Docs4dev
Docs
cakephp / 3.7 / class-cake.http.middleware.securityheadersmiddleware.html

Class SecurityHeadersMiddleware

Handles common security headers in a convenient way

Namespace: Cake\Http\Middleware
Link: https://book.cakephp.org/3.0/en/controllers/middleware.html#security-header-middleware
Location: Http/Middleware/SecurityHeadersMiddleware.php

Constants summary

  • string

    ALL
    'all'

  • string

    ALLOW_FROM
    'allow-from'

  • string

    BY_CONTENT_TYPE
    'by-content-type'

  • string

    BY_FTP_FILENAME
    'by-ftp-filename'

  • string

    DENY
    'deny'

  • string

    MASTER_ONLY
    'master-only'

  • string

    NONE
    'none'

  • string

    NOOPEN
    'noopen'

  • string

    NOSNIFF
    'nosniff'

  • string

    NO_REFERRER
    'no-referrer'

  • string

    NO_REFERRER_WHEN_DOWNGRADE
    'no-referrer-when-downgrade'

  • string

    ORIGIN
    'origin'

  • string

    ORIGIN_WHEN_CROSS_ORIGIN
    'origin-when-cross-origin'

  • string

    SAMEORIGIN
    'sameorigin'

  • string

    SAME_ORIGIN
    'same-origin'

  • string

    STRICT_ORIGIN
    'strict-origin'

  • string

    STRICT_ORIGIN_WHEN_CROSS_ORIGIN
    'strict-origin-when-cross-origin'

  • string

    UNSAFE_URL
    'unsafe-url'

  • string

    XSS_BLOCK
    'block'

  • string

    XSS_DISABLED
    '0'

  • string

    XSS_ENABLED
    '1'

  • string

    XSS_ENABLED_BLOCK
    '1; mode=block'

Properties summary

  • $headers protected
    array
    Security related headers to set

Method Summary

Method Detail

__invoke()source public

__invoke( Psr\Http\Message\ServerRequestInterface $request , Psr\Http\Message\ResponseInterface $response , callable $next )

Serve assets if the path matches one.

Parameters

Psr\Http\Message\ServerRequestInterface $request
The request.
Psr\Http\Message\ResponseInterface $response
The response.
callable $next
Callback to invoke the next middleware.

Returns

Psr\Http\Message\ResponseInterface
A response

checkValues()source protected

checkValues( string $value , array $allowed )

Convenience method to check if a value is in the list of allowed args

Parameters

string $value
Value to check
array $allowed
List of allowed values

Throws

InvalidArgumentException
Thrown when a value is invalid.

noOpen()source public

noOpen( )

X-Download-Options

Sets the header value for it to 'noopen'

Returns


$this

Link

https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

noSniff()source public

noSniff( )

X-Content-Type-Options

Sets the header value for it to 'nosniff'

Returns


$this

Link

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

setCrossDomainPolicy()source public

setCrossDomainPolicy( string $policy = self::ALL )

X-Permitted-Cross-Domain-Policies

Parameters

string $policy optional self::ALL

Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'

Returns


$this

Link

https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

setReferrerPolicy()source public

setReferrerPolicy( string $policy = self::SAME_ORIGIN )

Referrer-Policy

Parameters

string $policy optional self::SAME_ORIGIN

Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'

Returns


$this

Link

https://w3c.github.io/webappsec-referrer-policy

setXFrameOptions()source public

setXFrameOptions( string $option = self::SAMEORIGIN , string $url = null )

X-Frame-Options

Parameters

string $option optional self::SAMEORIGIN
Option value. Available Values: 'deny', 'sameorigin', 'allow-from '
string $url optional null
URL if mode is allow-from

Returns


$this

Link

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

setXssProtection()source public

setXssProtection( string $mode = self::XSS_BLOCK )

X-XSS-Protection

Parameters

string $mode optional self::XSS_BLOCK
Mode value. Available Values: '1', '0', 'block'

Returns


$this

Link

https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter

Properties detail

$headerssource

protected array

Security related headers to set

[]

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/3.7/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html