Signify\Middleware\SecurityHeaderMiddleware
Synopsis
class SecurityHeaderMiddleware implements HTTPMiddleware {
- // members
- private static array $headers = ;
- private static boolean $enable_reporting = true;
- private static string $report_uri = 'cspviolations/report';
- private static boolean $use_report_to = false;
- private static boolean $report_to_subdomains = false;
- private static string $report_to_group = 'signify-csp-violation';
- private static boolean $is_csp_reporting_safe = false;
- // methods
- public void process()
- public boolean hasCSP()
- public boolean isReporting()
- public boolean isCSPReportingOnly()
- protected void getReportURI()
- protected void getIncludeSubdomains()
- protected void getReportToGroup()
- protected void getReportURIDirective()
- protected void getReportToDirective()
- protected void addReportToHeader()
- protected void getReportToHeader()
- protected void updateCspHeader()
- private static boolean isCSPReportingAvailable()
}
Hierarchy
Uses
- SilverStripe\Core\Config\Configurable
- SilverStripe\Core\Extensible
Implements
- SilverStripe\Control\Middleware\HTTPMiddleware
Members
private
- $enable_reporting (string) — Whether to automatically add the CMS report endpoint to the CSP config.
- $headers (array) — An array of HTTP headers.
- $is_csp_reporting_safe (boolean) — Whether isCSPReportingOnly can be used safely.
- $report_to_group (string) — The group name for the report-to CSP directive.
- $report_to_subdomains (string) — Whether subdomains should report to the same endpoint.
- $report_uri (string) — The URI to report CSP violations to.
- $use_report_to (string) — Whether to use the report-to header and CSP directive.
Methods
private
- isCSPReportingAvailable() — Whether the CSPReportingOnly field is safe to read.
protected
- addReportToHeader()
- getIncludeSubdomains()
- getReportToDirective()
- getReportToGroup()
- getReportToHeader()
- getReportURI()
- getReportURIDirective()
- updateCspHeader()
public
- hasCSP() — Returns true if "Disable CSP" is unchecked.
- isCSPReportingOnly() — Returns true if the Content-Security-Policy-Report-Only header should be used.
- isReporting() — Returns true if "Disable reporting" is unchecked.
- process()