virdiggg / header-ci3
CodeIgniter 3 的 HTTP 头部
1.0.3
2023-12-04 04:39 UTC
Requires
- php: >=5.6.0
README
这是为 CodeIgniter 3/PHP 定制的 helmetjs/helmet。
如何使用
- 使用 composer 安装此库
composer require virdiggg/header-ci3
- 如果希望整站生效,可在您的
application/config/config.php
中加载此库;如果不想在整个网站上加载它,也可以只在需要的控制器里使用,例如 application/controllers/App.php(CodeIgniter 3 的控制器目录名是 controllers):
<?php defined('BASEPATH') or exit('No direct script access allowed'); // CodeIgniter 3 entry guard: BASEPATH is defined by the framework bootstrap, so requesting this file directly aborts
use Virdiggg\HeaderCi3\Headers;
class App extends CI_Controller
{
    /**
     * Demo controller showing how the Headers helper is applied per action.
     *
     * Each action builds its own Headers instance. According to the README's
     * curl output, constructing the object is what strips X-Powered-By
     * (compare test_header with test_no_header), while setHeaders() is what
     * emits the remaining security headers (compare testing1 with test_header),
     * so both steps are needed for the full set.
     *
     * @var Headers|null the Headers instance built by the most recent action
     */
    private $headers;

    public function __construct()
    {
        // Nothing beyond the CodeIgniter base constructor.
        parent::__construct();
    }

    /**
     * Emit the library's full default header set with no customisation.
     */
    public function testing1()
    {
        $headers = new Headers();
        $headers->setHeaders();
        $this->headers = $headers;
    }

    /**
     * Override the Content-Security-Policy before emitting the headers.
     *
     * The array handed to setContentSecurityPolicy() becomes the policy that
     * is sent. PHP header() calls must precede any output, so echo comes last.
     */
    public function testing2()
    {
        $headers = new Headers();
        $headers->setContentSecurityPolicy(["default-src 'self'"]);
        $headers->setHeaders();
        $this->headers = $headers;
        echo 1;
    }

    /**
     * Flip X-DNS-Prefetch-Control to "on" (the library default is "off")
     * before emitting the headers. Output again follows the header calls.
     */
    public function testing3()
    {
        $headers = new Headers();
        $headers->setXDNSPrefetchControl('on');
        $headers->setHeaders();
        $this->headers = $headers;
        echo 1;
    }

    /**
     * Instantiate Headers without calling setHeaders(): only the
     * construction-time effect (X-Powered-By removal) reaches the response.
     */
    public function test_header()
    {
        $this->headers = new Headers();
        echo 1;
    }

