Final Class Yiisoft\Yii\Middleware\ForceSecureConnection

Inheritance: Yiisoft\Yii\Middleware\ForceSecureConnection
Implements: Psr\Http\Server\MiddlewareInterface
Deprecated: Use `ForceSecureConnectionMiddleware` from the `yiisoft/http-middleware` package instead.

Redirects insecure requests from HTTP to HTTPS, and adds headers necessary to enhance the security policy.

The middleware adds the HTTP Strict-Transport-Security (HSTS) header to each response. The header tells the browser that your site works with HTTPS only.

The Content-Security-Policy (CSP) header can force the browser to load page resources only through a secure connection, even if links in the page layout are specified with an unprotected protocol.

Note: Prefer forcing HTTPS at the web server level, unless you are creating an installable product such as a CMS, or are hosting the project on a server where you have no access to the web server configuration.

Public Methods

All methods are defined by Yiisoft\Yii\Middleware\ForceSecureConnection.

__construct(): Takes the PSR-17 response factory used to create redirect responses.
process(): Redirects plain-HTTP requests to HTTPS when redirection is enabled; otherwise runs the handler and adds the configured headers to its response.
withCSP(): Returns a new instance with the Content-Security-Policy header added to the response.
withHSTS(): Returns a new instance with the Strict-Transport-Security header added to the response.
withRedirection(): Returns a new instance with redirection from HTTP to HTTPS enabled.
withoutCSP(): Returns a new instance without the Content-Security-Policy header in the response.
withoutHSTS(): Returns a new instance without the Strict-Transport-Security header in the response.
withoutRedirection(): Returns a new instance with redirection from HTTP to HTTPS disabled.

Constants

All constants are defined by Yiisoft\Yii\Middleware\ForceSecureConnection.

DEFAULT_CSP_DIRECTIVES: 'upgrade-insecure-requests; default-src https:'
DEFAULT_HSTS_MAX_AGE: 31536000 (one year, in seconds)

Method Details

__construct() public method

public mixed __construct ( \Psr\Http\Message\ResponseFactoryInterface $responseFactory )
$responseFactory \Psr\Http\Message\ResponseFactoryInterface

The PSR-17 factory used to create the redirect response.

public function __construct(private ResponseFactoryInterface $responseFactory)
{
}
process() public method

Redirects plain-HTTP requests to HTTPS when redirection is enabled; otherwise passes the request to the handler and adds the configured HSTS and CSP headers to the response.

public \Psr\Http\Message\ResponseInterface process ( \Psr\Http\Message\ServerRequestInterface $request, \Psr\Http\Server\RequestHandlerInterface $handler )
$request \Psr\Http\Message\ServerRequestInterface
$handler \Psr\Http\Server\RequestHandlerInterface

public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
    // When redirection is enabled and the request arrived over plain HTTP,
    // answer with a redirect to the same URL on HTTPS without invoking the handler.
    if ($this->redirect && strcasecmp($request->getUri()->getScheme(), 'http') === 0) {
        $url = (string) $request
            ->getUri()
            ->withScheme('https')
            ->withPort($this->port);

        return $this->addHSTS(
            $this->responseFactory
                ->createResponse($this->statusCode)
                ->withHeader(Header::LOCATION, $url)
        );
    }

    // Otherwise run the application and decorate its response with the CSP and HSTS headers.
    return $this->addHSTS($this->addCSP($handler->handle($request)));
}
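The following is an added usage example, not code from the yiisoft/yii-middleware package. It wires the middleware in front of a stand-in handler and runs one plain-HTTP and one HTTPS request through process(); it assumes the composer packages yiisoft/yii-middleware, yiisoft/http (for Status) and nyholm/psr7 (for the PSR-7/PSR-17 objects), and the URLs are constructed sample input.

```php
<?php
// Added example, not part of the yiisoft/yii-middleware package itself. Assumes composer
// packages yiisoft/yii-middleware, yiisoft/http (Status) and nyholm/psr7 (PSR-7/PSR-17).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Nyholm\Psr7\Factory\Psr17Factory;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Yiisoft\Http\Status;
use Yiisoft\Yii\Middleware\ForceSecureConnection;

$factory = new Psr17Factory();

// Redirect plain HTTP with 301, send HSTS for one year including subdomains,
// and send the default CSP ('upgrade-insecure-requests; default-src https:').
$middleware = (new ForceSecureConnection($factory))
    ->withRedirection(Status::MOVED_PERMANENTLY)
    ->withHSTS(ForceSecureConnection::DEFAULT_HSTS_MAX_AGE, true)
    ->withCSP();

// Stand-in for the application behind the middleware.
$app = new class($factory) implements RequestHandlerInterface {
    public function __construct(private Psr17Factory $factory) {}
    public function handle(ServerRequestInterface $request): ResponseInterface
    {
        $response = $this->factory->createResponse(Status::OK);
        $response->getBody()->write('application response');
        return $response;
    }
};

function dump(string $label, ResponseInterface $response): void
{
    echo $label, ': ', $response->getStatusCode(), PHP_EOL;
    foreach ($response->getHeaders() as $name => $values) {
        echo '  ', $name, ': ', implode(', ', $values), PHP_EOL;
    }
}

// 1. Plain-HTTP request (constructed sample): the handler is not invoked; expect a 301
//    whose Location is the same URL with the https scheme, plus the HSTS header.
$insecure = $factory->createServerRequest('GET', 'http://example.com/login?next=%2Faccount');
dump('http request', $middleware->process($insecure, $app));

// 2. HTTPS request (constructed sample): the handler runs and the response gains HSTS and CSP.
$secure = $factory->createServerRequest('GET', 'https://example.com/login');
dump('https request', $middleware->process($secure, $app));
```

Browsers ignore a Strict-Transport-Security header received over plain HTTP (RFC 6797), so the HSTS header on the redirect response is harmless but only takes effect once the client receives it on the HTTPS response.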
withCSP() public method

Returns a new instance with the Content-Security-Policy header added to the response.

See also \Yiisoft\Http\Header::CONTENT_SECURITY_POLICY.

public self withCSP ( string $directives = self::DEFAULT_CSP_DIRECTIVES )
$directives string

The CSP directives to send (see DEFAULT_CSP_DIRECTIVES).

public function withCSP(string $directives = self::DEFAULT_CSP_DIRECTIVES): self
{
    $new = clone $this;
    $new->addCSP = true;
    $new->cspDirectives = $directives;
    return $new;
}
withHSTS() public method

Returns a new instance with the Strict-Transport-Security header added to the response.

public self withHSTS ( integer $maxAge = self::DEFAULT_HSTS_MAX_AGE, boolean $subDomains = false )
$maxAge integer

The max-age value, in seconds (see DEFAULT_HSTS_MAX_AGE).

$subDomains boolean

Whether to add the includeSubDomains option to the header value.

public function withHSTS(int $maxAge = self::DEFAULT_HSTS_MAX_AGE, bool $subDomains = false): self
{
    $new = clone $this;
    $new->addHSTS = true;
    $new->hstsMaxAge = $maxAge;
    $new->hstsSubDomains = $subDomains;
    return $new;
}
withRedirection() public method

Returns a new instance with redirection from HTTP to HTTPS enabled.

public self withRedirection ( integer $statusCode = Status::MOVED_PERMANENTLY, integer|null $port = null )
$statusCode integer

The HTTP status code of the redirect response.

$port integer|null

The port to use in the redirect URL, or null to omit the port (the default HTTPS port).

public function withRedirection(int $statusCode = Status::MOVED_PERMANENTLY, ?int $port = null): self
{
    $new = clone $this;
    $new->redirect = true;
    $new->port = $port;
    $new->statusCode = $statusCode;
    return $new;
}
withoutCSP() public method

Returns a new instance without the Content-Security-Policy header in the response.

See also withCSP().

public self withoutCSP ( )

public function withoutCSP(): self
{
    $new = clone $this;
    $new->addCSP = false;
    return $new;
}
withoutHSTS() public method

Returns a new instance without the Strict-Transport-Security header in the response.

See also withHSTS().

public self withoutHSTS ( )

public function withoutHSTS(): self
{
    $new = clone $this;
    $new->addHSTS = false;
    return $new;
}
withoutRedirection() public method

Returns a new instance with redirection from HTTP to HTTPS disabled.

See also withRedirection().

public self withoutRedirection ( )

public function withoutRedirection(): self
{
    $new = clone $this;
    $new->redirect = false;
    return $new;
}