Class SecurityHeadersMiddleware

Handles common security headers in a convenient way

Namespace: Cake\Http\Middleware
Link: https://book.cakephp.org/5/en/controllers/middleware.html#security-header-middleware

Constants

string

ALL ¶
```
'all'
```
string

ALLOW_FROM ¶
```
'allow-from'
```
string

BY_CONTENT_TYPE ¶
```
'by-content-type'
```
string

BY_FTP_FILENAME ¶
```
'by-ftp-filename'
```
string

DENY ¶
```
'deny'
```
string

MASTER_ONLY ¶
```
'master-only'
```
string

NONE ¶
```
'none'
```
string

NOOPEN ¶
```
'noopen'
```
string

NOSNIFF ¶
```
'nosniff'
```
string

NO_REFERRER ¶
```
'no-referrer'
```
string

NO_REFERRER_WHEN_DOWNGRADE ¶
```
'no-referrer-when-downgrade'
```
string

ORIGIN ¶
```
'origin'
```
string

ORIGIN_WHEN_CROSS_ORIGIN ¶
```
'origin-when-cross-origin'
```
string

SAMEORIGIN ¶
```
'sameorigin'
```
string

SAME_ORIGIN ¶
```
'same-origin'
```
string

STRICT_ORIGIN ¶
```
'strict-origin'
```
string

STRICT_ORIGIN_WHEN_CROSS_ORIGIN ¶
```
'strict-origin-when-cross-origin'
```
string

UNSAFE_URL ¶
```
'unsafe-url'
```
string

XSS_BLOCK ¶
```
'block'
```
string

XSS_DISABLED ¶
```
'0'
```
string

XSS_ENABLED ¶
```
'1'
```
string

XSS_ENABLED_BLOCK ¶
```
'1; mode=block'
```

Property Summary

$headers protected

array<string, mixed>

Security related headers to set

Method Summary

checkValues() protected

Convenience method to check if a value is in the list of allowed args
noOpen() public

X-Download-Options
noSniff() public

X-Content-Type-Options
process() public

Serve assets if the path matches one.
setCrossDomainPolicy() public

X-Permitted-Cross-Domain-Policies
setPermissionsPolicy() public

Permissions Policy
setReferrerPolicy() public

Referrer-Policy
setXFrameOptions() public

X-Frame-Options
setXssProtection() public

X-XSS-Protection. It's a non standard feature and outdated. For modern browsers use a strong Content-Security-Policy that disables the use of inline JavaScript via 'unsafe-inline' option.

Method Detail

checkValues() ¶ protected

checkValues(string $value, list<string> $allowed): void

Convenience method to check if a value is in the list of allowed args

Parameters

string $value: Value to check
list<string> $allowed: List of allowed values

Returns

void

Throws

InvalidArgumentException
Thrown when a value is invalid.

noOpen() ¶ public

noOpen(): $this

X-Download-Options

Sets the header value for it to 'noopen'

Returns

$this

Links

https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

noSniff() ¶ public

noSniff(): $this

X-Content-Type-Options

Sets the header value for it to 'nosniff'

Returns

$this

Links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

process() ¶ public

process(ServerRequestInterface $request, RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface

Serve assets if the path matches one.

Processes an incoming server request in order to produce a response. If unable to produce the response itself, it may delegate to the provided request handler to do so.

Parameters

ServerRequestInterface $request: The request.
RequestHandlerInterface $handler: The request handler.

Returns

Psr\Http\Message\ResponseInterface

setCrossDomainPolicy() ¶ public

setCrossDomainPolicy(string $policy = self::ALL): $this

X-Permitted-Cross-Domain-Policies

Parameters

string $policy optional: Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'

Returns

$this

Links

https://web.archive.org/web/20170607190356/https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

setPermissionsPolicy() ¶ public

setPermissionsPolicy(string $policy): $this

Permissions Policy

Parameters

string $policy: Policy value.

Returns

$this

Links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Permissions_Policy

https://www.w3.org/TR/permissions-policy/

setReferrerPolicy() ¶ public

setReferrerPolicy(string $policy = self::SAME_ORIGIN): $this

Referrer-Policy

Parameters

string $policy optional: Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'

Returns

$this

Links

https://w3c.github.io/webappsec-referrer-policy

setXFrameOptions() ¶ public

setXFrameOptions(string $option = self::SAMEORIGIN, string|null $url = null): $this

X-Frame-Options

Parameters

string $option optional: Option value. Available Values: 'deny', 'sameorigin', 'allow-from '
string|null $url optional: URL if mode is allow-from

Returns

$this

Links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

setXssProtection() ¶ public

setXssProtection(string $mode = self::XSS_BLOCK): $this

X-XSS-Protection. It's a non standard feature and outdated. For modern browsers use a strong Content-Security-Policy that disables the use of inline JavaScript via 'unsafe-inline' option.

Parameters

string $mode optional: Mode value. Available Values: '1', '0', 'block'

Returns

$this

Links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Property Detail

`$headers` ¶ protected

Security related headers to set

Type

array<string, mixed>

Namespaces

Class SecurityHeadersMiddleware

Constants

Property Summary

Method Summary

checkValues() protected

noOpen() public

noSniff() public

process() public

setCrossDomainPolicy() public

setPermissionsPolicy() public

setReferrerPolicy() public

setXFrameOptions() public

setXssProtection() public

Method Detail

checkValues() ¶ protected

Parameters

Returns

Throws

noOpen() ¶ public

Returns

Links

noSniff() ¶ public

Returns

Links

process() ¶ public

Parameters

Returns

setCrossDomainPolicy() ¶ public

Parameters

Returns

Links

setPermissionsPolicy() ¶ public

Parameters

Returns

Links

setReferrerPolicy() ¶ public

Parameters

Returns

Links

setXFrameOptions() ¶ public

Parameters

Returns

Links

setXssProtection() ¶ public

Parameters

Returns

Links

Property Detail

$headers ¶ protected

Type

`$headers` ¶ protected