This package is not installable via Composer 1.x, please make sure you upgrade to Composer 2+. Read more about our Composer 1.x deprecation policy.

Some useful middleware for silex

1.3 2019-01-11 22:01 UTC

This package is auto-updated.

Last update: 2021-06-12 03:39:50 UTC


A collection of middleware for use with Silex.


composer require ronanchilvers/silex-middleware


Configuration details varies depending on the middleware in use. See the notes below for specifics.

Available Middlewares

Content Security Policy

This middleware allows you to add a Content-Security-Policy header to responses. It uses the paragonie/csp-builder library to build the headers. You can pass your policy as an array as the first constructor argument.

    new Ronanchilvers\Silex\Middleware\ContentSecurityPolicy([
        'default-src' => [
            'self' => true,
            'unsafe-inline' => true,
        'style-src' => [
            'allow' => [
            'self' => true,
            'unsafe-inline' => true,
        'font-src' => [
            'allow' => [
            'self' => true
        'report-only' => true,

Referrer Policy

This middleware adds a Referrer-Policy header to responses. This header has a single policy directive as its value which must be one of:

  • <empty string>
  • no-referrer
  • no-referrer-when-downgrade
  • same-origin
  • origin
  • strict-origin
  • origin-when-cross-origin
  • strict-origin-when-cross-origin
  • unsafe-url

The exact meaning of each of these is explained in this blog post by Scott Helme as well as on the official specification.

// This adds the middleware with a default 'no-referrer' policy
$app->after(new Ronanchilvers\Silex\ReferrerPolicy());

// This specifies the 'strict-origin' policy
$app->after(new Ronanchilvers\Silex\ReferrerPolicy('strict-origin'));

Strict Transport Security

This middleware adds HSTS or Strict Transport Security headers to every response.

// Add with defaults
$app->after(new Ronanchilvers\Silex\Middleware\StrictTransportSecurity());

// Or - set the max-age to 1 day / 86400 seconds
$app->after(new Ronanchilvers\Silex\Middleware\StrictTransportSecurity(86400));

The middleware accepts two constructor arguments:

  • Max age in seconds - defaults to 15552000 seconds or 6 months
  • Include sub domains - defaults to false