Class SecurityHeadersMiddleware
Handles common security headers in a convenient way
Link: https://book.cakephp.org/4/en/controllers/middleware.html#security-header-middleware
Constants
-
string
ALL ¶'all'
-
string
ALLOW_FROM ¶'allow-from'
-
string
BY_CONTENT_TYPE ¶'by-content-type'
-
string
BY_FTP_FILENAME ¶'by-ftp-filename'
-
string
DENY ¶'deny'
-
string
MASTER_ONLY ¶'master-only'
-
string
NONE ¶'none'
-
string
NOOPEN ¶'noopen'
-
string
NOSNIFF ¶'nosniff'
-
string
NO_REFERRER ¶'no-referrer'
-
string
NO_REFERRER_WHEN_DOWNGRADE ¶'no-referrer-when-downgrade'
-
string
ORIGIN ¶'origin'
-
string
ORIGIN_WHEN_CROSS_ORIGIN ¶'origin-when-cross-origin'
-
string
SAMEORIGIN ¶'sameorigin'
-
string
SAME_ORIGIN ¶'same-origin'
-
string
STRICT_ORIGIN ¶'strict-origin'
-
string
STRICT_ORIGIN_WHEN_CROSS_ORIGIN ¶'strict-origin-when-cross-origin'
-
string
UNSAFE_URL ¶'unsafe-url'
-
string
XSS_BLOCK ¶'block'
-
string
XSS_DISABLED ¶'0'
-
string
XSS_ENABLED ¶'1'
-
string
XSS_ENABLED_BLOCK ¶'1; mode=block'
Property Summary
-
$headers protected
array<string, mixed>
Security related headers to set
Method Summary
-
checkValues() protected
Convenience method to check if a value is in the list of allowed args
-
noOpen() public
X-Download-Options
-
noSniff() public
X-Content-Type-Options
-
process() public
Serve assets if the path matches one.
-
setCrossDomainPolicy() public
X-Permitted-Cross-Domain-Policies
-
setReferrerPolicy() public
Referrer-Policy
-
setXFrameOptions() public
X-Frame-Options
-
setXssProtection() public
X-XSS-Protection
Method Detail
checkValues() ¶ protected
checkValues(string $value, array<string> $allowed): void
Convenience method to check if a value is in the list of allowed args
Parameters
-
string
$value Value to check
-
array<string>
$allowed List of allowed values
Returns
void
Throws
InvalidArgumentException
Thrown when a value is invalid.
noOpen() ¶ public
noOpen(): $this
X-Download-Options
Sets the header value for it to 'noopen'
Returns
$this
Links
noSniff() ¶ public
noSniff(): $this
X-Content-Type-Options
Sets the header value for it to 'nosniff'
Returns
$this
Links
process() ¶ public
process(ServerRequestInterface $request, RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface
Serve assets if the path matches one.
Processes an incoming server request in order to produce a response. If unable to produce the response itself, it may delegate to the provided request handler to do so.
Parameters
-
ServerRequestInterface
$request The request.
-
RequestHandlerInterface
$handler The request handler.
Returns
Psr\Http\Message\ResponseInterface
setCrossDomainPolicy() ¶ public
setCrossDomainPolicy(string $policy = self::ALL): $this
X-Permitted-Cross-Domain-Policies
Parameters
-
string
$policy optional Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
Returns
$this
Links
setReferrerPolicy() ¶ public
setReferrerPolicy(string $policy = self::SAME_ORIGIN): $this
Referrer-Policy
Parameters
-
string
$policy optional Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
Returns
$this
Links
setXFrameOptions() ¶ public
setXFrameOptions(string $option = self::SAMEORIGIN, string|null $url = null): $this
X-Frame-Options
Parameters
-
string
$option optional Option value. Available Values: 'deny', 'sameorigin', 'allow-from
' -
string|null
$url optional URL if mode is
allow-from
Returns
$this
Links
setXssProtection() ¶ public
setXssProtection(string $mode = self::XSS_BLOCK): $this
X-XSS-Protection
Parameters
-
string
$mode optional Mode value. Available Values: '1', '0', 'block'
Returns
$this