2017 © Pedro Peláez
 

yii2-extension yii2-secure-headers

Secure headers for your Yii2 app

image

hyperia/yii2-secure-headers

Secure headers for your Yii2 app

  • Monday, January 15, 2018
  • by arzzen
  • Repository
  • 1 Watchers
  • 6 Stars
  • 620 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 2 Forks
  • 0 Open issues
  • 7 Versions
  • 24 % Grown

The README.md

Yii2 security headers extension

Build Status codecov GitHub license Latest Stable Version, (*1)

Add security related headers to HTTP response. The package includes extension for easy Yii2 integration., (*2)

Installation

The preferred way to install this extension is through composer., (*3)

Either run, (*4)

composer require hyperia/yii2-secure-headers:"^2.0"

or add, (*5)

"hyperia/yii2-secure-headers": "^2.0"

to the require section of your composer.json., (*6)

Configuration (usage)

'bootstrap'  => [..., 'headers'],
'components' => [
    ...
    'headers' => [
        'class' => '\hyperia\security\Headers',
        'upgradeInsecureRequests' => true,
        'blockAllMixedContent' => true,
        'requireSriForScript' => false,
        'requireSriForStyle' => false,
        'xssProtection' => true,
        'contentTypeOptions' => true,
        'strictTransportSecurity' => [
            'max-age' => 10,
            'includeSubDomains' => true,
            'preload' => false
        ],
        'xFrameOptions' => 'DENY',
        'xPoweredBy' => 'Hyperia',
        'referrerPolicy' => 'no-referrer',
        'reportUri' => 'https://company.report-uri.com',
        'cspDirectives' => [
            'connect-src' => "'self'",
            'font-src' => "'self'",
            'frame-src' => "'self'",
            'img-src' => "'self' data:",
            'manifest-src' => "'self'",
            'object-src' => "'self'",
            'prefetch-src' => "'self'",
            'script-src' => "'self' 'unsafe-inline'",
            'style-src' => "'self' 'unsafe-inline'",
            'media-src' => "'self'",
            'form-action' => "'self'",
            'worker-src' => "'self'",
        ],
        'featurePolicyDirectives' => [
            'accelerometer' => "'self'",
            'ambient-light-sensor' => "'self'",
            'autoplay' => "'self'",
            'battery' => "'self'",
            'camera' => "'self'",
            'display-capture' => "'self'",
            'document-domain' => "'self'",
            'encrypted-media' => "'self'",
            'fullscreen' => "'self'",
            'geolocation' => "'self'",
            'gyroscope' => "'self'",
            'layout-animations' => "'self'",
            'magnetometer' => "'self'",
            'microphone' => "'self'",
            'midi' => "'self'",
            'oversized-images' => "'self'",
            'payment' => "'self'",
            'picture-in-picture' => "*",
            'publickey-credentials-get' => "'self'",
            'sync-xhr' => "'self'",
            'usb' => "'self'",
            'wake-lock' => "'self'",
            'xr-spatial-tracking' => "'self'"
        ]
    ]
]

Parameter description

Source Value Example Description
* img-src * Wildcard, allows any URL except data: blob: filesystem: schemes.
'none' object-src 'none' Prevents loading resources from any source.
'self' script-src 'self' Allows loading resources from the same origin (same scheme, host and port).
data: img-src 'self' data: Allows loading resources via the data scheme (eg Base64 encoded images).
domain.example.com img-src domain.example.com Allows loading resources from the specified domain name.
*.example.com img-src *.example.com Allows loading resources from any subdomain under example.com.
https://cdn.com img-src https://cdn.com Allows loading resources only over HTTPS matching the given domain.
https: img-src https: Allows loading resources only over HTTPS on any domain.
'unsafe-inline' script-src 'unsafe-inline' Allows use of inline source elements such as style attribute, onclick, or script tag bodies (depends on the context of the source it is applied to)
'unsafe-eval' script-src 'unsafe-eval' Allows unsafe dynamic code evaluation such as JavaScript eval()

Policy

Each header has a reference link in config file, you should read it if you do not know the header. If you want to disable a string type header, just set to null or empty string., (*7)

Content Security Policy

We use paragonie/csp-builder to help us support csp header. If you want to disable csp header, set custom-csp to empty string., (*8)

Subresource Integrity

If you want to require subresource integrity for style and script sources set requireSriForStyle and requireSriForScript to true, (*9)

Feature Policy

Feature Policy is being created to allow site owners to enable and disable certain web platform features on their own pages and those they embed. Use same directives as for CSP, (*10)

Additional Resources

Everything you need to know about HTTP security headers, (*11)

The Versions

15/01 2018

dev-master

9999999-dev

Secure headers for your Yii2 app

  Sources   Download

MIT

The Requires

 

The Development Requires

by Lukas Hrdlicka

extension yii2 secure headers

24/07 2017

1.1.2

1.1.2.0

Secure headers for your Yii2 app

  Sources   Download

MIT

The Requires

 

The Development Requires

by Lukas Hrdlicka

extension yii2 secure headers

22/07 2017

1.1.1

1.1.1.0

Secure headers for your Yii2 app

  Sources   Download

MIT

The Requires

 

The Development Requires

by Lukas Hrdlicka

extension yii2 secure headers

11/07 2017

1.0.2

1.0.2.0

Secure headers for your Yii2 app

  Sources   Download

The Requires

 

The Development Requires

by Lukas Hrdlicka

extension yii2 secure headers

11/07 2017

1.1.0

1.1.0.0

Secure headers for your Yii2 app

  Sources   Download

The Requires

 

The Development Requires

by Lukas Hrdlicka

extension yii2 secure headers

22/06 2017

1.0.1

1.0.1.0

Secure headers for your Yii2 app

  Sources   Download

The Requires

 

The Development Requires

by Lukas Hrdlicka

extension yii2 secure headers

17/06 2017

1.0.0

1.0.0.0

Secure headers for your Yii2 app

  Sources   Download

The Requires

 

The Development Requires

by Lukas Hrdlicka

extension yii2 secure headers