Class SecurityHeadersMiddleware

Handles common security headers in a convenient way

Constants summary

  • string ALL = 'all'
  • string ALLOW_FROM = 'allow-from'
  • string BY_CONTENT_TYPE = 'by-content-type'
  • string BY_FTP_FILENAME = 'by-ftp-filename'
  • string DENY = 'deny'
  • string MASTER_ONLY = 'master-only'
  • string NONE = 'none'
  • string NOOPEN = 'noopen'
  • string NOSNIFF = 'nosniff'
  • string NO_REFERRER = 'no-referrer'
  • string NO_REFERRER_WHEN_DOWNGRADE = 'no-referrer-when-downgrade'
  • string ORIGIN = 'origin'
  • string ORIGIN_WHEN_CROSS_ORIGIN = 'origin-when-cross-origin'
  • string SAMEORIGIN = 'sameorigin'
  • string SAME_ORIGIN = 'same-origin'
  • string STRICT_ORIGIN = 'strict-origin'
  • string STRICT_ORIGIN_WHEN_CROSS_ORIGIN = 'strict-origin-when-cross-origin'
  • string UNSAFE_URL = 'unsafe-url'
  • string XSS_BLOCK = 'block'
  • string XSS_DISABLED = '0'
  • string XSS_ENABLED = '1'
  • string XSS_ENABLED_BLOCK = '1; mode=block'

Properties summary

  • $headers protected
    array

    Security related headers to set

Method Detail

checkValues() protected

checkValues(string $value, array $allowed)

Convenience method to check that a value is in the list of allowed values; used by the setters before a header value is stored.

Parameters

string $value

Value to check

string[] $allowed

List of allowed values

Throws

InvalidArgumentException
Thrown when a value is invalid.

noOpen() public

noOpen()

X-Download-Options

Sets the X-Download-Options header to 'noopen', which stops Internet Explorer from opening a downloaded file directly in the site's security context.

Returns

$this


noSniff() public

noSniff()

X-Content-Type-Options

Sets the X-Content-Type-Options header to 'nosniff', which tells browsers to honour the declared Content-Type instead of sniffing the body (for example, refusing to execute a text/plain response as script).

Returns

$this


process() public

process(\Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Server\RequestHandlerInterface $handler)

Invoke the next handler and add the configured security headers to the response it returns. The headers are applied to every response that passes back through this middleware, whatever produced it.

Parameters

\Psr\Http\Message\ServerRequestInterface $request

The request.

\Psr\Http\Server\RequestHandlerInterface $handler

The request handler.

Returns

\Psr\Http\Message\ResponseInterface

A response.
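How process() behaves, as an added example that is not taken from the page or from the CakePHP source: a PHPUnit test that runs the middleware against a constructed request with a stub PSR-15 handler, checks the headers on the resulting response, and checks that an invalid option is rejected. The test class and method names are hypothetical; the middleware constants and header names are the ones listed on this page.

```php
<?php
declare(strict_types=1);

namespace App\Test\TestCase\Middleware;

use Cake\Http\Middleware\SecurityHeadersMiddleware;
use Cake\Http\Response;
use Cake\Http\ServerRequest;
use Cake\TestSuite\TestCase;
use InvalidArgumentException;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;

// Hypothetical test class; the assertions reflect the documented header values.
class SecurityHeadersMiddlewareTest extends TestCase
{
    /** Stub handler standing in for the rest of the middleware queue. */
    private function handler(): RequestHandlerInterface
    {
        return new class implements RequestHandlerInterface {
            public function handle(ServerRequestInterface $request): ResponseInterface
            {
                // Constructed downstream response with no security headers of its own.
                return (new Response())->withStringBody('ok');
            }
        };
    }

    public function testHeadersAreAddedToTheDownstreamResponse(): void
    {
        $middleware = (new SecurityHeadersMiddleware())
            ->setXFrameOptions(SecurityHeadersMiddleware::DENY)
            ->setReferrerPolicy(SecurityHeadersMiddleware::STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            ->setCrossDomainPolicy(SecurityHeadersMiddleware::NONE)
            ->setXssProtection(SecurityHeadersMiddleware::XSS_BLOCK) // stored as '1; mode=block'
            ->noOpen()
            ->noSniff();

        // Constructed request; the middleware ignores its contents.
        $request = new ServerRequest(['url' => '/']);
        $response = $middleware->process($request, $this->handler());

        // Header names are case-insensitive; values are stored exactly as configured.
        $this->assertSame('deny', $response->getHeaderLine('X-Frame-Options'));
        $this->assertSame('strict-origin-when-cross-origin', $response->getHeaderLine('Referrer-Policy'));
        $this->assertSame('none', $response->getHeaderLine('X-Permitted-Cross-Domain-Policies'));
        $this->assertSame('1; mode=block', $response->getHeaderLine('X-XSS-Protection'));
        $this->assertSame('noopen', $response->getHeaderLine('X-Download-Options'));
        $this->assertSame('nosniff', $response->getHeaderLine('X-Content-Type-Options'));
        // The downstream body passes through untouched.
        $this->assertSame('ok', (string)$response->getBody());
    }

    public function testInvalidOptionIsRejectedAtConfigurationTime(): void
    {
        // checkValues() rejects anything outside the documented list, so a typo
        // fails when the middleware is built rather than silently emitting a bad header.
        $this->expectException(InvalidArgumentException::class);
        (new SecurityHeadersMiddleware())->setXFrameOptions('allow-all');
    }

    public function testAllowFromRequiresAUrl(): void
    {
        // 'allow-from' without a second argument has nothing to emit, so it is rejected too.
        $this->expectException(InvalidArgumentException::class);
        (new SecurityHeadersMiddleware())->setXFrameOptions(SecurityHeadersMiddleware::ALLOW_FROM);
    }
}
```

Because the headers are added on the way back out, the test only needs to assert on the returned response; nothing about the request influences which headers are set.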

setCrossDomainPolicy() public

setCrossDomainPolicy(string $policy)

X-Permitted-Cross-Domain-Policies

Parameters

string $policy optional

Policy value. Available values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'. This header tells Adobe Flash and Acrobat which cross-domain policy files (crossdomain.xml) they may honour for this origin; 'none' is the most restrictive and is the usual choice for a site that serves no Flash content.

Returns

$this


setReferrerPolicy() public

setReferrerPolicy(string $policy)

Referrer-Policy

Parameters

string $policy optional

Policy value. Available values: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'. 'unsafe-url' sends the full URL, including path and query string, to every destination, so it leaks anything sensitive carried in URLs.

Returns

$this


setXFrameOptions() public

setXFrameOptions(string $option, ?string $url)

X-Frame-Options

Parameters

string $option optional

Option value. Available values: 'deny', 'sameorigin', 'allow-from'. With 'allow-from' the header is emitted as 'allow-from <url>', so $url must be supplied, otherwise an InvalidArgumentException is thrown. Note that ALLOW-FROM is obsolete and is ignored by current browsers, which fall back to their own default and may allow framing; the Content-Security-Policy frame-ancestors directive is the supported way to permit a specific origin.

string $url optional

URL if mode is allow-from

Returns

$this


setXssProtection() public

setXssProtection(string $mode)

X-XSS-Protection

Parameters

string $mode optional

Mode value. Available values: '1', '0', 'block'. 'block' is stored as '1; mode=block'. X-XSS-Protection is a non-standard, deprecated header: current browsers have removed the XSS auditor it controlled, and the filtering mode ('1') has itself been abused to introduce cross-site information leaks. Setting '0' (disabled) or relying on a Content-Security-Policy is the usual recommendation today.

Returns

$this

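Wiring the setters described above into an application, as an added example that is not from the page or the CakePHP source: a src/Application.php middleware() method that builds the middleware with explicit, restrictive values and adds it to the queue. The class is a hypothetical application class; the constants are the ones listed on this page.

```php
<?php
declare(strict_types=1);

namespace App;

use Cake\Http\BaseApplication;
use Cake\Http\Middleware\SecurityHeadersMiddleware;
use Cake\Http\MiddlewareQueue;

// Hypothetical application class for the example.
class Application extends BaseApplication
{
    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    {
        $securityHeaders = (new SecurityHeadersMiddleware())
            // X-Permitted-Cross-Domain-Policies: no Flash/Acrobat policy files at all.
            ->setCrossDomainPolicy(SecurityHeadersMiddleware::NONE)
            // Referrer-Policy: origin only on cross-origin requests, nothing on HTTPS->HTTP downgrade.
            ->setReferrerPolicy(SecurityHeadersMiddleware::STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            // X-Frame-Options: refuse all framing (clickjacking defence).
            ->setXFrameOptions(SecurityHeadersMiddleware::DENY)
            // X-XSS-Protection: '0' turns the legacy auditor off in browsers that still have it.
            ->setXssProtection(SecurityHeadersMiddleware::XSS_DISABLED)
            // X-Download-Options: noopen
            ->noOpen()
            // X-Content-Type-Options: nosniff
            ->noSniff();

        // Add it before the middleware that can produce responses on its own
        // (error handler, asset serving) so that those responses get the headers too:
        // the queue runs in the order added, and headers are applied on the way back out.
        $middlewareQueue->add($securityHeaders);

        // ... ErrorHandlerMiddleware, AssetMiddleware, RoutingMiddleware, etc. follow here.

        return $middlewareQueue;
    }
}
```

Each setter validates its argument with checkValues() and throws InvalidArgumentException on an unknown value, so a misspelt option fails at boot rather than producing a malformed header in production. Content-Security-Policy and Strict-Transport-Security are not covered by this class and need to be set separately.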

Property Detail

$headers protected

Security related headers to set

Type

array

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.1/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html