CakePHP 3.10 Red Velvet API
Class SecurityHeadersMiddleware

Handles common security headers in a convenient way

Namespace: Cake\Http\Middleware
Link: https://book.cakephp.org/3/en/controllers/middleware.html#security-header-middleware

Constants

  • ALL (string): 'all'
  • ALLOW_FROM (string): 'allow-from'
  • BY_CONTENT_TYPE (string): 'by-content-type'
  • BY_FTP_FILENAME (string): 'by-ftp-filename'
  • DENY (string): 'deny'
  • MASTER_ONLY (string): 'master-only'
  • NONE (string): 'none'
  • NOOPEN (string): 'noopen'
  • NOSNIFF (string): 'nosniff'
  • NO_REFERRER (string): 'no-referrer'
  • NO_REFERRER_WHEN_DOWNGRADE (string): 'no-referrer-when-downgrade'
  • ORIGIN (string): 'origin'
  • ORIGIN_WHEN_CROSS_ORIGIN (string): 'origin-when-cross-origin'
  • SAMEORIGIN (string): 'sameorigin'
  • SAME_ORIGIN (string): 'same-origin'
  • STRICT_ORIGIN (string): 'strict-origin'
  • STRICT_ORIGIN_WHEN_CROSS_ORIGIN (string): 'strict-origin-when-cross-origin'
  • UNSAFE_URL (string): 'unsafe-url'
  • XSS_BLOCK (string): 'block'
  • XSS_DISABLED (string): '0'
  • XSS_ENABLED (string): '1'
  • XSS_ENABLED_BLOCK (string): '1; mode=block'

Property Summary

  • $headers protected (array)

    Security related headers to set

Method Summary

  • __invoke() public

    Adds the configured security headers to the response returned by the next middleware.

  • checkValues() protected

    Convenience method to check that a value is in the list of allowed values

  • noOpen() public

    X-Download-Options

  • noSniff() public

    X-Content-Type-Options

  • setCrossDomainPolicy() public

    X-Permitted-Cross-Domain-Policies

  • setReferrerPolicy() public

    Referrer-Policy

  • setXFrameOptions() public

    X-Frame-Options

  • setXssProtection() public

    X-XSS-Protection

Method Detail

__invoke() public

__invoke(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Message\ResponseInterface $response, callable $next): Psr\Http\Message\ResponseInterface

Invokes the next middleware and adds the configured security headers to the response it returns.

Parameters
Psr\Http\Message\ServerRequestInterface $request

The request.

Psr\Http\Message\ResponseInterface $response

The response.

callable $next

Callback to invoke the next middleware.

Returns
Psr\Http\Message\ResponseInterface

checkValues() protected

checkValues(string $value, string[] $allowed): void

Convenience method to check that a value is in the list of allowed values

Parameters
string $value

Value to check

string[] $allowed

List of allowed values

Returns
void
Throws
InvalidArgumentException
Thrown when a value is invalid.

noOpen() public

noOpen(): $this

X-Download-Options

Sets the header value to 'noopen'

Returns
$this
Links
https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

noSniff() public

noSniff(): $this

X-Content-Type-Options

Sets the header value to 'nosniff'

Returns
$this
Links
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

setCrossDomainPolicy() public

setCrossDomainPolicy(string $policy = self::ALL): $this

X-Permitted-Cross-Domain-Policies

Parameters
string $policy optional

Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'

Returns
$this
Links
https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

setReferrerPolicy() public

setReferrerPolicy(string $policy = self::SAME_ORIGIN): $this

Referrer-Policy

Parameters
string $policy optional

Policy value. Available Values: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'

Returns
$this
Links
https://w3c.github.io/webappsec-referrer-policy

setXFrameOptions() public

setXFrameOptions(string $option = self::SAMEORIGIN, string $url = null): $this

X-Frame-Options

Parameters
string $option optional

Option value. Available Values: 'deny', 'sameorigin', 'allow-from' (the URL for 'allow-from' is passed in $url)

string $url optional

URL if mode is allow-from

Returns
$this
Links
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

setXssProtection() public

setXssProtection(string $mode = self::XSS_BLOCK): $this

X-XSS-Protection

Parameters
string $mode optional

Mode value. Available Values: '1', '0', 'block'

Returns
$this
Links
https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
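The fluent configuration described by the methods above, as an added example that is not part of the CakePHP documentation or source. It assumes a CakePHP 3.x install with Composer autoloading and drives the middleware directly with the framework's own ServerRequest and Response classes, the way a unit test would.

```php
<?php
// Added example (not CakePHP's own code). Assumes a CakePHP 3.x Composer install.
require 'vendor/autoload.php';

use Cake\Http\Middleware\SecurityHeadersMiddleware;
use Cake\Http\Response;
use Cake\Http\ServerRequest;

// Pick every value explicitly. The documented defaults are worth knowing:
// setCrossDomainPolicy() with no argument emits 'all', which permits cross-domain
// loading by Flash/PDF clients, so 'none' is the safer choice when that is not needed.
$securityHeaders = (new SecurityHeadersMiddleware())
    ->setCrossDomainPolicy(SecurityHeadersMiddleware::NONE)
    ->setReferrerPolicy(SecurityHeadersMiddleware::STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
    ->setXFrameOptions(SecurityHeadersMiddleware::DENY)
    ->setXssProtection(SecurityHeadersMiddleware::XSS_BLOCK)
    ->noOpen()
    ->noSniff();

// In an application the object is registered in src/Application.php, e.g.
//   public function middleware($middlewareQueue) { return $middlewareQueue->add($securityHeaders); }

// Invoke the middleware directly: $next stands in for the rest of the stack and
// simply returns the response it is handed, so only this middleware's headers appear.
$request  = new ServerRequest(['url' => '/']);
$response = new Response();
$next     = function ($req, $res) {
    return $res;
};

$result = $securityHeaders($request, $response, $next);

foreach ([
    'X-Permitted-Cross-Domain-Policies', 'Referrer-Policy', 'X-Frame-Options',
    'X-XSS-Protection', 'X-Download-Options', 'X-Content-Type-Options',
] as $name) {
    printf("%s: %s\n", $name, $result->getHeaderLine($name));
}

// checkValues() rejects anything outside the documented lists, so a typo fails at
// configuration time instead of silently emitting a header value browsers ignore.
try {
    (new SecurityHeadersMiddleware())->setXFrameOptions('denied');
} catch (\InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . "\n";
}
```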

Property Detail

$headers protected

Security related headers to set

Type
array
Generated using CakePHP API Docs