Middleware to redirect to https and add the Strict-Transport-Security header

v1.3.0 2018-10-23 17:09 UTC

README


Middleware to redirect to https if the request is http and add the Strict Transport Security header to protect against protocol downgrade attacks and cookie hijacking.

Requirements

Installation

This package is installable and autoloadable via Composer as middlewares/https.

composer require middlewares/https

Example

$dispatcher = new Dispatcher([
	(new Middlewares\Https())
		->includeSubdomains()
]);

$response = $dispatcher->dispatch(new ServerRequest());

API

__construct

Type Required Description
Psr\Http\Message\ResponseFactoryInterface No A PSR-17 factory used to create the redirect responses. If it is not given, Middlewares\Utils\Factory is used to detect one automatically.

maxAge

Changes the value of the max-age directive in the Strict-Transport-Security header. The default is 31536000 seconds (1 year).

Type Required Description
int Yes The new value in seconds

includeSubdomains

By default, the includeSubDomains directive is not included in the Strict-Transport-Security header. Use this function to change this behavior.

Type Required Description
bool No true to include the directive, false to omit it. Defaults to true.

preload

By default, the preload directive is not included in the Strict-Transport-Security header. Use this function to change this behavior.

Type Required Description
bool No true to include the directive, false to omit it. Defaults to true.

checkHttpsForward

When this option is enabled, requests carrying the header X-Forwarded-Proto: https or X-Forwarded-Port: 443 are treated as already being HTTPS and are not redirected. This is especially useful when the site sits behind an HTTPS-terminating load balancer.

Type Required Description
bool No true to enable this behavior, false to disable it. Defaults to true.

redirect

When this option is enabled, plain-http requests receive a redirect response to the https URL instead of being handled. It is enabled by default.

Type Required Description
bool No true to enable redirections, false to disable them. Defaults to true.
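The decision the options above control, as an added example in plain PHP that is not part of this package: it works on arrays instead of PSR-7 objects, and it adds a trustedProxies list (not in the package's API) so that X-Forwarded-Proto / X-Forwarded-Port are only believed when they come from the load balancer.

```php
<?php
// Added example, not the package's own code: the redirect / HSTS / forwarded-header
// logic of an HTTPS middleware, written against plain arrays so it runs without a
// PSR-7 library. Names are this example's own; option names mirror the README's API.

// Build the Strict-Transport-Security value from maxAge, includeSubdomains, preload.
function hstsHeader(int $maxAge, bool $includeSubdomains, bool $preload): string
{
    return 'max-age=' . $maxAge
        . ($includeSubdomains ? '; includeSubDomains' : '')
        . ($preload ? '; preload' : '');
}

// Was the request already HTTPS? X-Forwarded-Proto / X-Forwarded-Port are only
// believed when checkHttpsForward is on AND the peer is a trusted proxy, otherwise
// any client could send "X-Forwarded-Proto: https" and skip the redirect.
function isHttps(array $req, bool $checkHttpsForward, array $trustedProxies): bool
{
    if ($req['scheme'] === 'https') {
        return true;
    }
    if (!$checkHttpsForward || !in_array($req['remote_addr'], $trustedProxies, true)) {
        return false;
    }
    $proto = strtolower($req['headers']['X-Forwarded-Proto'] ?? '');
    $port = (string) ($req['headers']['X-Forwarded-Port'] ?? '');
    return $proto === 'https' || $port === '443';
}

// 301 to the https:// URL for plain-http requests (when redirect is on); otherwise
// the response carries HSTS. HSTS goes only on HTTPS responses, as RFC 6797 requires.
function handle(array $req, array $opts = []): array
{
    $opts += ['maxAge' => 31536000, 'includeSubdomains' => false, 'preload' => false,
              'checkHttpsForward' => true, 'redirect' => true, 'trustedProxies' => []];
    if (!isHttps($req, $opts['checkHttpsForward'], $opts['trustedProxies'])) {
        return $opts['redirect']
            ? ['status' => 301, 'headers' => ['Location' => 'https://' . $req['host'] . $req['path']]]
            : ['status' => 200, 'headers' => []];
    }
    $hsts = hstsHeader($opts['maxAge'], $opts['includeSubdomains'], $opts['preload']);
    return ['status' => 200, 'headers' => ['Strict-Transport-Security' => $hsts]];
}

// Constructed sample: TLS terminated at trusted proxy 10.0.0.5, so the backend sees
// http but must not redirect; the response carries the HSTS header instead.
$sample = ['scheme' => 'http', 'remote_addr' => '10.0.0.5', 'host' => 'example.com',
           'path' => '/login', 'headers' => ['X-Forwarded-Proto' => 'https']];
print_r(handle($sample, ['includeSubdomains' => true, 'trustedProxies' => ['10.0.0.5']]));
```

Change remote_addr in the sample to an address outside trustedProxies and the same request is redirected instead, which is the behaviour you want when an untrusted client sends the forwarded headers itself.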

Please see CHANGELOG for more information about recent changes and CONTRIBUTING for contributing details.

The MIT License (MIT). Please see LICENSE for more information.