hyperia/yii2-secure-headers

Secure headers for your Yii2 app

Installs: 110 526

Dependents: 0

Suggesters: 0

Security: 0

Stars: 21

Watchers: 3

Forks: 8

Open Issues: 3

Type:yii2-extension

2.3 2024-01-02 17:16 UTC

README

Build Status codecov GitHub license Latest Stable Version

Add security related headers to HTTP response. The package includes extension for easy Yii2 integration.

Installation

The preferred way to install this extension is through composer.

Either run

composer require hyperia/yii2-secure-headers:"^2.0"

or add

"hyperia/yii2-secure-headers": "^2.0"

to the require section of your composer.json.

Configuration (usage)

'bootstrap'  => [..., 'headers'],
'components' => [
    ...
    'headers' => [
        'class' => '\hyperia\security\Headers',
        'upgradeInsecureRequests' => true,
        'blockAllMixedContent' => true,
        'requireSriForScript' => false,
        'requireSriForStyle' => false,
        'xssProtection' => true,
        'contentTypeOptions' => true,
        'strictTransportSecurity' => [
            'max-age' => 10,
            'includeSubDomains' => true,
            'preload' => false
        ],
        'xFrameOptions' => 'DENY',
        'xPoweredBy' => 'Hyperia',
        'referrerPolicy' => 'no-referrer',
        'reportOnlyMode' => false
        'reportUri' => 'https://company.report-uri.com/r/d/csp/enforce',
        'reportTo' => [
            [
                'group' => 'groupName',
                'max_age' => 10886400,
                'endpoints' => [
                    [
                        'name' => 'endpointName',
                        'url' => 'https://example.com',
                        'failures' => 1
                    ]
                ]
            ]
        ]
        'cspDirectives' => [
            'connect-src' => "'self'",
            'font-src' => "'self'",
            'frame-src' => "'self'",
            'img-src' => "'self' data:",
            'manifest-src' => "'self'",
            'object-src' => "'self'",
            'prefetch-src' => false,
            'script-src' => "'self' 'unsafe-inline'",
            'style-src' => "'self' 'unsafe-inline'",
            'media-src' => "'self'",
            'form-action' => "'self'",
            'worker-src' => "'self'",
            'report-to' => 'groupname'
        ],
        // Deprecated. Use Permissions Policy instead.
        'featurePolicyDirectives' => [
            'accelerometer' => "'self'",
            'ambient-light-sensor' => "'self'",
            'autoplay' => "'self'",
            'battery' => "'self'",
            'camera' => "'self'",
            'display-capture' => "'self'",
            'document-domain' => "'self'",
            'encrypted-media' => "'self'",
            'fullscreen' => "'self'",
            'geolocation' => "'self'",
            'gyroscope' => "'self'",
            'layout-animations' => "'self'",
            'magnetometer' => "'self'",
            'microphone' => "'self'",
            'midi' => "'self'",
            'oversized-images' => "'self'",
            'payment' => "'self'",
            'picture-in-picture' => "*",
            'publickey-credentials-get' => "'self'",
            'sync-xhr' => "'self'",
            'usb' => "'self'",
            'wake-lock' => "'self'",
            'xr-spatial-tracking' => "'self'"
        ],
        'permissionsPolicyDirectives' => [
            'accelerometer' => "self",
            'ambient-light-sensor' => "self",
            'autoplay' => "self",
            'battery' => "self",
            'camera' => "self",
            'display-capture' => "self",
            'document-domain' => "self",
            'encrypted-media' => "self",
            'fullscreen' => "self",
            'geolocation' => "self",
            'gyroscope' => "self",
            'layout-animations' => "self",
            'magnetometer' => "self",
            'microphone' => "self",
            'midi' => "self",
            'oversized-images' => "self",
            'payment' => "self",
            'picture-in-picture' => "*",
            'publickey-credentials-get' => "self",
            'sync-xhr' => "self",
            'usb' => "self",
            'wake-lock' => "self",
            'xr-spatial-tracking' => "self"
        ]
    ]
]

Parameter description

Policy

Each header has a reference link in config file, you should read it if you do not know the header. If you want to disable a string type header, just set to null or empty string.

Content Security Policy

We use paragonie/csp-builder to help us support csp header. If you want to disable csp header, set custom-csp to empty string.

Subresource Integrity

If you want to require subresource integrity for style and script sources set requireSriForStyle and requireSriForScript to true

Feature Policy

Deprecated. Use Permissions Policy instead. Feature Policy is being created to allow site owners to enable and disable certain web platform features on their own pages and those they embed. Use same directives as for CSP

Permissions Policy

Permissions Policy is new policy which will replace Feature Policy

Additional Resources

Everything you need to know about HTTP security headers