    /**
     * Control action: no Headers instance at all, so the response carries
     * whatever the server emits by default (X-Powered-By included).
     */
    public function test_no_header()
    {
        echo 1;
    }
}
- 然后用 curl -I 请求您的站点并核对响应头(把下面 URL 中的主机名替换成您自己的):
curl -I https://<your-host>/codeigniter/app/test_header/
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2023 00:00:00 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1q PHP/8.1.10
Content-Type: text/html; charset=UTF-8
curl -I https://<your-host>/codeigniter/app/test_no_header/
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2023 00:00:00 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1q PHP/8.1.10
X-Powered-By: PHP/8.1.10
Content-Type: text/html; charset=UTF-8
curl -I https://<your-host>/codeigniter/app/testing1/
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2023 00:00:00 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1q PHP/8.1.10
Content-Security-Policy: default-src 'self' base-uri 'self' font-src 'self' https: data: form-action 'self' frame-ancestors 'self' img-src 'self' data: object-src 'none' script-src 'self' script-src-attr 'none' style-src 'self' https: 'unsafe-inline' upgrade-insecure-requests
'unsafe-inline' *.gstatic.com *.googleapis.com *.jquery.com *.jsdelivr.net
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
Permissions-Policy: fullscreen=(self), geolocation=(self), camera=(self)
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Type: text/html; charset=UTF-8
curl -I https://<your-host>/codeigniter/app/testing2/
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2023 00:00:00 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1q PHP/8.1.10
Content-Security-Policy: default-src 'self'
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
Permissions-Policy: fullscreen=(self), geolocation=(self), camera=(self)
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Type: text/html; charset=UTF-8
curl -I https://<your-host>/codeigniter/app/testing3/
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2023 00:00:00 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1q PHP/8.1.10
Content-Security-Policy: default-src 'self' base-uri 'self' font-src 'self' https: data: form-action 'self' frame-ancestors 'self' img-src 'self' data: object-src 'none' script-src 'self' script-src-attr 'none' style-src 'self' https: 'unsafe-inline' upgrade-insecure-requests
'unsafe-inline' *.gstatic.com *.googleapis.com *.jquery.com *.jsdelivr.net
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: on
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
Permissions-Policy: fullscreen=(self), geolocation=(self), camera=(self)
Strict-Transport-Security: max-age=15552000; includeSubDomains
Content-Type: text/html; charset=UTF-8
说明
- 只要实例化了 Headers(见上面 test_header 的输出),
X-Powered-By
头部就会被移除。但示例输出中的 Server 头部(暴露了 Apache/OpenSSL/PHP 的版本号)不在本库的处理范围内,需要在 Web 服务器配置(如 Apache 的 ServerTokens)和 php.ini(expose_php=Off,这也会同时关闭 X-Powered-By)中处理。 - 下面的写法将使用所有默认的 HTTP 头部。
$this->headers = new Headers();
$this->headers->setHeaders();
- 这将修改
Content-Security-Policy
头部。CSP 是一份允许列表,声明页面上允许加载和执行哪些来源的资源,可缓解 XSS、数据注入等多类攻击。使用时请小心,它可能会破坏依赖第三方库(如 FontAwesome 或 CDN 上的 jQuery)的页面。参数是一个数组(每个元素为一条指令)。两点注意:(1)从上面 testing2 的输出可以看到,传入的数组会整体替换默认策略而不是与之合并——只传 default-src 'self' 时,默认策略中的 base-uri、form-action、frame-ancestors、object-src 'none' 等指令都不再发送,需要自行补上;(2)上面示例输出里各指令之间没有显示 ; 分隔符,且 'unsafe-inline' 和几个 CDN 主机名单独成行,请用浏览器开发者工具核对库实际发出的头部是否以 ; 正确分隔——若真的缺少分号,浏览器会把整段当成一条 default-src 指令解析,指令名会被当作主机名,'unsafe-inline' 也会作用到脚本上,实际策略会比预期宽松得多。上线前建议先以 Report-Only 方式观察一段时间再强制执行。
