snicco / open-redirect-protection-middleware
Requires
- php: ^7.4|^8.0
- snicco/http-routing: ^1.10
- snicco/str-arr: ^1.10
Requires (Dev)
- phpunit/phpunit: ^9.5.13
- snicco/http-routing-testing: ^1.10
Conflicts
- snicco/better-wp-api: <1.10.0
- snicco/better-wp-cache: <1.10.0
- snicco/better-wp-cache-bundle: <1.10.0
- snicco/better-wp-cli: <1.10.0
- snicco/better-wp-cli-testing: <1.10.0
- snicco/better-wp-hooks: <1.10.0
- snicco/better-wp-hooks-bundle: <1.10.0
- snicco/better-wp-mail: <1.10.0
- snicco/better-wp-mail-bundle: <1.10.0
- snicco/better-wp-mail-testing: <1.10.0
- snicco/better-wpdb: <1.10.0
- snicco/better-wpdb-bundle: <1.10.0
- snicco/blade-bridge: <1.10.0
- snicco/blade-bundle: <1.10.0
- snicco/content-negotiation-middleware: <1.10.0
- snicco/debug-bundle: <1.10.0
- snicco/default-headers-middleware: <1.10.0
- snicco/eloquent: <1.10.0
- snicco/encryption-bundle: <1.10.0
- snicco/event-dispatcher: <1.10.0
- snicco/event-dispatcher-testing: <1.10.0
- snicco/guests-only-middleware: <1.0.0
- snicco/http-routing-bundle: <1.10.0
- snicco/http-routing-testing: <1.10.0
- snicco/https-only-middleware: <1.10.0
- snicco/illuminate-container-bridge: <1.10.0
- snicco/kernel: <1.10.0
- snicco/kernel-testing: <1.10.0
- snicco/method-override-middleware: <1.10.0
- snicco/minimal-logger: <1.10.0
- snicco/must-match-route-middleware: <1.10.0
- snicco/no-robots-middleware: <1.10.0
- snicco/payload-middleware: <1.10.0
- snicco/pimple-bridge: <1.10.0
- snicco/psr7-error-handler: <1.10.0
- snicco/redirect-middleware: <1.10.0
- snicco/session: <1.10.0
- snicco/session-bundle: <1.10.0
- snicco/session-psr16-bridge: <1.10.0
- snicco/session-testing: <1.10.0
- snicco/session-wp-bridge: <1.10.0
- snicco/share-cookies-middleware: <1.10.0
- snicco/signed-url: <1.10.0
- snicco/signed-url-psr15-bridge: <1.10.0
- snicco/signed-url-psr16-bridge: <1.10.0
- snicco/signed-url-testing: <1.10.0
- snicco/signed-url-wp-bridge: <1.10.0
- snicco/templating: <1.10.0
- snicco/templating-bundle: <1.10.0
- snicco/testable-clock: <1.10.0
- snicco/testing-bundle: <1.10.0
- snicco/trailing-slash-middleware: <1.10.0
- snicco/wp-auth-only-middleware: <1.10.0
- snicco/wp-capability-middleware: <1.10.0
- snicco/wp-capapility-middleware: <1.0.0
- snicco/wp-guests-only-middleware: <1.10.0
- snicco/wp-nonce-middleware: <1.10.0
README
This middleware protects your application against open redirects.
It inspects the location header of the response and disallows any redirects to non-whitelisted
external hosts.
Instead, the user will be redirected to the configured "exit" page.
The intended redirect location will be available in a intented_redirect query variable.
Installation
composer require snicco/open-redirect-protection-middleware
Usage
This middleware should be added globally in the MiddlewareResolver.
The OpenRedirectProtection middleware must be bound in the PSR-11 container
that is used by the snicco/http-routing component.
use Snicco\Middleware\OpenRedirectProtection\OpenRedirectProtection; // In your PSR-11 container. $open_redirect_protection = new OpenRedirectProtection( 'snicco.io', // the host of your application '/exit', // the page path [ 'stripe.com', 'accounts.stripe.com' ] // Whitelisted domains. )
Contributing
This repository is a read-only split of the development repo of the Snicco project.
This is how you can contribute.
Reporting issues and sending pull requests
Please report issues in the Snicco monorepo.
Security
If you discover a security vulnerability, please follow our disclosure procedure.