Cake\Http\Middleware\SecurityHeadersMiddleware (CakePHP 3.8): handles common security headers in a convenient way.
Constants (all of type string):

ALL = 'all'
ALLOW_FROM = 'allow-from'
BY_CONTENT_TYPE = 'by-content-type'
BY_FTP_FILENAME = 'by-ftp-filename'
DENY = 'deny'
MASTER_ONLY = 'master-only'
NONE = 'none'
NOOPEN = 'noopen'
NOSNIFF = 'nosniff'
NO_REFERRER = 'no-referrer'
NO_REFERRER_WHEN_DOWNGRADE = 'no-referrer-when-downgrade'
ORIGIN = 'origin'
ORIGIN_WHEN_CROSS_ORIGIN = 'origin-when-cross-origin'
SAMEORIGIN = 'sameorigin'
SAME_ORIGIN = 'same-origin'
STRICT_ORIGIN = 'strict-origin'
STRICT_ORIGIN_WHEN_CROSS_ORIGIN = 'strict-origin-when-cross-origin'
UNSAFE_URL = 'unsafe-url'
XSS_BLOCK = 'block'
XSS_DISABLED = '0'
XSS_ENABLED = '1'
XSS_ENABLED_BLOCK = '1; mode=block'

Properties:

$headers (protected array): the header names and values that will be added to the response.
Methods:

__invoke(Psr\Http\Message\ServerRequestInterface $request, Psr\Http\Message\ResponseInterface $response, callable $next)
Calls the next middleware and adds the configured security headers to the response it returns.
Parameters: $request, $response, $next

checkValues(string $value, array $allowed)
Convenience method to check that a value is in the list of allowed arguments.
Parameters: $value, $allowed

noOpen()
X-Download-Options: sets the header value to 'noopen'.

noSniff()
X-Content-Type-Options: sets the header value to 'nosniff'.

setCrossDomainPolicy(string $policy = self::ALL)
X-Permitted-Cross-Domain-Policies
$policy (optional, default self::ALL): policy value. Available values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'

setReferrerPolicy(string $policy = self::SAME_ORIGIN)
Referrer-Policy
$policy (optional, default self::SAME_ORIGIN): policy value. Available values: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'

setXFrameOptions(string $option = self::SAMEORIGIN, string $url = null)
X-Frame-Options
$option (optional, default self::SAMEORIGIN): option value. Available values: 'deny', 'sameorigin', 'allow-from'
$url (optional, default null): the URL to send with the 'allow-from' option

setXssProtection(string $mode = self::XSS_BLOCK)
X-XSS-Protection
$mode (optional, default self::XSS_BLOCK): mode value. Available values: 'block', '0', '1', '1; mode=block'
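The following is an added example, not code from the CakePHP API page or the CakePHP project, showing how the methods above are wired into a 3.8 application's middleware queue with a restrictive configuration. It assumes the standard src/Application.php skeleton (a class extending Cake\Http\BaseApplication with a middleware() method); the note that 'block' is sent as '1; mode=block' and that checkValues() rejects unknown values with an InvalidArgumentException reflects the CakePHP implementation rather than this page's text.

```php
<?php
// Added example: src/Application.php (assumed skeleton) with SecurityHeadersMiddleware.
namespace App;

use Cake\Http\BaseApplication;
use Cake\Http\MiddlewareQueue;
use Cake\Http\Middleware\SecurityHeadersMiddleware;

class Application extends BaseApplication
{
    public function middleware($middlewareQueue)
    {
        // Every setter returns $this, so the configuration can be chained.
        $securityHeaders = (new SecurityHeadersMiddleware())
            // X-Download-Options: noopen (IE will not open downloads in the site context)
            ->noOpen()
            // X-Content-Type-Options: nosniff (no MIME sniffing of responses)
            ->noSniff()
            // X-Permitted-Cross-Domain-Policies: none (no Flash/PDF cross-domain access)
            ->setCrossDomainPolicy(SecurityHeadersMiddleware::NONE)
            // Referrer-Policy: strict-origin-when-cross-origin (no path leakage cross-origin)
            ->setReferrerPolicy(SecurityHeadersMiddleware::STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
            // X-Frame-Options: deny (page may not be framed at all)
            ->setXFrameOptions(SecurityHeadersMiddleware::DENY)
            // X-XSS-Protection: XSS_BLOCK is emitted as '1; mode=block'
            ->setXssProtection(SecurityHeadersMiddleware::XSS_BLOCK);

        // The middleware adds the headers to the response returned by the rest of the queue.
        $middlewareQueue->add($securityHeaders);

        return $middlewareQueue;
    }
}

// If framing by one trusted origin is required, 'allow-from' needs the second argument;
// passing ALLOW_FROM without a URL is rejected with an InvalidArgumentException.
$framable = (new SecurityHeadersMiddleware())
    ->setXFrameOptions(SecurityHeadersMiddleware::ALLOW_FROM, 'https://trusted.example.com');

// checkValues() guards every setter: a value outside the documented list throws,
// so a typo fails at boot rather than silently sending a header browsers ignore.
try {
    (new SecurityHeadersMiddleware())->setReferrerPolicy('same-site'); // not an allowed value
} catch (\InvalidArgumentException $e) {
    error_log('Rejected referrer policy: ' . $e->getMessage());
}
```

Note that 'allow-from' is only honoured by older browsers; modern ones ignore it, so 'deny' or 'sameorigin' should be the default choice unless a specific legacy embedding requires otherwise.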
© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
https://api.cakephp.org/3.8/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html