This document is for CakePHP's development version, which can be significantly different
from previous releases.
You may want to read
current stable release documentation instead.
HTTPS Enforcer Middleware¶
If you want your application to only be available via HTTPS connections you can
use the HttpsEnforcerMiddleware:
use Cake\Http\Middleware\HttpsEnforcerMiddleware;
// Always raise an exception and never redirect.
$https = new HttpsEnforcerMiddleware([
'redirect' => false,
]);
// Send a 302 status code when redirecting
$https = new HttpsEnforcerMiddleware([
'redirect' => true,
'statusCode' => 302,
]);
// Send additional headers in the redirect response.
$https = new HttpsEnforcerMiddleware([
'headers' => ['X-Https-Upgrade' => 1],
]);
// Disable HTTPs enforcement when ``debug`` is on.
$https = new HttpsEnforcerMiddleware([
'disableOnDebug' => true,
]);
// Only trust HTTP_X_ headers from the listed servers.
$https = new HttpsEnforcerMiddleware([
'trustProxies' => ['192.168.1.1'],
]);
If a non-HTTP request is received that does not use GET a BadRequestException will be raised.
Adding Strict-Transport-Security¶
When your application requires SSL it is a good idea to set the
Strict-Transport-Security header. This header value is cached in the
browser, and informs browsers that they should always connect with HTTPS connections.
You can configure this header with the hsts option:
$https = new HttpsEnforcerMiddleware([
'hsts' => [
// How long the header value should be cached for.
'maxAge' => 60 * 60 * 24 * 365,
// should this policy apply to subdomains?
'includeSubDomains' => true,
// Should the header value be cacheable in google's HSTS preload
// service? While not part of the spec it is widely implemented.
'preload' => true,
],
]);
New in version 4.4.0: The hsts option was added.
New in version 4.5.0: The trustedProxies option was added.