Handles common security headers in a convenient way
$headers
protected array
__invoke( Psr\Http\Message\ServerRequestInterface $request , Psr\Http\Message\ResponseInterface $response , callable $next )
Serve assets if the path matches one.
$request
$response
$next
checkValues( string $value , array $allowed )
Convenience method to check if a value is in the list of allowed args
$value
$allowed
noOpen( )
X-Download-Options
Sets the header value for it to 'noopen'
noSniff( )
X-Content-Type-Options
Sets the header value for it to 'nosniff'
setCrossDomainPolicy( string $policy 'all' )
X-Permitted-Cross-Domain-Policies
$policy
optional 'all' setReferrerPolicy( string $policy 'same-origin' )
Referrer-Policy
$policy
optional 'same-origin' Policy value. Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
setXFrameOptions( string $option 'sameorigin' , string $url null )
X-Frame-Options
$option
optional 'sameorigin' $url
optional null allow-from
setXssProtection( string $mode 'block' )
X-XSS-Protection
$mode
optional 'block'
© 2005–2018 The Cake Software Foundation, Inc.
Licensed under the MIT License.
CakePHP is a registered trademark of Cake Software Foundation, Inc.
We are not endorsed by or affiliated with CakePHP.
https://api.cakephp.org/3.5/class-Cake.Http.Middleware.SecurityHeadersMiddleware.html