middlewares / https
Middleware to redirect to https and adds the Strict-Transport-Security header
Installs: 77 735
Dependents: 4
Suggesters: 0
Security: 0
Stars: 14
Watchers: 2
Forks: 3
Open Issues: 1
Requires
- php: ^7.2 || ^8.0
- middlewares/utils: ^3.0 || ^4.0
- psr/http-server-middleware: ^1.0
Requires (Dev)
- friendsofphp/php-cs-fixer: ^2.0
- laminas/laminas-diactoros: ^2.3
- oscarotero/php-cs-fixer-config: ^1.0
- phpstan/phpstan: ^0.12
- phpunit/phpunit: ^8|^9
- squizlabs/php_codesniffer: ^3.0
README
Middleware to redirect to https if the request is http and add the Strict Transport Security header to protect against protocol downgrade attacks and cookie hijacking.
Requirements
- PHP >= 7.2
- A PSR-7 http library
- A PSR-15 middleware dispatcher
Installation
This package is installable and autoloadable via Composer as middlewares/https.
composer require middlewares/https
Example
$dispatcher = new Dispatcher([ (new Middlewares\Https()) ->includeSubdomains() ]); $response = $dispatcher->dispatch(new ServerRequest());
Usage
This middleware accept a Psr\Http\Message\ResponseFactoryInterface as a constructor argument, to create the redirect responses. If it's not defined, Middleware\Utils\Factory will be used to detect it automatically.
$responseFactory = new MyOwnResponseFactory(); //Detect the response factory automatically $https = new Middlewares\Https(); //Use a specific factory $htts = new Middlewares\Https($responseFactory);
maxAge
This option allow to define the value of max-age directive for the Strict-Transport-Security header. By default is 31536000 (1 year).
$threeYears = 31536000 * 3; $https = (new Middlewares\Https())->maxAge($threeYears);
includeSubdomains
By default, the includeSubDomains directive is not included in the Strict-Transport-Security header. Use this function to change this behavior.
$https = (new Middlewares\Https())->includeSubdomains();
preload
By default, the preload directive is not included in the Strict-Transport-Security header. Use this function to change this behavior.
$https = (new Middlewares\Https())->preload();
checkHttpsForward
Enabling this option ignore requests containing the header X-Forwarded-Proto: https or X-Forwarded-Port: 443. This is specially useful if the site is behind a https load balancer.
$https = (new Middlewares\Https())->checkHttpsForward();
redirect
This option returns a redirection response from http to https. It's enabled by default.
//Disable redirections $https = (new Middlewares\Https())->redirect(false);
Please see CHANGELOG for more information about recent changes and CONTRIBUTING for contributing details.
The MIT License (MIT). Please see LICENSE for more information.