README

A fully modular, ReactPHP-native re-implementation of Helmet.js. Each security feature is implemented as a separate middleware class, and HelmetMiddleware acts as the aggregator—just like the real Helmet.

✨ Features

• CSP (Content Security Policy)
• Cross-Origin Policies (COOP / COEP / CORP)
• Strict-Transport-Security (HSTS)
• Referrer-Policy
• X-Frame-Options
• X-Content-Type-Options
• X-DNS-Prefetch-Control
• X-Download-Options
• X-Permitted-Cross-Domain-Policies
• X-Powered-By removal
• X-XSS-Protection (disabled by default, following Helmet.js)
• All middleware is async, non-blocking, and designed for ReactPHP HTTP servers

📦 Installation

composer require hasanparasteh/helmet

🚀 Usage with ReactPHP

use HP\Helmet\Middleware\Security\Helmet\HelmetMiddleware;
use HP\Helmet\Http\MiddlewareDispatcher;
use React\Http\HttpServer;
use React\Http\Message\Response;

$helmet = new HelmetMiddleware([
    'contentSecurityPolicy' => [
        'directives' => [
            "default-src" => ["'self'"],
            "script-src"  => ["'self'", "https://cdn.example.com"],
        ]
    ],
    'referrerPolicy' => ['policy' => 'no-referrer'],
    'xPoweredBy' => true
]);

$dispatcher = new MiddlewareDispatcher(
    [$helmet],
    fn() => new Response(200, ['Content-Type' => 'text/plain'], "Hello secure world")
);

$server = new HttpServer($dispatcher);

⚙️ Configuration Options (Full Documentation)

Configuration follows Helmet.js semantics as closely as possible.

1. contentSecurityPolicy

Enable or configure CSP.

Example

'contentSecurityPolicy' => [
    'directives' => [
        "default-src" => ["'self'"],
        "script-src" => ["'self'", "cdn.example.com"],
    ],
    'reportOnly' => false
]

Options

Default CSP Directives

default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests;

2. crossOriginEmbedderPolicy

Controls resource isolation (COEP).

Example

'crossOriginEmbedderPolicy' => [
    'policy' => 'require-corp'
]

Options

Produces:

Cross-Origin-Embedder-Policy: require-corp

3. crossOriginOpenerPolicy

Isolation protection (COOP).

Example

'crossOriginOpenerPolicy' => [
    'policy' => 'same-origin'
]

Options

Produces:

Cross-Origin-Opener-Policy: same-origin

4. crossOriginResourcePolicy

Restrict which origins can load your resources (CORP).

Example

'crossOriginResourcePolicy' => [
    'policy' => 'same-origin'
]

Options

5. originAgentCluster

Enables browser origin-keyed agent clusters.

Example

'originAgentCluster' => true

Produces:

Origin-Agent-Cluster: ?1

6. referrerPolicy

Example

'referrerPolicy' => [
    'policy' => 'no-referrer'
]

Options

7. strictTransportSecurity / hsts

HSTS config.

Example:

'strictTransportSecurity' => [
    'maxAge' => 31536000,
    'includeSubDomains' => true,
    'preload' => false
]

Options:

Produces:

Strict-Transport-Security: max-age=15552000; includeSubDomains

Aliases:

• hsts
• strictTransportSecurity (Only one allowed—both → error)

8. xContentTypeOptions / noSniff

Control MIME type sniffing.

Examples:

'xContentTypeOptions' => true
// or
'noSniff' => true

Output:

X-Content-Type-Options: nosniff

Alias rules:

• Only one of xContentTypeOptions or noSniff allowed.

9. xDnsPrefetchControl / dnsPrefetchControl

Example:

'dnsPrefetchControl' => ['allow' => false]

Options:

Output:

X-DNS-Prefetch-Control: off

10. xDownloadOptions / ieNoOpen

Prevents file download attacks in IE.

Enable:

'xDownloadOptions' => true

Output:

X-Download-Options: noopen

11. xFrameOptions / frameguard

Example:

'xFrameOptions' => [
    'action' => 'DENY'
]

Options:

Output:

X-Frame-Options: SAMEORIGIN

12. xPermittedCrossDomainPolicies

Example:

'xPermittedCrossDomainPolicies' => [
    'policy' => 'none'
]

Options:

Output:

X-Permitted-Cross-Domain-Policies: none

13. xPoweredBy / hidePoweredBy

True = remove “X-Powered-By”.

Example:

'xPoweredBy' => true

Removes:

X-Powered-By: PHP/8.x

If you disable:

'xPoweredBy' => false

It will NOT remove the header.

14. xXssProtection / xssFilter

Modern Helmet disables this (it's deprecated/broken in browsers).

Example:

'xXssProtection' => true

Always outputs:

X-XSS-Protection: 0

Alias rules same as Helmet.js.

🧩 Full Option Map

🧱 Architecture Overview

HelmetMiddleware
   ↳ ContentSecurityPolicyMiddleware
   ↳ CrossOriginOpenerPolicyMiddleware
   ↳ CrossOriginEmbedderPolicyMiddleware
   ↳ CrossOriginResourcePolicyMiddleware
   ↳ OriginAgentClusterMiddleware
   ↳ ReferrerPolicyMiddleware
   ↳ StrictTransportSecurityMiddleware
   ↳ XContentTypeOptionsMiddleware
   ↳ XDnsPrefetchControlMiddleware
   ↳ XDownloadOptionsMiddleware
   ↳ XFrameOptionsMiddleware
   ↳ XPermittedCrossDomainPoliciesMiddleware
   ↳ XPoweredByMiddleware
   ↳ XXssProtectionMiddleware

Each sub-middleware:

• Accepts (ServerRequestInterface $req, callable $next)
• Returns Promise<ResponseInterface>
• Mutates headers only in the response