SecurityHeaders

Handles HTTP security headers for the application.

Security headers protect against:

  • XSS attacks (Content-Security-Policy)
  • Clickjacking (X-Frame-Options)
  • MIME type sniffing (X-Content-Type-Options)
  • Protocol downgrade attacks (Strict-Transport-Security)

Tags

category: Lwt
author: HugoFara hugo.farajallah@protonmail.com
license: Unlicense http://unlicense.org/
link: https://hugofara.github.io/lwt/docs/php/
since: 3.0.0

Table of Contents

Properties

$headersSent  : bool
Whether headers have already been sent by this class.

Methods

reset()  : void
Reset the headers sent flag (mainly for testing).
send()  : void
Send all security headers.
sendContentSecurityPolicy()  : void
Send Content-Security-Policy header.
sendPermissionsPolicy()  : void
Send Permissions-Policy header.
sendReferrerPolicy()  : void
Send Referrer-Policy header.
sendStrictTransportSecurity()  : void
Send Strict-Transport-Security header.
sendXContentTypeOptions()  : void
Send X-Content-Type-Options header.
sendXFrameOptions()  : void
Send X-Frame-Options header.
buildMediaSrcDirective()  : string
Build the media-src CSP directive based on configuration.
isSecureConnection()  : bool
Check if the current connection is secure (HTTPS).
isValidCspSource()  : bool
Validate a CSP source value.

Properties

$headersSent

Whether headers have already been sent by this class.

private static bool $headersSent = false

Methods

reset()

Reset the headers sent flag (mainly for testing).

public static reset() : void

send()

Send all security headers.

public static send() : void

Safe to call multiple times - headers are only sent once.

sendContentSecurityPolicy()

Send Content-Security-Policy header.

public static sendContentSecurityPolicy() : void

Restricts which resources can be loaded, providing strong XSS protection.

Current policy:

  • Scripts: self only (no inline scripts - all JS in external files)
  • Styles: self + unsafe-inline (needed for inline styles and dynamic styling)
  • Images: self + data: (for inline images) + blob: (for generated content)
  • Fonts: self
  • Connect: self + api.github.com (for release checks)
  • Media: configurable via CSP_MEDIA_SOURCES env var (default: self + blob)
  • Frame ancestors: self (alternative to X-Frame-Options)

sendPermissionsPolicy()

Send Permissions-Policy header.

public static sendPermissionsPolicy() : void

Restricts which browser features can be used. Disables features not needed by the application.

sendReferrerPolicy()

Send Referrer-Policy header.

public static sendReferrerPolicy() : void

Controls how much referrer information is sent with requests. 'strict-origin-when-cross-origin' sends:

  • Full URL for same-origin requests
  • Origin only for cross-origin HTTPS→HTTPS
  • Nothing for HTTPS→HTTP (prevents leaking URLs to insecure sites)

sendStrictTransportSecurity()

Send Strict-Transport-Security header.

public static sendStrictTransportSecurity() : void

Tells browsers to always use HTTPS for this domain. Only sent when the current connection is already HTTPS.
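As an added illustration, not the class's own code (this page does not show the implementation), the following standalone PHP decides whether the HSTS header may be emitted. The function names, the max-age value and the treatment of a reverse proxy's X-Forwarded-Proto header are this example's assumptions; the page only states that the header is sent when the current connection is already HTTPS.

```php
<?php
declare(strict_types=1);

// Added illustration, not the LWT SecurityHeaders code. $server is passed in
// explicitly (instead of reading $_SERVER) so the logic can be exercised offline.

/**
 * Returns true when the request reached PHP over HTTPS.
 *
 * With TLS terminated by the web server, PHP sets $_SERVER['HTTPS'] (any value
 * except "off") or $_SERVER['SERVER_PORT'] is 443. Behind a TLS-terminating
 * reverse proxy the hop to PHP is plain HTTP, so only the proxy's
 * X-Forwarded-Proto header carries the client-facing scheme. It is honoured
 * only when $trustProxy is true, because any client can send that header too.
 */
function exampleIsSecureConnection(array $server, bool $trustProxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return true;
    }
    if ($trustProxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        // Chained proxies may send "https, http"; the first entry is the client-facing scheme.
        $first = strtolower(trim(explode(',', (string) $server['HTTP_X_FORWARDED_PROTO'])[0]));
        return $first === 'https';
    }
    return false;
}

/**
 * Returns the HSTS header line, or null when it must not be sent.
 * Browsers ignore HSTS received over plain HTTP, and emitting it from a host
 * that is not fully served over HTTPS would lock users out once they did
 * receive it. The one-year max-age is this example's choice.
 */
function exampleHstsHeader(array $server, bool $trustProxy = false, int $maxAge = 31536000): ?string
{
    if (!exampleIsSecureConnection($server, $trustProxy)) {
        return null;
    }
    return 'Strict-Transport-Security: max-age=' . $maxAge;
}

// Constructed sample environments (not captured from a real request).
$direct  = ['HTTPS' => 'on', 'SERVER_PORT' => '443'];
$plain   = ['HTTPS' => 'off', 'SERVER_PORT' => '80'];
$proxied = ['SERVER_PORT' => '8080', 'HTTP_X_FORWARDED_PROTO' => 'https'];

assert(exampleHstsHeader($direct) !== null);
assert(exampleHstsHeader($plain) === null);
assert(exampleHstsHeader($proxied) === null);        // header is spoofable, proxy not trusted
assert(exampleHstsHeader($proxied, true) !== null);  // trusted proxy reports https

echo exampleHstsHeader($direct), PHP_EOL;
```

The point of the `$trustProxy` switch is that a forwarded-scheme header is plain request input: it should be believed only when the deployment guarantees a trusted proxy sets or strips it, otherwise a plain-HTTP deployment could be talked into emitting HSTS.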

sendXContentTypeOptions()

Send X-Content-Type-Options header.

public static sendXContentTypeOptions() : void

Prevents browsers from MIME-type sniffing, which could allow attackers to execute code by uploading files with misleading extensions.

sendXFrameOptions()

Send X-Frame-Options header.

public static sendXFrameOptions() : void

Prevents the page from being embedded in iframes on other sites, protecting against clickjacking attacks.

buildMediaSrcDirective()

Build the media-src CSP directive based on configuration.

private static buildMediaSrcDirective() : string

Reads CSP_MEDIA_SOURCES from environment:

  • "self" (default): Only allow media from same origin
  • "https": Allow any HTTPS source
  • Comma-separated domains: Allow specific domains

Always includes 'self' and 'blob:' for local files and TTS.

Return values
string

The complete media-src directive

isSecureConnection()

Check if the current connection is secure (HTTPS).

private static isSecureConnection() : bool

Return values
bool

True if connection is over HTTPS

isValidCspSource()

Validate a CSP source value.

private static isValidCspSource(string $source) : bool

Accepts:

  • https://domain.com or https://domain.com:port
  • http://domain.com (allowed but not recommended)
  • *.domain.com wildcards

Parameters
$source : string

The source to validate

Return values
bool

True if valid CSP source
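The following added example (not the class's own code) shows one way to implement both buildMediaSrcDirective() and isValidCspSource() as described above: the CSP_MEDIA_SOURCES value is turned into a media-src directive that always carries 'self' and blob:, and each configured entry is checked against the accepted forms (https://host with optional port, http://host, *.host wildcards) before it is allowed into the policy. Function names, the regular expressions and the constructed settings are this example's assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not the LWT SecurityHeaders code. A source that fails
// validation is dropped rather than emitted, so a typo or an injected
// "; script-src *" in the setting cannot widen the policy.

/**
 * Accepts the source forms listed in the documentation. Host labels are
 * letters, digits and hyphens; an optional numeric port may follow a
 * scheme-qualified host. Anything else (spaces, semicolons, quotes) is rejected.
 */
function exampleIsValidCspSource(string $source): bool
{
    $source = trim($source);
    $label  = '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?';
    // https://host[:port] or http://host[:port], optionally with a leading *. wildcard
    $withScheme = '~^https?://(?:\*\.)?' . $label . '(?:\.' . $label . ')*(?::\d{1,5})?$~i';
    // Bare wildcard host: *.example.org
    $wildcard = '~^\*\.' . $label . '(?:\.' . $label . ')*$~i';

    return preg_match($withScheme, $source) === 1
        || preg_match($wildcard, $source) === 1;
}

/**
 * Builds the media-src directive from the CSP_MEDIA_SOURCES value.
 * Invalid entries are collected in $rejected so a deployment can log them
 * instead of silently ending up with a policy it did not intend.
 */
function exampleBuildMediaSrcDirective(?string $setting, array &$rejected = []): string
{
    $sources = ["'self'", 'blob:'];   // always present: local files and TTS
    $setting = trim((string) $setting);

    if ($setting === '' || strcasecmp($setting, 'self') === 0) {
        // default: same origin only, nothing to add
    } elseif (strcasecmp($setting, 'https') === 0) {
        $sources[] = 'https:';        // any HTTPS source
    } else {
        foreach (explode(',', $setting) as $entry) {
            $entry = trim($entry);
            if ($entry === '') {
                continue;
            }
            if (exampleIsValidCspSource($entry)) {
                $sources[] = $entry;
            } else {
                $rejected[] = $entry;
            }
        }
    }

    return 'media-src ' . implode(' ', array_unique($sources));
}

// Constructed settings, not taken from a real deployment.
assert(exampleBuildMediaSrcDirective(null) === "media-src 'self' blob:");
assert(exampleBuildMediaSrcDirective('https') === "media-src 'self' blob: https:");

$rejected  = [];
$directive = exampleBuildMediaSrcDirective(
    'https://cdn.example.org:8443, *.media.example.net, evil; script-src *',
    $rejected
);
assert($directive === "media-src 'self' blob: https://cdn.example.org:8443 *.media.example.net");
assert($rejected === ['evil; script-src *']);

echo $directive, PHP_EOL;
```

Validating each entry before concatenation is what keeps an environment variable from becoming a policy-injection point: CSP directives are separated by semicolons, so an unchecked value could terminate media-src and append a permissive directive of its own.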