Security Header Middleware

The SecurityHeadersMiddleware layer allows you to apply security-related headers to your application. Once set up, the middleware can apply the following headers to responses:

  • X-Content-Type-Options

  • X-Download-Options

  • X-Frame-Options

  • Referrer-Policy

  • Permissions-Policy

This middleware is configured using a fluent interface before it is applied to your application’s middleware stack:

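use Cake\Http\Middleware\SecurityHeadersMiddleware;

$securityHeaders = new SecurityHeadersMiddleware();
$securityHeaders
    // Referrer-Policy; defaults to same-origin when called without arguments
    ->setReferrerPolicy()
    // X-Frame-Options; defaults to sameorigin when called without arguments
    ->setXFrameOptions()
    // X-Download-Options: noopen
    ->noOpen()
    // X-Content-Type-Options: nosniff
    ->noSniff();

// $middlewareQueue is the queue passed to your Application::middleware() hook
$middlewareQueue->add($securityHeaders);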
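
To confirm that responses actually carry the headers set by the chain above, the following added example (not part of the CakePHP documentation or code base) audits a response header array in plain PHP. The helper name `auditSecurityHeaders`, the `EXPECTED_HEADERS` constant and the sample response are assumptions constructed for illustration; the expected values are the ones the four calls above emit when called without arguments.

```php
<?php
declare(strict_types=1);

// Values the chained calls above emit when called without arguments.
// Permissions-Policy is left out because the snippet above does not set it.
const EXPECTED_HEADERS = [
    'x-content-type-options' => 'nosniff',     // noSniff()
    'x-download-options'     => 'noopen',      // noOpen()
    'x-frame-options'        => 'sameorigin',  // setXFrameOptions()
    'referrer-policy'        => 'same-origin', // setReferrerPolicy()
];

/**
 * Hypothetical helper: compare response headers with the expected values.
 *
 * @param array<string, string|string[]> $headers Response headers.
 * @param array<string, string> $expected Lower-case header name => wanted value.
 * @return array<string, string> Findings keyed by header name; empty means pass.
 */
function auditSecurityHeaders(array $headers, array $expected = EXPECTED_HEADERS): array
{
    // Header names are case-insensitive; normalise names and flatten value lists.
    $seen = [];
    foreach ($headers as $name => $value) {
        $seen[strtolower((string)$name)] = implode(', ', (array)$value);
    }

    $findings = [];
    foreach ($expected as $name => $want) {
        if (!array_key_exists($name, $seen)) {
            $findings[$name] = 'missing';
        } elseif (strcasecmp(trim($seen[$name]), $want) !== 0) {
            $findings[$name] = "unexpected value '{$seen[$name]}', wanted '{$want}'";
        }
    }

    return $findings;
}

// Constructed sample: one header absent, one overridden later in the stack.
$response = [
    'Content-Type'           => 'text/html; charset=UTF-8',
    'X-Content-Type-Options' => ['nosniff'],
    'X-Frame-Options'        => 'ALLOWALL',
    'Referrer-Policy'        => 'same-origin',
];

foreach (auditSecurityHeaders($response) as $header => $problem) {
    echo "{$header}: {$problem}\n";
}
```

If you configure the middleware with non-default arguments, or add a Permissions-Policy value, pass a matching map as the second argument.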

Here’s a list of common HTTP headers, and the Mozilla recommended settings for securing web applications.