PHP code example of bicf / yii2-security-headers
1. Go to this page and download the library: Download bicf/yii2-security-headers library. Choose the download type "require".
2. Extract the ZIP file and open index.php.
3. Add this code to index.php.
<?php
// Composer autoloader for the bicf/yii2-security-headers package installed in step 1.
// The path is relative: PHP resolves it through include_path, then this script's own
// directory and the current working directory, so keep index.php next to vendor/.
require_once 'vendor/autoload.php';
// Start to develop here.
bicf / yii2-security-headers example snippets
[
// Listing the module under 'bootstrap' loads it on every request, so the headers are
// added regardless of which controller/action handles the request.
'bootstrap'=>[
'securityHeader',
],
'modules' => [
'securityHeader' => [
'class' => bicf\securityheaders\Module::class,
// One sub-module per response header: the array key is the module id, 'value' the header
// content (presumably emitted as given — verify against the Header* classes).
'modules' => [
// Stops browsers from MIME-sniffing a response away from its declared Content-Type.
'XContentTypeOptions'=>[
'class' => 'bicf\securityheaders\modules\HeaderXContentTypeOptions',
'value' => 'nosniff',
],
// Framing allowed only from pages of the same origin (clickjacking mitigation).
'XFrameOptions'=>[
'class' => 'bicf\securityheaders\modules\HeaderXFrameOptions',
'value' => 'SAMEORIGIN',
],
// CORS: only GET is advertised, and only https://api.example.com may read cross-origin
// responses. Replace the example origin with the real consumer; never use '*' here.
'AccessControlAllowMethods'=>[
'class' => 'bicf\securityheaders\modules\HeaderAccessControlAllowMethods',
'value' => 'GET',
],
'AccessControlAllowOrigin'=>[
'class' => 'bicf\securityheaders\modules\HeaderAccessControlAllowOrigin',
'value' => 'https://api.example.com',
],
// Disabled in this example: only the Monitor entry below is active. The Acl/Monitor pair
// looks like enforce vs. report-only — confirm in the module classes before assuming
// anything is actually enforced with this configuration.
'ContentSecurityPolicyAcl'=>[
'class' => 'bicf\securityheaders\modules\HeaderContentSecurityPolicyAcl',
'enabled' => false,
'policies' => [
// 'self' everywhere plus a short allowlist of third-party hosts. No 'unsafe-inline' is
// listed, so inline scripts presumably rely on the nonce the response/Html helpers add.
'default-src' => "'self'",
'frame-src' => "'self' www.facebook.com www.youtube.com www.google.com",
'img-src' => "'self' www.google-analytics.com",
'font-src' => "'self' fonts.gstatic.com maxcdn.bootstrapcdn.com",
'media-src' => "'self'",
'script-src' => "'self' www.google-analytics.com",
'style-src' => "'self' maxcdn.bootstrapcdn.com",
'connect-src' => "'self'",
// Browsers POST violation reports here; the route must exist and accept that body.
'report-uri' => "/report-csp-acl",
],
],
// Same policy and same report-uri as the Acl entry above; keep the two in sync when the
// host allowlist changes, otherwise the reports will not reflect what is enforced.
'ContentSecurityPolicyMonitor'=>[
'class' => 'bicf\securityheaders\modules\HeaderContentSecurityPolicyMonitor',
'policies' => [
'default-src' => "'self'",
'frame-src' => "'self' www.facebook.com www.youtube.com www.google.com",
'img-src' => "'self' www.google-analytics.com",
'font-src' => "'self' fonts.gstatic.com maxcdn.bootstrapcdn.com",
'media-src' => "'self'",
'script-src' => "'self' www.google-analytics.com",
'style-src' => "'self' maxcdn.bootstrapcdn.com",
'connect-src' => "'self'",
'report-uri' => "/report-csp-acl",
],
],
],
],
],
'components' => [
// components stuff
// no need to add anything
],
]
// style-src made only of sha256 hashes of specific inline <style> blocks (hash values as
// given on this page). With no 'self' or host source listed, stylesheets loaded from files
// would not match this directive — add them explicitly if the page uses any. Any edit to a
// hashed inline block invalidates its hash.
'style-src' => "'sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=' 'sha256-6fwFCXmgb6H4XQGajtDSVG3YuKmX3dT1NkX4+z510Og=' 'sha256-ZdHxw9eWtnxUb3mk6tBS+gIiVUPE3pGM470keHPDFlE='",
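/**
 * Renders a `<script>` tag, adding the CSP nonce attribute when the active response
 * implements SecureRequestInterface and has the nonce behavior attached.
 *
 * Caller-supplied keys in `$options` win over the token array (array_merge lets the
 * later argument override string keys), so passing an explicit `nonce` replaces the
 * generated one — intended for the rare case where a caller manages its own nonce.
 *
 * @param string $content script body
 * @param array $options tag attributes (name => value)
 * @return string the rendered tag
 */
public static function script($content, $options = [])
{
    $response = Yii::$app->response;
    if ($response instanceof SecureRequestInterface) {
        $behavior = $response->getBehavior(SecureRequestInterface::CSP_NONCE_BEHAVIOR);
        // getBehavior() yields null when the behavior is not attached; strict comparison
        // replaces the loose `!= null` so no object/falsy-value surprises creep in.
        if ($behavior !== null) {
            $options = array_merge($response->getContentSecurityPolicyTokenArray(), $options);
        }
    }
    return static::tag('script', $content, $options);
}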
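/**
 * Renders a `<script src="...">` tag for an external file.
 *
 * When `$options['condition']` is set the tag is wrapped in an IE conditional comment
 * and returned before any CSP handling, so that branch carries no nonce. Otherwise the
 * CSP nonce attribute is merged in when the response implements SecureRequestInterface
 * and the behavior is attached. Note this looks the behavior up by the literal name
 * 'cspBehavior' whereas script() uses SecureRequestInterface::CSP_NONCE_BEHAVIOR — the
 * two should refer to the same name; confirm and prefer the constant.
 *
 * @param string|array $url the script URL, resolved through Url::to()
 * @param array $options tag attributes; caller-supplied keys override the token array
 * @return string the rendered tag
 */
public static function jsFile($url, $options = [])
{
    $options['src'] = Url::to($url);
    if (isset($options['condition'])) {
        $condition = $options['condition'];
        unset($options['condition']);
        return self::wrapIntoCondition(static::tag('script', '', $options), $condition);
    }
    $response = Yii::$app->response;
    if ($response instanceof SecureRequestInterface) {
        $behavior = $response->getBehavior('cspBehavior');
        // Strict null check: getBehavior() returns null when nothing is attached.
        if ($behavior !== null) {
            $options = array_merge($response->getContentSecurityPolicyTokenArray(), $options);
        }
    }
    return static::tag('script', '', $options);
}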
/**
 * Renders a `<script src="...">` tag for an external file.
 *
 * The plain case delegates to script(), which adds the CSP nonce attribute when the
 * secure response is active. The conditional-comment case calls tag() directly and
 * therefore bypasses script() — that tag gets no nonce.
 *
 * @param string|array $url the script URL, resolved through Url::to()
 * @param array $options tag attributes; 'condition' selects the conditional-comment path
 * @return string the rendered tag
 */
public static function jsFile($url, $options = [])
{
    $options['src'] = Url::to($url);
    if (!isset($options['condition'])) {
        return static::script('', $options);
    }
    $ieCondition = $options['condition'];
    unset($options['condition']);
    $tag = static::tag('script', '', $options);
    return self::wrapIntoCondition($tag, $ieCondition);
}
/**
 * Renders mini-toolbar at the end of page body.
 *
 * Nothing is emitted when access is denied or the request is AJAX. The inline
 * `<script>` carries the response's CSP token attribute; the inline `<style>` carries
 * none, so a style-src without 'unsafe-inline' (or a matching hash) may block it —
 * confirm against the active policy. getContentSecurityPolicyTokenAttribute() is called
 * unconditionally here, unlike the instanceof-guarded Html helpers, so this assumes the
 * secure Response component is configured.
 *
 * @param \yii\base\Event $event
 */
public function renderToolbar($event)
{
    if (!$this->checkAccess() || Yii::$app->getRequest()->getIsAjax()) {
        return;
    }
    /* @var $view View */
    $view = $event->sender;
    // The module id is interpolated into PHP source that renderDynamic() evaluates; it
    // comes from application config, not from the request — keep it that way.
    $toolbarCall = sprintf('return Yii::$app->getModule("%s")->getToolbarHtml();', $this->id);
    echo $view->renderDynamic($toolbarCall);
    // echo is used in order to support cases where asset manager is not available
    $toolbarCss = $view->renderPhpFile(__DIR__ . '/assets/toolbar.css');
    echo '<style>' . $toolbarCss . '</style>';
    $nonceAttribute = Yii::$app->response->getContentSecurityPolicyTokenAttribute();
    $toolbarJs = $view->renderPhpFile(__DIR__ . '/assets/toolbar.js');
    echo '<script ' . $nonceAttribute . '>' . $toolbarJs . '</script>';
}
// Standalone example of emitting a raw inline <script>: the response's CSP token attribute
// is interpolated into the opening tag so the inline JS satisfies a nonce-based script-src.
// No instanceof guard here, unlike Html::script() — assumes the secure Response component.
echo '<script '.Yii::$app->response->getContentSecurityPolicyTokenAttribute().'>' . $view->renderPhpFile(__DIR__ . '/assets/toolbar.js') . '</script>';
/**
 * Disables the 'sample-module' header module for this response only, then renders index.
 *
 * The module is looked up by its configured key on the response component; an unknown
 * key faults here rather than being ignored, so the key must match the 'modules' config.
 *
 * @return string the rendered view
 */
public function actionIndex() {
    $response = Yii::$app->getResponse();
    $response->modules['sample-module']->enabled = false;
    return $this->render("index");
}
[
'components' => [
// Component-based variant: the package's Response class replaces Yii's and attaches the
// headers from its own afterPrepare event via the static handler below.
'response' => [
'class' => 'bicf\securityheaders\components\Response',
'on afterPrepare' => ['bicf\securityheaders\components\Response','addSecurityHeaders'],
// Same per-header sub-modules as the module-based example, but note: no XFrameOptions entry
// here, so add one if clickjacking protection is wanted with this setup.
'modules' => [
'XContentTypeOptions'=>[
'class' => 'bicf\securityheaders\modules\HeaderXContentTypeOptions',
'value' => 'nosniff',
],
// Class name ends in '2', unlike HeaderAccessControlAllowMethods in the module-based
// example — looks like a typo; verify the class exists or component creation will fail.
'AccessControlAllowMethods'=>[
'class' => 'bicf\securityheaders\modules\HeaderAccessControlAllowMethods2',
'value' => 'GET',
],
// Only this origin may read cross-origin responses; replace the example value, never '*'.
'AccessControlAllowOrigin'=>[
'class' => 'bicf\securityheaders\modules\HeaderAccessControlAllowOrigin',
'value' => 'https://api.example.com',
],
// Disabled: only the Monitor entry below is active. Acl/Monitor presumably map to
// enforce vs. report-only — confirm in the module classes before relying on enforcement.
'ContentSecurityPolicyAcl'=>[
'class' => 'bicf\securityheaders\modules\HeaderContentSecurityPolicyAcl',
'enabled' => false,
'policies' => [
'default-src' => "'self'",
'frame-src' => "'self' www.facebook.com www.youtube.com www.google.com",
'img-src' => "'self' www.google-analytics.com",
'font-src' => "'self' fonts.gstatic.com maxcdn.bootstrapcdn.com",
'media-src' => "'self'",
// No 'unsafe-inline': inline scripts presumably depend on the nonce the Response adds.
'script-src' => "'self' www.google-analytics.com",
'style-src' => "'self' maxcdn.bootstrapcdn.com",
'connect-src' => "'self'",
// Browsers POST violation reports here; the route must exist and accept that body.
'report-uri' => "/report-csp-acl",
],
],
// Same policy and report-uri as the Acl entry; keep both in sync when hosts change.
'ContentSecurityPolicyMonitor'=>[
'class' => 'bicf\securityheaders\modules\HeaderContentSecurityPolicyMonitor',
'policies' => [
'default-src' => "'self'",
'frame-src' => "'self' www.facebook.com www.youtube.com www.google.com",
'img-src' => "'self' www.google-analytics.com",
'font-src' => "'self' fonts.gstatic.com maxcdn.bootstrapcdn.com",
'media-src' => "'self'",
'script-src' => "'self' www.google-analytics.com",
'style-src' => "'self' maxcdn.bootstrapcdn.com",
'connect-src' => "'self'",
'report-uri' => "/report-csp-acl",
],
],
],
],
],
]
html
<script <?= Yii::$app->response->getContentSecurityPolicyTokenAttribute();