Class SecurityHeadersMiddleware
Handles common security headers in a convenient way
Link: https://book.cakephp.org/3.0/en/controllers/middleware.html#security-header-middleware
Location: Http/Middleware/SecurityHeadersMiddleware.php
Constants summary
- string 'all'
- string 'allow-from'
- string 'by-content-type'
- string 'by-ftp-filename'
- string 'deny'
- string 'master-only'
- string 'none'
- string 'noopen'
- string 'nosniff'
- string 'no-referrer'
- string 'no-referrer-when-downgrade'
- string 'origin'
- string 'origin-when-cross-origin'
- string 'sameorigin'
- string 'same-origin'
- string 'strict-origin'
- string 'strict-origin-when-cross-origin'
- string 'unsafe-url'
- string 'block'
- string '0'
- string '1'
- string '1; mode=block'
Properties summary
- $headers (protected array): Security related headers to set
Method Summary
- __invoke() public: Serve assets if the path matches one.
- checkValues() protected: Convenience method to check if a value is in the list of allowed args
- noOpen() public: X-Download-Options
- noSniff() public: X-Content-Type-Options
- setCrossDomainPolicy() public: X-Permitted-Cross-Domain-Policies
- setReferrerPolicy() public: Referrer-Policy
- setXFrameOptions() public: X-Frame-Options
- setXssProtection() public: X-XSS-Protection
Method Detail
__invoke() public
__invoke( Psr\Http\Message\ServerRequestInterface $request , Psr\Http\Message\ResponseInterface $response , callable $next )
Serve assets if the path matches one.
Parameters
- Psr\Http\Message\ServerRequestInterface $request: The request.
- Psr\Http\Message\ResponseInterface $response: The response.
- callable $next: Callback to invoke the next middleware.
Returns
A response
checkValues() protected
checkValues( string $value , array $allowed )
Convenience method to check if a value is in the list of allowed args
Parameters
- string $value: Value to check
- array $allowed: List of allowed values
Throws
Thrown when a value is invalid.
noOpen() public
noOpen( )
X-Download-Options
Sets the header value for it to 'noopen'
Returns
$this
noSniff() public
noSniff( )
X-Content-Type-Options
Sets the header value for it to 'nosniff'
Returns
$this
setCrossDomainPolicy() public
setCrossDomainPolicy( string $policy = self::ALL )
X-Permitted-Cross-Domain-Policies
Parameters
- string $policy optional, default self::ALL: Policy value. Available values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
Returns
$this
setReferrerPolicy() public
setReferrerPolicy( string $policy = self::SAME_ORIGIN )
Referrer-Policy
Parameters
- string $policy optional, default self::SAME_ORIGIN: Policy value. Available values: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
Returns
$this
setXFrameOptions() public
setXFrameOptions( string $option = self::SAMEORIGIN , string $url = null )
X-Frame-Options
Parameters
- string $option optional, default self::SAMEORIGIN: Option value. Available values: 'deny', 'sameorigin', 'allow-from'
- string $url optional, default null: URL if mode is 'allow-from'
Returns
$this
setXssProtection() public
setXssProtection( string $mode = self::XSS_BLOCK )
X-XSS-Protection
Parameters
- string $mode optional, default self::XSS_BLOCK: Mode value. Available values: '1', '0', 'block'
Returns
$this
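The following is an added usage example, not code from this page or from CakePHP itself. It shows how the methods above are chained to register the middleware in a CakePHP 3.x application's src/Application.php, and what each header protects against. Every header value is one of the constant values listed on this page; the App namespace, the Application class, the middleware() hook and the Cake\Http\MiddlewareQueue class are standard CakePHP 3.x conventions assumed here. The validation helper at the bottom assumes that checkValues() throws a \InvalidArgumentException (the page says only that an exception is thrown when a value is invalid).

```php
<?php
// Added example for the CakePHP 3.x SecurityHeadersMiddleware API documented
// above. Not part of the CakePHP project; the layout (src/Application.php with a
// middleware() hook receiving a MiddlewareQueue) is the standard 3.x skeleton.
namespace App;

use Cake\Http\BaseApplication;
use Cake\Http\MiddlewareQueue;
use Cake\Http\Middleware\SecurityHeadersMiddleware;

class Application extends BaseApplication
{
    public function middleware($middlewareQueue)
    {
        $securityHeaders = (new SecurityHeadersMiddleware())
            // X-Content-Type-Options: nosniff. Browsers must honour the declared
            // Content-Type instead of guessing, so an uploaded text or image file
            // cannot be reinterpreted as HTML or script.
            ->noSniff()
            // X-Download-Options: noopen. Legacy Internet Explorer will not open
            // downloaded files directly in the site's security context.
            ->noOpen()
            // X-Permitted-Cross-Domain-Policies: none. No Flash/Acrobat
            // cross-domain policy files are honoured for this origin.
            ->setCrossDomainPolicy('none')
            // Referrer-Policy. Send the full referrer only to the same origin;
            // other origins see at most the scheme+host, and nothing on an
            // HTTPS -> HTTP downgrade, so paths and query strings do not leak.
            ->setReferrerPolicy('strict-origin-when-cross-origin')
            // X-Frame-Options: deny. Pages cannot be framed at all (clickjacking
            // defence). Use 'sameorigin' if the app frames its own pages, or
            // 'allow-from' with a URL for a single trusted framing origin.
            ->setXFrameOptions('deny')
            // X-XSS-Protection: the default self::XSS_BLOCK emits "1; mode=block".
            ->setXssProtection();

        // Put it first so every response, including error pages produced by
        // later middleware, carries the headers.
        $middlewareQueue->prepend($securityHeaders);

        return $middlewareQueue;
    }
}

/**
 * Illustrates the value validation done by checkValues(): the page lists both
 * 'sameorigin' (X-Frame-Options) and 'same-origin' (Referrer-Policy), and mixing
 * them up is a common mistake. Returns the exception message instead of letting
 * the middleware be registered with a silently wrong header.
 *
 * Hypothetical helper, assuming checkValues() throws \InvalidArgumentException.
 */
function describeInvalidFrameOption()
{
    try {
        (new SecurityHeadersMiddleware())->setXFrameOptions('same-origin');
    } catch (\InvalidArgumentException $e) {
        return 'Rejected: ' . $e->getMessage();
    }

    return 'Accepted (unexpected)';
}
```

Because every setter validates its argument through checkValues() and throws on an unknown value, misconfiguration surfaces at boot rather than as a missing header in production; a deployment check that requests one page and asserts on the six header names above is a cheap way to confirm the middleware is actually in the queue.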