SecureHeaders Versions

A PHP library aiming to make the use of browser security features more accessible.

v2.0.1

6 years ago

In this bugfix release the following has changed:

Fixed

  • Fix bug where header with "falsey" value would not be properly set
  • Ensure strict-dynamic is also opportunistically injected into the report only CSP; add missing options to control this behaviour

v2.0

6 years ago

It's been a long journey, but I'm pleased to finally release SecureHeaders v2.0 🎉

First and foremost, a special thank you to @franzliedke and @lucasmichot for their invaluable efforts that have helped us get here.

If you're completely new, feel free to check out the README, Getting Started, and the full documentation in the Wiki.

[2.0] - 2017-07-16

Here's what we've been up to since v1.

Added

  • You can now easily integrate SecureHeaders with arbitrary frameworks by implementing the HttpAdapter (Aidantwoods\SecureHeaders\Http\HttpAdapter).

  • Better cookie upgrades: specifically, incorporating the SameSite cookie attribute. SameSite=Lax will be added alongside the HttpOnly and Secure flags to sensitive-looking cookies by default, and will be upgraded to SameSite=Strict if operating in strictMode.

  • Add a new header by default: The new header being X-Permitted-Cross-Domain-Policies: none. As with other automatic headers, this will be done via a header proposal – so this can be explicitly removed or modified as you prefer if the default is not desired.

  • Add a new header by default: Referrer-Policy: strict-origin-when-cross-origin with a fallback policy of no-referrer. I've made no-referrer the fallback because it is the only policy value (currently) supported by both Chrome and FF which guarantees that the full query string will remain private on cross-origin requests, and that no URL is leaked over the network on insecure requests (to the same origin).

  • Add a new header by default: Expect-CT: max-age=0. Spec here. This defaults to reporting mode, but will be configurable to operate in enforce mode, or just reporting with some report-uri specified.

    I think it's a good idea to initially set Expect-CT: max-age=0 so that (when browsers support it) they will start to warn if the CT requirements are not met (presumably in the browser console). Note that by not including the enforce directive here, browsers will not enforce and only warn – so there's no risk of causing sites downtime if they don't meet the requirements.
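The cookie upgrade and the default header proposals described above, as an added plain-PHP illustration written for this page. It is not SecureHeaders' own code: the function names, the "sensitive-looking" cookie-name heuristic, and the way a proposal yields to an existing header are all assumptions made for the example. The Referrer-Policy value lists the fallback first, because a browser that does not recognise the later token uses the earlier one.

```php
<?php
// Added example, not SecureHeaders' own implementation. Function names and
// the sensitive-name heuristic below are assumptions for illustration.

declare(strict_types=1);

// Assumed heuristic: cookies whose names contain one of these fragments are
// treated as sensitive and receive the protective attributes.
const SENSITIVE_FRAGMENTS = ['sess', 'auth', 'login', 'token', 'csrf'];

function looksSensitive(string $cookieName): bool
{
    $lower = strtolower($cookieName);
    foreach (SENSITIVE_FRAGMENTS as $fragment) {
        if (strpos($lower, $fragment) !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Upgrade one Set-Cookie header value: add HttpOnly and Secure to a
 * sensitive-looking cookie, add SameSite=Lax when no SameSite attribute is
 * present, and in strict mode force SameSite=Strict.
 */
function upgradeSetCookie(string $setCookie, bool $strictMode = false): string
{
    $parts = array_map('trim', explode(';', $setCookie));
    $nameValue = array_shift($parts);
    $name = explode('=', $nameValue, 2)[0];

    if (!looksSensitive($name)) {
        return $setCookie;
    }

    // Index existing attributes case-insensitively by attribute name so that
    // "httponly" and "HttpOnly" are not emitted twice.
    $attributes = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$attrName, $attrValue] = array_pad(explode('=', $part, 2), 2, null);
        $attributes[strtolower($attrName)] = [$attrName, $attrValue];
    }

    $attributes['httponly'] = ['HttpOnly', null];
    $attributes['secure']   = ['Secure', null];

    if ($strictMode) {
        $attributes['samesite'] = ['SameSite', 'Strict'];
    } elseif (!isset($attributes['samesite'])) {
        $attributes['samesite'] = ['SameSite', 'Lax'];
    }

    $rebuilt = [$nameValue];
    foreach ($attributes as [$attrName, $attrValue]) {
        $rebuilt[] = $attrValue === null ? $attrName : $attrName . '=' . $attrValue;
    }
    return implode('; ', $rebuilt);
}

/**
 * Header proposals matching the defaults described in the v2.0 notes.
 * Strict mode swaps the report-only Expect-CT for the enforcing one.
 */
function defaultHeaderProposals(bool $strictMode = false): array
{
    return [
        'X-Permitted-Cross-Domain-Policies' => 'none',
        // Fallback first; the last recognised token wins in the browser.
        'Referrer-Policy' => 'no-referrer, strict-origin-when-cross-origin',
        'Expect-CT' => $strictMode ? 'max-age=31536000; enforce' : 'max-age=0',
    ];
}

/**
 * Assumed proposal semantics: a proposal is only applied when the
 * application has not already set a header of that name.
 */
function applyProposals(array $existing, array $proposals): array
{
    $lowerExisting = array_change_key_case($existing, CASE_LOWER);
    foreach ($proposals as $name => $value) {
        if (!array_key_exists(strtolower($name), $lowerExisting)) {
            $existing[$name] = $value;
        }
    }
    return $existing;
}

// Constructed sample input: a session cookie set with no protective
// attributes, and an application that already chose its own Referrer-Policy.
$cookie = 'PHPSESSID=abc123; Path=/';
echo upgradeSetCookie($cookie), "\n";
echo upgradeSetCookie($cookie, true), "\n";

$headers = applyProposals(['Referrer-Policy' => 'same-origin'], defaultHeaderProposals());
print_r($headers);
```

Running it shows the session cookie gaining HttpOnly, Secure and SameSite=Lax (SameSite=Strict in the strict-mode call), and the application's own Referrer-Policy surviving while the other two proposals are added.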

Changed

  • SecureHeaders is now intended to be a composer library, meaning that the single SecureHeaders.php will no longer contain the whole library. However, you may now instead download and include/require the entire library via the SecureHeaders.phar release.

  • The SecureHeaders class is now namespaced to Aidantwoods\SecureHeaders\SecureHeaders.

  • Strict Mode now includes injecting the SameSite cookie attribute.

  • Strict Mode now includes the Expect-CT: max-age=31536000; enforce as a header proposal.

  • If SecureHeaders throws an exception, it'll only auto-send the headers when emitting that exception if applyOnOutput has been enabled (it is not on by default).

Removed

  • doneOnOutput and done are now applyOnOutput and apply. These new methods allow custom HttpAdapters to be used (so you can integrate more easily with frameworks), but if you supply no arguments the "global" HttpAdapter will be used (i.e. interact directly with PHP's header() and similar functions).

  • addHeader has been removed. You should add headers with header() or via your framework now.

  • correctHeaderName has been removed. Please ensure your header names are correct.

  • PHP 5.3 is no longer supported.


Signed Release

If you are obtaining the .phar signature, my GPG fingerprint is A0EAF427E34F44505F171FB09A6A8EFAA512BBB9; you can obtain my key with:

gpg --recv-keys A0EAF427E34F44505F171FB09A6A8EFAA512BBB9

Additionally, you can verify that I, Aidan Woods, am the owner of the @aidantwoods GitHub account, the given GPG key, and various other online identities via the signature chain available at https://keybase.io/aidanwoods/sigchain#6fc6b2061420868891261c72f7094e841fadfb37a577dd83ec5a6147138a9da80f.

v1.0.1

7 years ago

This version is not backwards compatible (sorry!)

Hopefully a good change though: the naming scheme has changed from under_scores to the community-preferred camelCase for method names.

There are no functionality changes – so you just need to change the naming scheme to adjust.

SecureHeaders is now a composer package on packagist.

So installation should be nice and easy now!

v1.0.1 contains a naming-related bugfix.

v1.0.0

7 years ago

This version is not backwards compatible (sorry!)

Hopefully a good change though: the naming scheme has changed from under_scores to the community-preferred camelCase for method names.

There are no functionality changes – so you just need to change the naming scheme to adjust.

SecureHeaders is now a composer package on packagist.

So installation should be nice and easy now!

v0.0.2-beta

7 years ago

Feedback welcome.

Bugs/Suggestions

v0.0.1-beta

7 years ago

Feedback welcome.

Bugs/Suggestions

v0.0-beta

7 years ago

Feedback welcome.

Bugs/Suggestions