowed values.

Parameters

string $value
Value to check
array $allowed
List of allowed values

Throws

InvalidArgumentException
Thrown when a value is invalid.

noOpen() public

noOpen()

Sets the X-Download-Options header to 'noopen'.

Returns

$this

Link

https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

noSniff() public

noSniff()

Sets the X-Content-Type-Options header to 'nosniff'.

Returns

$this

Link

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

setCrossDomainPolicy() public

setCrossDomainPolicy(string $policy = 'all')

Sets the X-Permitted-Cross-Domain-Policies header.

Parameters

string $policy optional, default 'all'
Policy value. Available values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'

Returns

$this

Link

https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

setReferrerPolicy() public

setReferrerPolicy(string $policy = 'same-origin')

Sets the Referrer-Policy header.

Parameters

string $policy optional, default 'same-origin'
Policy value. Available values: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'

Returns

$this

Link

https://w3c.github.io/webappsec-referrer-policy

setXFrameOptions() public

setXFrameOptions(string $option = 'sameorigin', string $url = null)

Sets the X-Frame-Options header.

Parameters

string $option optional, default 'sameorigin'
Option value. Available values: 'deny', 'sameorigin', 'allow-from'
string $url optional, default null
URL to use when $option is 'allow-from'

Returns

$this

Link

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

setXssProtection() public

setXssProtection(string $mode = 'block')

Sets the X-XSS-Protection header.

Parameters

string $mode optional, default 'block'
Mode value. Available values: '1', '0', 'block'

Returns

$this

Link

https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
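The setters above are meant to be chained when the middleware is registered in the application's middleware queue. The following is an added example, not code from the CakePHP API page or from the framework: it shows that wiring in a CakePHP 3 src/Application.php. The class and method names follow the standard application skeleton; the policy values chosen are this example's own, tightened from the documented defaults (in particular, the default 'all' for X-Permitted-Cross-Domain-Policies is the permissive setting, so 'none' is chosen explicitly).

```php
<?php
// Added example, not code from the CakePHP API page: register the middleware
// in the application's middleware queue (src/Application.php). Class and
// method names follow the CakePHP 3 application skeleton; the policy values
// are this example's own choices.
namespace App;

use Cake\Error\Middleware\ErrorHandlerMiddleware;
use Cake\Http\BaseApplication;
use Cake\Http\Middleware\SecurityHeadersMiddleware;
use Cake\Routing\Middleware\AssetMiddleware;
use Cake\Routing\Middleware\RoutingMiddleware;

class Application extends BaseApplication
{
    public function middleware($middlewareQueue)
    {
        $securityHeaders = (new SecurityHeadersMiddleware())
            ->setCrossDomainPolicy('none')     // no Flash/Acrobat cross-domain policy files honoured
            ->setReferrerPolicy('same-origin') // send Referer only to our own origin
            ->setXFrameOptions('deny')         // the site is never framed: defeats clickjacking
            ->setXssProtection('block')        // legacy browser XSS filter in blocking mode
            ->noOpen()                         // IE: downloads cannot be opened in the site's context
            ->noSniff();                       // no MIME sniffing away from Content-Type

        // Each setter validates its argument through checkValues(), so a typo
        // such as ->setXFrameOptions('denny') throws InvalidArgumentException
        // here, at boot, instead of emitting a header that browsers ignore.

        $middlewareQueue
            // The first middleware added runs outermost, so every response that
            // passes back through it, including the short-circuit asset and
            // error responses produced by the middleware below, leaves with the
            // headers set.
            ->add($securityHeaders)
            ->add(new ErrorHandlerMiddleware())
            ->add(new AssetMiddleware())
            ->add(new RoutingMiddleware());

        return $middlewareQueue;
    }
}
```

The ordering is the point worth checking in a review: if the security middleware is added after AssetMiddleware, static assets served by that middleware never reach it and are delivered without any of these headers.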

Properties detail

$headers

protected array

Security related headers to set.

Default: []

© 2005–2017 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/3.4/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html