Class SecurityHeadersMiddleware

Handles common security headers in a convenient way

Namespace: Cake\Http\Middleware
Link: https://book.cakephp.org/4/en/controllers/middleware.html#security-header-middleware

Constants

  • string
    ALL 
    'all'
  • string
    ALLOW_FROM 
    'allow-from'
  • string
    BY_CONTENT_TYPE 
    'by-content-type'
  • string
    BY_FTP_FILENAME 
    'by-ftp-filename'
  • string
    DENY 
    'deny'
  • string
    MASTER_ONLY 
    'master-only'
  • string
    NONE 
    'none'
  • string
    NOOPEN 
    'noopen'
  • string
    NOSNIFF 
    'nosniff'
  • string
    NO_REFERRER 
    'no-referrer'
  • string
    NO_REFERRER_WHEN_DOWNGRADE 
    'no-referrer-when-downgrade'
  • string
    ORIGIN 
    'origin'
  • string
    ORIGIN_WHEN_CROSS_ORIGIN 
    'origin-when-cross-origin'
  • string
    SAMEORIGIN 
    'sameorigin'
  • string
    SAME_ORIGIN 
    'same-origin'
  • string
    STRICT_ORIGIN 
    'strict-origin'
  • string
    STRICT_ORIGIN_WHEN_CROSS_ORIGIN 
    'strict-origin-when-cross-origin'
  • string
    UNSAFE_URL 
    'unsafe-url'
  • string
    XSS_BLOCK 
    'block'
  • string
    XSS_DISABLED 
    '0'
  • string
    XSS_ENABLED 
    '1'
  • string
    XSS_ENABLED_BLOCK 
    '1; mode=block'

Property Summary

  • $headers protected
    array<string, mixed>

    Security related headers to set

Method Summary

Method Detail

checkValues() protected 

checkValues(string $value, array<string> $allowed): void

Convenience method to check if a value is in the list of allowed args

Parameters

string $value

Value to check

array<string> $allowed

List of allowed values

Returns

void

Throws

InvalidArgumentException
Thrown when a value is invalid.

noOpen() public 

noOpen(): $this

X-Download-Options

Sets the header value for it to 'noopen'

Returns

$this

Links

https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

noSniff() public 

noSniff(): $this

X-Content-Type-Options

Sets the header value for it to 'nosniff'

Returns

$this

Links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

process() public 

process(ServerRequestInterface $request, RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface

Serve assets if the path matches one.

Processes an incoming server request in order to produce a response. If unable to produce the response itself, it may delegate to the provided request handler to do so.

Parameters

ServerRequestInterface $request

The request.

RequestHandlerInterface $handler

The request handler.

Returns

Psr\Http\Message\ResponseInterface

setCrossDomainPolicy() public 

setCrossDomainPolicy(string $policy = self::ALL): $this

X-Permitted-Cross-Domain-Policies

Parameters

string $policy optional

Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'

Returns

$this

Links

https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

setReferrerPolicy() public 

setReferrerPolicy(string $policy = self::SAME_ORIGIN): $this

Referrer-Policy

Parameters

string $policy optional

Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'

Returns

$this

Links

https://w3c.github.io/webappsec-referrer-policy

setXFrameOptions() public 

setXFrameOptions(string $option = self::SAMEORIGIN, string|null $url = null): $this

X-Frame-Options

Parameters

string $option optional

Option value. Available Values: 'deny', 'sameorigin', 'allow-from '

string|null $url optional

URL if mode is allow-from

Returns

$this

Links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

setXssProtection() public 

setXssProtection(string $mode = self::XSS_BLOCK): $this

X-XSS-Protection

Parameters

string $mode optional

Mode value. Available Values: '1', '0', 'block'

Returns

$this

Links

https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter

Property Detail

$headers protected

Security related headers to set

Type

array<string, mixed>

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.4/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html