Class SecurityHeadersMiddleware

Handles common security headers in a convenient way

Namespace: Cake\Http\Middleware
Link: https://book.cakephp.org/4/en/controllers/middleware.html#security-header-middleware

Constants

string

ALL
```
'all'
```
string

ALLOW_FROM
```
'allow-from'
```
string

BY_CONTENT_TYPE
```
'by-content-type'
```
string

BY_FTP_FILENAME
```
'by-ftp-filename'
```
string

DENY
```
'deny'
```
string

MASTER_ONLY
```
'master-only'
```
string

NONE
```
'none'
```
string

NOOPEN
```
'noopen'
```
string

NOSNIFF
```
'nosniff'
```
string

NO_REFERRER
```
'no-referrer'
```
string

NO_REFERRER_WHEN_DOWNGRADE
```
'no-referrer-when-downgrade'
```
string

ORIGIN
```
'origin'
```
string

ORIGIN_WHEN_CROSS_ORIGIN
```
'origin-when-cross-origin'
```
string

SAMEORIGIN
```
'sameorigin'
```
string

SAME_ORIGIN
```
'same-origin'
```
string

STRICT_ORIGIN
```
'strict-origin'
```
string

STRICT_ORIGIN_WHEN_CROSS_ORIGIN
```
'strict-origin-when-cross-origin'
```
string

UNSAFE_URL
```
'unsafe-url'
```
string

XSS_BLOCK
```
'block'
```
string

XSS_DISABLED
```
'0'
```
string

XSS_ENABLED
```
'1'
```
string

XSS_ENABLED_BLOCK
```
'1; mode=block'
```

Property Summary

$headers protected

array<string, mixed>

Security related headers to set

Method Summary

checkValues() protected

Convenience method to check if a value is in the list of allowed args
noOpen() public

X-Download-Options
noSniff() public

X-Content-Type-Options
process() public

Serve assets if the path matches one.
setCrossDomainPolicy() public

X-Permitted-Cross-Domain-Policies
setReferrerPolicy() public

Referrer-Policy
setXFrameOptions() public

X-Frame-Options
setXssProtection() public

X-XSS-Protection

Method Detail

checkValues() protected

checkValues(string $value, array<string> $allowed): void

Convenience method to check if a value is in the list of allowed args

Parameters

string $value: Value to check
array<string> $allowed: List of allowed values

Returns

void

Throws

InvalidArgumentException
Thrown when a value is invalid.

noOpen() public

noOpen(): $this

X-Download-Options

Sets the header value for it to 'noopen'

Returns

$this

Links

https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx

noSniff() public

noSniff(): $this

X-Content-Type-Options

Sets the header value for it to 'nosniff'

Returns

$this

Links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

process() public

process(ServerRequestInterface $request, RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface

Serve assets if the path matches one.

Processes an incoming server request in order to produce a response. If unable to produce the response itself, it may delegate to the provided request handler to do so.

Parameters

ServerRequestInterface $request: The request.
RequestHandlerInterface $handler: The request handler.

Returns

Psr\Http\Message\ResponseInterface

setCrossDomainPolicy() public

setCrossDomainPolicy(string $policy = self::ALL): $this

X-Permitted-Cross-Domain-Policies

Parameters

string $policy optional: Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'

Returns

$this

Links

https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html

setReferrerPolicy() public

setReferrerPolicy(string $policy = self::SAME_ORIGIN): $this

Referrer-Policy

Parameters

string $policy optional: Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'

Returns

$this

Links

https://w3c.github.io/webappsec-referrer-policy

setXFrameOptions() public

setXFrameOptions(string $option = self::SAMEORIGIN, string|null $url = null): $this

X-Frame-Options

Parameters

string $option optional: Option value. Available Values: 'deny', 'sameorigin', 'allow-from '
string|null $url optional: URL if mode is allow-from

Returns

$this

Links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

setXssProtection() public

setXssProtection(string $mode = self::XSS_BLOCK): $this

X-XSS-Protection

Parameters

string $mode optional: Mode value. Available Values: '1', '0', 'block'

Returns

$this

Links

https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter

Property Detail

`$headers` protected

Security related headers to set

Type

array<string, mixed>

© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.4/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html

Class SecurityHeadersMiddleware

Constants

Property Summary

Method Summary

checkValues() protected

noOpen() public

noSniff() public

process() public

setCrossDomainPolicy() public

setReferrerPolicy() public

setXFrameOptions() public

setXssProtection() public

Method Detail

checkValues() protected

Parameters

Returns

Throws

noOpen() public

Returns

Links

noSniff() public

Returns

Links

process() public

Parameters

Returns

setCrossDomainPolicy() public

Parameters

Returns

Links

setReferrerPolicy() public

Parameters

Returns

Links

setXFrameOptions() public

Parameters

Returns

Links

setXssProtection() public

Parameters

Returns

Links

Property Detail

$headers protected

Type

`$headers` protected