Class SecurityHeadersMiddleware
Handles common security headers in a convenient way
Link: https://book.cakephp.org/3/en/controllers/middleware.html#security-header-middleware
Constants
-
stringALL ¶'all' -
stringALLOW_FROM ¶'allow-from' -
stringBY_CONTENT_TYPE ¶'by-content-type' -
stringBY_FTP_FILENAME ¶'by-ftp-filename' -
stringDENY ¶'deny' -
stringMASTER_ONLY ¶'master-only' -
stringNONE ¶'none' -
stringNOOPEN ¶'noopen' -
stringNOSNIFF ¶'nosniff' -
stringNO_REFERRER ¶'no-referrer' -
stringNO_REFERRER_WHEN_DOWNGRADE ¶'no-referrer-when-downgrade' -
stringORIGIN ¶'origin' -
stringORIGIN_WHEN_CROSS_ORIGIN ¶'origin-when-cross-origin' -
stringSAMEORIGIN ¶'sameorigin' -
stringSAME_ORIGIN ¶'same-origin' -
stringSTRICT_ORIGIN ¶'strict-origin' -
stringSTRICT_ORIGIN_WHEN_CROSS_ORIGIN ¶'strict-origin-when-cross-origin' -
stringUNSAFE_URL ¶'unsafe-url' -
stringXSS_BLOCK ¶'block' -
stringXSS_DISABLED ¶'0' -
stringXSS_ENABLED ¶'1' -
stringXSS_ENABLED_BLOCK ¶'1; mode=block'
Property Summary
-
$headers protected
arraySecurity related headers to set
Method Summary
-
__invoke() public
Serve assets if the path matches one.
-
checkValues() protected
Convenience method to check if a value is in the list of allowed args
-
noOpen() public
X-Download-Options
-
noSniff() public
X-Content-Type-Options
-
setCrossDomainPolicy() public
X-Permitted-Cross-Domain-Policies
-
setReferrerPolicy() public
Referrer-Policy
-
setXFrameOptions() public
X-Frame-Options
-
setXssProtection() public
X-XSS-Protection
Method Detail
__invoke() ¶ public
__invoke(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Message\ResponseInterface $response, callable $next): Psr\Http\Message\ResponseInterfaceServe assets if the path matches one.
Parameters
-
Psr\Http\Message\ServerRequestInterface$request The request.
-
Psr\Http\Message\ResponseInterface$response The response.
-
callable$next Callback to invoke the next middleware.
Returns
Psr\Http\Message\ResponseInterfacecheckValues() ¶ protected
checkValues(string $value, string[] $allowed): voidConvenience method to check if a value is in the list of allowed args
Parameters
-
string$value Value to check
-
string[]$allowed List of allowed values
Returns
voidThrows
InvalidArgumentExceptionThrown when a value is invalid.
noOpen() ¶ public
noOpen(): $thisX-Download-Options
Sets the header value for it to 'noopen'
Returns
$thisLinks
noSniff() ¶ public
noSniff(): $thisX-Content-Type-Options
Sets the header value for it to 'nosniff'
Returns
$thisLinks
setCrossDomainPolicy() ¶ public
setCrossDomainPolicy(string $policy = self::ALL): $thisX-Permitted-Cross-Domain-Policies
Parameters
-
string$policy optional Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
Returns
$thisLinks
setReferrerPolicy() ¶ public
setReferrerPolicy(string $policy = self::SAME_ORIGIN): $thisReferrer-Policy
Parameters
-
string$policy optional Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
Returns
$thisLinks
setXFrameOptions() ¶ public
setXFrameOptions(string $option = self::SAMEORIGIN, string $url = null): $thisX-Frame-Options
Parameters
-
string$option optional Option value. Available Values: 'deny', 'sameorigin', 'allow-from
' -
string$url optional URL if mode is
allow-from
Returns
$thisLinks
setXssProtection() ¶ public
setXssProtection(string $mode = self::XSS_BLOCK): $thisX-XSS-Protection
Parameters
-
string$mode optional Mode value. Available Values: '1', '0', 'block'
Returns
$this