Handles common security headers in a convenient way
string
'all'
string
'allow-from'
string
'by-content-type'
string
'by-ftp-filename'
string
'deny'
string
'master-only'
string
'none'
string
'noopen'
string
'nosniff'
string
'no-referrer'
string
'no-referrer-when-downgrade'
string
'origin'
string
'origin-when-cross-origin'
string
'sameorigin'
string
'same-origin'
string
'strict-origin'
string
'strict-origin-when-cross-origin'
string
'unsafe-url'
string
'block'
string
'0'
string
'1'
string
'1; mode=block'
array<string, mixed>
Security related headers to set
Convenience method to check if a value is in the list of allowed args
X-Download-Options
X-Content-Type-Options
Serve assets if the path matches one.
X-Permitted-Cross-Domain-Policies
Referrer-Policy
X-Frame-Options
X-XSS-Protection
checkValues(string $value, array<string> $allowed): void
Convenience method to check if a value is in the list of allowed args
string
$value Value to check
array<string>
$allowed List of allowed values
void
InvalidArgumentException
noOpen(): $this
X-Download-Options
Sets the header value for it to 'noopen'
$this
noSniff(): $this
X-Content-Type-Options
Sets the header value for it to 'nosniff'
$this
process(ServerRequestInterface $request, RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface
Serve assets if the path matches one.
Processes an incoming server request in order to produce a response. If unable to produce the response itself, it may delegate to the provided request handler to do so.
ServerRequestInterface
$request The request.
RequestHandlerInterface
$handler The request handler.
Psr\Http\Message\ResponseInterface
setCrossDomainPolicy(string $policy = self::ALL): $this
X-Permitted-Cross-Domain-Policies
string
$policy optional Policy value. Available Values: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
$this
setReferrerPolicy(string $policy = self::SAME_ORIGIN): $this
Referrer-Policy
string
$policy optional Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
$this
setXFrameOptions(string $option = self::SAMEORIGIN, string|null $url = null): $this
X-Frame-Options
string
$option optional Option value. Available Values: 'deny', 'sameorigin', 'allow-from
string|null
$url optional URL if mode is allow-from
$this
setXssProtection(string $mode = self::XSS_BLOCK): $this
X-XSS-Protection
string
$mode optional Mode value. Available Values: '1', '0', 'block'
$this
Security related headers to set
array<string, mixed>
© 2005–present The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/4.4/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html