Final Class Yiisoft\HttpMiddleware\ForceSecureConnection\ForceSecureConnectionMiddleware

Inheritance: Yiisoft\HttpMiddleware\ForceSecureConnection\ForceSecureConnectionMiddleware
Implements: Psr\Http\Server\MiddlewareInterface

Redirects insecure requests from HTTP to HTTPS and adds headers necessary to enhance the security policy.

The middleware adds an HTTP Strict-Transport-Security (HSTS) header to each response. This header tells the browser that your site works with HTTPS only.

The Content-Security-Policy (CSP) header can force the browser to load page resources only through a secure connection, even if links in the page layout are specified with an unprotected protocol.

Note: Prefer forcing HTTPS at the web server level unless you are creating an installable product such as a CMS, or hosting the project on a server where you don't have access to the web server configuration.

Constants

| Constant | Value | Description | Defined By |
|---|---|---|---|
| DEFAULT_CSP_HEADER | 'upgrade-insecure-requests; default-src https:' | | Yiisoft\HttpMiddleware\ForceSecureConnection\ForceSecureConnectionMiddleware |

Method Details

__construct() public method

public mixed __construct ( \Psr\Http\Message\ResponseFactoryInterface $responseFactory, Yiisoft\HttpMiddleware\ForceSecureConnection\RedirectOptions $redirectOptions = new RedirectOptions(), string|null $cspHeader = self::DEFAULT_CSP_HEADER, Yiisoft\HttpMiddleware\ForceSecureConnection\HstsHeader|null $hstsHeader = new HstsHeader() )
$responseFactory \Psr\Http\Message\ResponseFactoryInterface

The response factory to create responses.

$redirectOptions Yiisoft\HttpMiddleware\ForceSecureConnection\RedirectOptions

Options for the redirect from HTTP to HTTPS.

$cspHeader string|null

The Content-Security-Policy header to be added to the response.

$hstsHeader Yiisoft\HttpMiddleware\ForceSecureConnection\HstsHeader|null

The Strict-Transport-Security header to be added to the response.

public function __construct(
    private readonly ResponseFactoryInterface $responseFactory,
    private readonly RedirectOptions $redirectOptions = new RedirectOptions(),
    private readonly ?string $cspHeader = self::DEFAULT_CSP_HEADER,
    private readonly ?HstsHeader $hstsHeader = new HstsHeader(),
) {
}

            
process() public method

public \Psr\Http\Message\ResponseInterface process ( \Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Server\RequestHandlerInterface $handler )
$request \Psr\Http\Message\ServerRequestInterface
$handler \Psr\Http\Server\RequestHandlerInterface

public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
    if ($this->shouldRedirect($request)) {
        $response = $this->createRedirectResponse($request);
        return $this->addHsts($response);
    }
    $response = $handler->handle($request);
    $response = $this->addCsp($response);
    return $this->addHsts($response);
}
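
The following smoke test is an added example, not code from the yiisoft project: it runs the middleware with its default arguments against one HTTP and one HTTPS request and prints the status and security headers of each response, so the two branches of process() can be checked from the outside. Assumptions: the Composer package name `yiisoft/http-middleware` (inferred from the namespace), `nyholm/psr7` as an arbitrary PSR-7/PSR-17 implementation, the placeholder host `example.test`, and that the default RedirectOptions redirect a request whose URI scheme is `http`.

```php
<?php

declare(strict_types=1);

// Added example. Assumed setup: composer require yiisoft/http-middleware nyholm/psr7
// (package name inferred from the namespace; nyholm/psr7 is an arbitrary PSR-17 choice).
require __DIR__ . '/vendor/autoload.php';

use Nyholm\Psr7\Factory\Psr17Factory;
use Nyholm\Psr7\ServerRequest;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Yiisoft\HttpMiddleware\ForceSecureConnection\ForceSecureConnectionMiddleware;

$factory = new Psr17Factory();

// Stand-in for the application: records whether the request reached it.
$app = new class ($factory) implements RequestHandlerInterface {
    public bool $called = false;

    public function __construct(private Psr17Factory $factory)
    {
    }

    public function handle(ServerRequestInterface $request): ResponseInterface
    {
        $this->called = true;
        return $this->factory->createResponse(200);
    }
};

// Only the required argument is passed; redirect options, CSP and HSTS use the defaults.
$middleware = new ForceSecureConnectionMiddleware($factory);

// Constructed sample requests; example.test is a placeholder host.
foreach (['http://example.test/login', 'https://example.test/login'] as $url) {
    $app->called = false;
    $response = $middleware->process(new ServerRequest('GET', $url), $app);

    echo $url, "\n";
    printf("  status: %d, handler called: %s\n", $response->getStatusCode(), $app->called ? 'yes' : 'no');
    // getHeaderLine() returns an empty string when the header is absent.
    foreach (['Location', 'Strict-Transport-Security', 'Content-Security-Policy'] as $name) {
        printf("  %s: %s\n", $name, $response->getHeaderLine($name));
    }
}
```

Per the process() listing, a redirected request should show `handler called: no` and an empty Content-Security-Policy line, because addCsp() is applied only to the handler's response, while addHsts() is applied on both paths.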