A PHP library aiming to make the use of browser security features more accessible.
It's been a long journey, but I'm pleased to finally release SecureHeaders v2.0 🎉
First and foremost, a special thank you to @franzliedke and @lucasmichot for their invaluable efforts that have helped us get here.
If you're completely new, feel free to check out the README, Getting Started, and the full documentation in the Wiki.
Here's what we've been up to since v1:
You can now easily integrate SecureHeaders with arbitrary frameworks by implementing the HttpAdapter (Aidantwoods\SecureHeaders\Http\HttpAdapter).
Better cookie upgrades: specifically, incorporating the SameSite cookie attribute. SameSite=Lax will be added alongside the HttpOnly and Secure flags to sensitive-looking cookies by default, and will be upgraded to SameSite=Strict if operating in strictMode.
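The cookie upgrade described above, as an added illustration that is not SecureHeaders' own code: a stand-alone PHP function that applies the same defaults (HttpOnly, Secure, SameSite=Lax, or SameSite=Strict in strict mode) to a raw Set-Cookie header value. The list of "sensitive-looking" name fragments is an assumption made for this example, not the library's list.

```php
<?php
// Added illustration, not SecureHeaders' own code: apply the v2 cookie defaults
// to a raw Set-Cookie header value when the cookie name looks sensitive.
function upgradeSetCookie($setCookie, $strictMode = false)
{
    // Assumed heuristic for "sensitive looking" names (not the library's list).
    $sensitiveFragments = array('sess', 'auth', 'login', 'token', 'csrf');

    $parts = array_map('trim', explode(';', $setCookie));
    $nameValue = array_shift($parts);
    $name = strtolower(strstr($nameValue, '=', true) ?: $nameValue);

    $sensitive = false;
    foreach ($sensitiveFragments as $fragment) {
        $sensitive = $sensitive || strpos($name, $fragment) !== false;
    }
    if (!$sensitive) {
        return $setCookie; // non-sensitive cookies are left untouched
    }

    // Index existing attributes case-insensitively so nothing is emitted twice.
    $attrs = array();
    foreach ($parts as $part) {
        if ($part === '') {
            continue; // tolerate a trailing ';'
        }
        list($key, $value) = array_pad(explode('=', $part, 2), 2, null);
        $attrs[strtolower($key)] = array($key, $value);
    }
    $attrs['httponly'] = array('HttpOnly', null);
    $attrs['secure'] = array('Secure', null);

    // strictMode forces SameSite=Strict; otherwise add Lax only when the cookie sets none itself.
    if ($strictMode) {
        $attrs['samesite'] = array('SameSite', 'Strict');
    } elseif (!isset($attrs['samesite'])) {
        $attrs['samesite'] = array('SameSite', 'Lax');
    }

    $out = array($nameValue);
    foreach ($attrs as $attr) {
        $out[] = $attr[1] === null ? $attr[0] : $attr[0] . '=' . $attr[1];
    }
    return implode('; ', $out);
}
// Constructed sample headers for demonstration.
echo upgradeSetCookie('sessionid=abc123; Path=/'), "\n";
echo upgradeSetCookie('sessionid=abc123; Path=/', true), "\n";
echo upgradeSetCookie('theme=dark; Path=/'), "\n";
```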
Add a new header by default: X-Permitted-Cross-Domain-Policies: none. As with other automatic headers, this will be done via a header proposal – so this can be explicitly removed or modified as you prefer if the default is not desired.
Add a new header by default: Referrer-Policy: strict-origin-when-cross-origin, with a fallback policy of no-referrer. I've made no-referrer the fallback because it is the only policy value (currently) supported by both Chrome and FF which guarantees that the full query string will remain private on cross-origin requests, and that no URL is leaked over the network on insecure requests (to the same origin).
Add a new header by default: Expect-CT: max-age=0. Spec here.
This defaults to reporting mode, but will be configurable to operate in enforce mode, or just reporting with some report-uri specified. I think it's a good idea to initially set Expect-CT: max-age=0 so that (when browsers support it) they will start to warn if the CT requirements are not met (presumably in the browser console). Note that by not including the enforce directive here, browsers will not enforce and only warn – so there's no risk of causing site downtime if the requirements are not met.
SecureHeaders is now intended to be a composer library, meaning that the single SecureHeaders.php will no longer contain the whole library. However, you may now instead download and include/require the entire library via the SecureHeaders.phar release.
The SecureHeaders class is now namespaced to Aidantwoods\SecureHeaders\SecureHeaders.
Strict Mode now includes injecting the SameSite cookie attribute.
Strict Mode now includes the Expect-CT: max-age=31536000; enforce header as a header proposal.
If SecureHeaders throws an exception, it'll only auto-send the headers when emitting that exception if applyOnOutput has been enabled (it is not on by default).
doneOnOutput and done are now applyOnOutput and apply. These new methods allow custom HttpAdapters to be used (so you can integrate more easily with frameworks), but if you supply no arguments the "global" HttpAdapter will be used (i.e. interact directly with PHP's header() and similar functions).
addHeader has been removed. You should add headers with header() or via your framework now.
correctHeaderName has been removed. Please ensure your header names are correct.
PHP 5.3 is no longer supported.
If you are obtaining the .phar signature, my GPG fingerprint is A0EAF427E34F44505F171FB09A6A8EFAA512BBB9; you can obtain my key with:
gpg --recv-keys A0EAF427E34F44505F171FB09A6A8EFAA512BBB9
Additionally, you can verify that I, Aidan Woods am the owner of the @aidantwoods GitHub account, the given GPG key, and various other online identities via the signature chain available at https://keybase.io/aidanwoods/sigchain#6fc6b2061420868891261c72f7094e841fadfb37a577dd83ec5a6147138a9da80f.
This version is not backwards compatible (sorry!)
Hopefully a good change though: the naming scheme has changed from under_scores to the community-preferred camelCase for method names.
There are no functionality changes – so you just need to change the naming scheme to adjust.
SecureHeaders is now a composer package on packagist.
So installation should be nice and easy now!
v1.0.1 contains a naming related bugfix
Feedback welcome.