通过以下方式搜索 
hyperia / yii2-secure-headers
为您的 Yii2 应用程序提供安全头部
2.3
2024-01-02 17:16 UTC
Requires
- php: >=7.2
- yiisoft/yii2: *
Requires (Dev)
README
将安全相关的头部添加到 HTTP 响应中。此软件包包括易于 Yii2 集成的扩展。
安装
安装此扩展的首选方式是通过 composer。
运行以下命令之一:
composer require hyperia/yii2-secure-headers:"^2.0"
或者将以下内容添加到 composer.json 的 require 部分中。
"hyperia/yii2-secure-headers": "^2.0"
配置(使用方法)
'bootstrap' => [..., 'headers'], 'components' => [ ... 'headers' => [ 'class' => '\hyperia\security\Headers', 'upgradeInsecureRequests' => true, 'blockAllMixedContent' => true, 'requireSriForScript' => false, 'requireSriForStyle' => false, 'xssProtection' => true, 'contentTypeOptions' => true, 'strictTransportSecurity' => [ 'max-age' => 10, 'includeSubDomains' => true, 'preload' => false ], 'xFrameOptions' => 'DENY', 'xPoweredBy' => 'Hyperia', 'referrerPolicy' => 'no-referrer', 'reportOnlyMode' => false 'reportUri' => 'https://company.report-uri.com/r/d/csp/enforce', 'reportTo' => [ [ 'group' => 'groupName', 'max_age' => 10886400, 'endpoints' => [ [ 'name' => 'endpointName', 'url' => 'https://example.com', 'failures' => 1 ] ] ] ] 'cspDirectives' => [ 'connect-src' => "'self'", 'font-src' => "'self'", 'frame-src' => "'self'", 'img-src' => "'self' data:", 'manifest-src' => "'self'", 'object-src' => "'self'", 'prefetch-src' => false, 'script-src' => "'self' 'unsafe-inline'", 'style-src' => "'self' 'unsafe-inline'", 'media-src' => "'self'", 'form-action' => "'self'", 'worker-src' => "'self'", 'report-to' => 'groupname' ], // Deprecated. Use Permissions Policy instead. 'featurePolicyDirectives' => [ 'accelerometer' => "'self'", 'ambient-light-sensor' => "'self'", 'autoplay' => "'self'", 'battery' => "'self'", 'camera' => "'self'", 'display-capture' => "'self'", 'document-domain' => "'self'", 'encrypted-media' => "'self'", 'fullscreen' => "'self'", 'geolocation' => "'self'", 'gyroscope' => "'self'", 'layout-animations' => "'self'", 'magnetometer' => "'self'", 'microphone' => "'self'", 'midi' => "'self'", 'oversized-images' => "'self'", 'payment' => "'self'", 'picture-in-picture' => "*", 'publickey-credentials-get' => "'self'", 'sync-xhr' => "'self'", 'usb' => "'self'", 'wake-lock' => "'self'", 'xr-spatial-tracking' => "'self'" ], 'permissionsPolicyDirectives' => [ 'accelerometer' => "self", 'ambient-light-sensor' => "self", 'autoplay' => "self", 'battery' => "self", 'camera' => "self", 'display-capture' => "self", 'document-domain' => "self", 'encrypted-media' => "self", 'fullscreen' => "self", 'geolocation' => "self", 'gyroscope' => "self", 'layout-animations' => "self", 'magnetometer' => "self", 'microphone' => "self", 'midi' => "self", 'oversized-images' => "self", 'payment' => "self", 'picture-in-picture' => "*", 'publickey-credentials-get' => "self", 'sync-xhr' => "self", 'usb' => "self", 'wake-lock' => "self", 'xr-spatial-tracking' => "self" ] ] ]
参数描述
策略
每个头部在配置文件中都有一个参考链接,如果您不了解该头部,请阅读它。如果您想禁用字符串类型的头部,只需将其设置为 null 或空字符串。
内容安全策略
我们使用 paragonie/csp-builder 来帮助我们支持 csp 头部。如果您想禁用 csp 头部,请将 custom-csp 设置为空字符串。
子资源完整性
如果您想要求样式和脚本源的资源完整性,请将 requireSriForStyle 和 requireSriForScript 设置为 true
功能策略
已弃用。请使用权限策略代替。 功能策略旨在允许站点所有者在其自己的页面以及他们嵌入的页面上启用和禁用某些网络平台功能。使用与 CSP 相同的指令。
权限策略
权限策略是一种新策略,将取代功能策略