Download the PHP package altis/browser-security without Composer

On this page you can find all versions of the php package altis/browser-security. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package browser-security

Altis Browser Security

Improve the browser security of your WordPress site.

Built for, and included with, Altis, the WordPress Digital Experience Platform for Enterprise.

Installation

You can use this plugin either directly as a submodule or as a Composer dependency.

Configuration

If you are using this as part of the Altis DXP, configuration is handled via the configuration framework. Consult the Altis security module documentation.

As a standalone plugin, you can use the following constants to change the behaviour of this module:

Features

Subresource Integrity

This plugin automatically adds subresource integrity hashes where possible. These will be generated for any files on the same server; i.e. any plugin or theme assets.

These hashes will be automatically cached in the object cache, linked to the filename and version of the script or stylesheet.

For external assets, you can manually set the integrity hash. After enqueuing (or registering) your asset, use the set_hash_for_script() or set_hash_for_style() helpers:
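An added example, not taken from the plugin's README: computing the integrity value for an external script and registering it. The handle, URL and file path are constructed; the `Altis\Security\Browser` namespace and the two-argument `set_hash_for_script( $handle, $hash )` call are assumptions, since the page names the helper but does not show its signature.

```php
<?php
use function Altis\Security\Browser\set_hash_for_script; // Assumed namespace.

/**
 * Build an SRI value ("sha384-<base64 digest>") from the exact bytes of an asset.
 */
function example_sri_hash( string $contents, string $algo = 'sha384' ) : string {
	if ( ! in_array( $algo, [ 'sha256', 'sha384', 'sha512' ], true ) ) {
		throw new InvalidArgumentException( "Unsupported SRI algorithm: $algo" );
	}

	// SRI uses the raw binary digest, base64-encoded, not the hex string.
	return $algo . '-' . base64_encode( hash( $algo, $contents, true ) );
}

add_action( 'wp_enqueue_scripts', function () {
	// Constructed handle and URL. Pin an exact version: if the CDN ever
	// serves different bytes, the browser refuses to run the script.
	wp_enqueue_script(
		'example-lib',
		'https://cdn.example.com/lib/1.2.3/lib.min.js',
		[],
		'1.2.3',
		true
	);

	// Hash a copy that was downloaded and reviewed, stored with the theme
	// (constructed path). Never hash whatever the CDN returns at runtime,
	// or a tampered file would simply receive a matching hash.
	$reviewed = file_get_contents( get_theme_file_path( 'reviewed/lib-1.2.3.min.js' ) );
	if ( false !== $reviewed ) {
		set_hash_for_script( 'example-lib', example_sri_hash( $reviewed ) );
	}
} );
```

In a real deployment the hash would normally be computed once at build time and stored as a literal, so the file read does not happen on every request.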

Content-Security-Policy

This plugin can gather and send Content-Security-Policy policies for you automatically.

Out of the box, no policies are sent. CSP policies tend to be specific to sites, so no assumptions are made about what you may want.

Add a filter to altis.security.browser.content_security_policies to set policies. This filter receives an array, where the keys are the policy directive names. Each item can either be a string or a list of directive value strings:

Special directives ('self', 'unsafe-inline', 'unsafe-eval', 'none', 'strict-dynamic') do not need to be double-quoted.

You can also modify individual directives if desired:

To build Content-Security-Policy policies, we recommend using the Laboratory CSP toolkit extension for Firefox, and the CSP Evaluator tool.

Report-Only Policies

To send a Content-Security-Policy-Report-Only header, use the exact same process described above for the ordinary CSP policies with the alternative filter altis.security.browser.report_only_content_security_policies.

An external service must be used to ingest the reports from Report-Only policies. The external service will provide you with a reporting URL which you can use by adding a report-uri directive with the appropriate URL for processing reports.

As an example, you can add a reporting directive to your Report-Only policies by filtering the policies array:

You can also modify individual directives for use in report-only policies in the same manner described above using the filters,

Both normal and report-only policies may be used simultaneously.
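An added example, not taken from the plugin's README: an enforced policy and a tighter report-only candidate built from one shared baseline, using the two filters named above. All host names and the reporting URL are placeholders.

```php
<?php
/**
 * Directives shared by the enforced and the report-only policy.
 * Keys are directive names; values are a string or a list of strings.
 */
function example_csp_baseline() : array {
	return [
		'default-src' => 'self', // Special keywords are passed without extra quotes.
		'object-src'  => 'none',
		'base-uri'    => 'self',
		'img-src'     => [ 'self', 'data:', 'https://images.example.com' ],
		'font-src'    => [ 'self', 'https://fonts.example.com' ],
	];
}

// Enforced policy: what the site is known to need today.
add_filter( 'altis.security.browser.content_security_policies', function ( array $policies ) : array {
	$policies = array_merge( $policies, example_csp_baseline() );

	// Inline scripts are still tolerated here until the report-only
	// candidate below has run without violations.
	$policies['script-src'] = [ 'self', 'unsafe-inline', 'https://cdn.example.com' ];

	return $policies;
} );

// Report-only policy: the stricter candidate, observed before it is enforced.
add_filter( 'altis.security.browser.report_only_content_security_policies', function ( array $policies ) : array {
	$policies = array_merge( $policies, example_csp_baseline() );

	// Same sources, but without 'unsafe-inline'.
	$policies['script-src'] = [ 'self', 'https://cdn.example.com' ];

	// URL issued by the external report-ingestion service (placeholder).
	$policies['report-uri'] = 'https://csp-reports.example.com/r/REPLACE_ME';

	return $policies;
} );
```

Once the reporting service shows no violations from legitimate pages, the `script-src` value from the report-only callback can replace the one in the enforced callback.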

Security Headers

This plugin automatically adds various security headers by default. These follow best practices for web security and aim to provide a sensible, secure default.

In some cases, you may want to adjust or disable these headers depending on the use cases of your site.

Strict-Transport-Security

The Strict-Transport-Security header (sometimes called HSTS) is used to enforce HTTPS (TLS/SSL) connections when loading a site and can be used to enhance the site's security.

By default, Altis adds a Strict-Transport-Security header if your site is served over HTTPS, with the value set to max-age=86400 (one day). If you want to override this value (such as for longer durations, or to specify includeSubdomains), you can define the ABS_HSTS constant:

To disable the automatic behaviour entirely, set the constant to false:

X-Content-Type-Options

By default, Altis adds an X-Content-Type-Options header with the value set to nosniff. This prevents browsers from attempting to guess the content type based on the content, and instead forces them to follow the type set in the Content-Type header.

This should generally always be sent, and your content type should always be set explicitly. If you need to disable it, set the ABS_NOSNIFF_HEADER constant:

X-Frame-Options

By default, Altis adds an X-Frame-Options header with the value set to sameorigin. This prevents your site from being iframed into another site, which can prevent clickjacking attacks.

This should generally always be sent, but in some cases, you may want to allow specific sites to iframe your site, or allow any sites. To disable the automatic header, set the ABS_FRAME_OPTIONS_HEADER constant:

You can then send your own headers as needed. We recommend hooking into the template_redirect hook to send these headers.
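An added example, not taken from the plugin's README, covering the ABS_HSTS override and the X-Frame-Options replacement described above. It assumes ABS_HSTS holds the raw header value; the page slug and partner origin are constructed.

```php
<?php
// --- wp-config.php, before WordPress loads plugins ---

// One year, covering subdomains. Every subdomain must already serve HTTPS:
// browsers remember this value for the whole max-age period.
define( 'ABS_HSTS', 'max-age=31536000; includeSubDomains' );

// Turn off the automatic X-Frame-Options header so it can be sent per page.
define( 'ABS_FRAME_OPTIONS_HEADER', false );

// --- in a plugin or mu-plugin ---

add_action( 'template_redirect', function () {
	if ( headers_sent() ) {
		return;
	}

	// Constructed slug: the single page a partner is allowed to embed.
	if ( is_page( 'embed-widget' ) ) {
		// X-Frame-Options cannot name a specific third-party origin in
		// current browsers, so the allowlist is expressed with the CSP
		// frame-ancestors directive instead.
		header( "Content-Security-Policy: frame-ancestors 'self' https://partner.example.com" );
		return;
	}

	// Every other front-end page keeps the same protection the plugin
	// would have sent automatically.
	header( 'X-Frame-Options: SAMEORIGIN' );
} );
```

`template_redirect` fires only for front-end template loads, so responses served outside it (for example the REST API and the admin) no longer carry X-Frame-Options once the constant is set to false.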

X-XSS-Protection

By default, Altis adds an X-XSS-Protection header with the value set to 1; mode=block. This prevents browsers from loading the page if they detect cross-site scripting (XSS) attacks.

This should generally always be sent. If you need to disable it, set the ABS_XSS_PROTECTION_HEADER constant:

Restrict CORS origins

By default, WordPress will allow REST API requests from any Origin. This plugin adds a new filter altis.security.browser.rest_allow_origin to restrict CORS origins.

To completely disallow external requests, set the filter to false:

To allow specific origins only:

To disallow all .local domains:
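An added example, not taken from the plugin's README: one callback that combines the allowlist and the .local rule. The arguments the filter passes are not shown on the page, so the `( $allow, $origin )` pair is an assumption and the code falls back to WordPress's `get_http_origin()`; the allowed origins are constructed.

```php
<?php
/**
 * Decide whether a REST API request's Origin may be allowed.
 */
function example_rest_origin_allowed( string $origin ) : bool {
	// Constructed allowlist: scheme, host and optional port, no trailing slash.
	$allowed = [ 'https://app.example.com', 'https://admin.example.com' ];

	$parts = wp_parse_url( $origin );
	if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
		return false; // Missing, "null" or malformed Origin.
	}

	$host = strtolower( $parts['host'] );

	// Match .local as a host suffix. A substring test would also hit
	// hosts such as "foo.local.example.com".
	if ( 'local' === $host || '.local' === substr( $host, -6 ) ) {
		return false;
	}

	// Compare the normalised origin exactly; prefix or substring checks
	// would accept look-alike hosts such as "app.example.com.attacker.example".
	$normalised = strtolower( $parts['scheme'] ) . '://' . $host
		. ( isset( $parts['port'] ) ? ':' . $parts['port'] : '' );

	return in_array( $normalised, $allowed, true );
}

add_filter(
	'altis.security.browser.rest_allow_origin',
	function ( $allow, $origin = null ) {
		// Assumed second argument; use the request's Origin if it is absent.
		$origin = is_string( $origin ) ? $origin : get_http_origin();
		return example_rest_origin_allowed( (string) $origin );
	},
	10,
	2
);

// To refuse every cross-origin REST request instead:
// add_filter( 'altis.security.browser.rest_allow_origin', '__return_false' );
```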

License

Altis Browser Security is licensed under the GPLv2 or later. Copyright 2019 Human Made and contributors.


All versions of browser-security with dependencies

Requires php Version >=7.1