$this->headers = new Headers();
$this->headers->setContentSecurityPolicy([array]);
$this->headers->setHeaders();
- 这将修改
Cross-Origin-Opener-Policy
头部,它把本页与通过链接或 window.open 打开的跨源窗口放进不同的浏览上下文组(并切断它们之间的 window.opener 引用),有助于隔离页面进程、缓解 Spectre 类侧信道和跨窗口攻击。参数是一个字符串,默认为 same-origin(见上面输出)。
$this->headers = new Headers();
$this->headers->setCrossOriginOpenerPolicy('string');
$this->headers->setHeaders();
- 这将修改
Cross-Origin-Resource-Policy
头部,它阻止其他来源加载您的资源(图片、脚本、字体等)。参数是一个字符串,默认为 same-origin(见上面输出);如果您的静态资源需要被其他子域或站点引用,需要相应放宽为 same-site 或 cross-origin。
$this->headers = new Headers();
$this->headers->setCrossOriginResourcePolicy('string');
$this->headers->setHeaders();
- 这将修改
Cross-Origin-Embedder-Policy
头部,它控制文档能否嵌入跨源资源。参数是一个字符串,默认为 require-corp(见上面输出):在该值下,浏览器会拒绝加载任何没有通过 CORS 或 CORP 头明确允许跨源使用的跨源资源,上面默认 CSP 中放行的 *.gstatic.com、*.googleapis.com 等 CDN 资源也会受此影响,请在真实页面上测试。另外请注意,下面的示例代码调用的是 Cross-Origin-Resource-Policy 的设置方法(setCrossOriginResourcePolicy,见上一节),并不会修改本头部;请在库源码中查找 Embedder-Policy 对应的方法名。
$this->headers = new Headers();
$this->headers->setCrossOriginResourcePolicy('string');
$this->headers->setHeaders();
- 这将修改
Origin-Agent-Cluster
头部,它将进程隔离更改为基于源。参数是一个字符串。
$this->headers = new Headers();
$this->headers->setOriginAgentCluster('string');
$this->headers->setHeaders();
- 这将修改
Referrer-Policy
头部,它控制浏览器在发出请求时携带多少 Referer 信息。参数是一个字符串,默认为 no-referrer(见上面输出),即完全不发送 Referer;如果有依赖 Referer 的第三方统计或基于 Referer 的校验,需要留意。
$this->headers = new Headers();
$this->headers->setReferrerPolicy('string');
$this->headers->setHeaders();
- 这将修改
Strict-Transport-Security
头部,它告诉浏览器在 max-age 期间只通过 HTTPS 访问本站(上面输出中为 15552000 秒即 180 天,并带 includeSubDomains)。参数是一个字符串。 - 该头部只在 ENVIRONMENT 常量为 'production' 时添加:请确认您的 index.php 已定义 ENVIRONMENT;若未定义,库会自行创建一个 ENVIRONMENT,但其取值规则本页未说明,请核对库源码,不要依赖它来判断是否为生产环境。
- 注意:浏览器只会在通过 HTTPS 收到该头部时才记住它;启用 includeSubDomains 前请确保所有子域都能正常提供 HTTPS,否则在 max-age 到期前这些子域将无法通过 HTTP 访问。
$this->headers = new Headers();
$this->headers->setStrictTransportSecurity('string');
$this->headers->setHeaders();
- 这将修改
X-Content-Type-Options
头部,它阻止浏览器嗅探并改写响应的 MIME 类型(例如把用户上传的文本当作脚本执行)。参数是一个字符串,唯一有意义的值是 nosniff(默认,见上面输出)。
$this->headers = new Headers();
$this->headers->setXContentTypeOptions('string');
$this->headers->setHeaders();
- 这将修改
X-DNS-Prefetch-Control
头部,它控制浏览器是否对页面中的链接提前做 DNS 解析。默认为 off(见 testing1 输出);上面 testing3 把它设为 on 只是为了演示,开启后浏览器会把页面中链接的主机名提前发给 DNS 解析器,属于额外的信息泄露面,生产环境一般保持 off。参数是一个字符串。
$this->headers = new Headers();
$this->headers->setXDNSPrefetchControl('string');
$this->headers->setHeaders();
- 这将修改
X-Download-Options
头部,它强制下载保存(仅限 Internet Explorer)。参数是一个字符串。
$this->headers = new Headers();
$this->headers->setXDownloadOptions('string');
$this->headers->setHeaders();
- 这将修改
X-Frame-Options
头部,这是一个遗留的头部,用于减轻 clickjacking 攻击;现代浏览器优先采用 CSP 的 frame-ancestors 指令(默认策略中已包含 frame-ancestors 'self'),两者取值应保持一致。参数是一个字符串,有效值为 DENY 或 SAMEORIGIN(默认,见上面输出)。
$this->headers = new Headers();
$this->headers->setXFrameOptions('string');
$this->headers->setHeaders();
- 这将修改
X-Permitted-Cross-Domain-Policies
头部,它控制 Adobe 产品(如 Acrobat)的跨域行为。参数是一个字符串。
$this->headers = new Headers();
$this->headers->setXPermittedCrossDomainPolicies('string');
$this->headers->setHeaders();
- 这将修改
X-XSS-Protection
头部,这是一个遗留的头部,试图减轻 XSS 攻击,但其过滤器本身会引入新问题(可被利用来泄露信息或破坏页面),所以默认设为 0 即关闭(见上面输出)。参数是一个字符串。
$this->headers = new Headers();
$this->headers->setXXSSProtection('string');
$this->headers->setHeaders();
- 这将修改
Permissions-Policy
头部,它让站点显式声明页面(包括其中的 iframe)允许或禁止使用哪些浏览器功能(如摄像头、地理位置)。参数是一个字符串,默认值为 fullscreen=(self), geolocation=(self), camera=(self)(见上面输出),未列出的功能按浏览器自身的默认策略处理。
$this->headers = new Headers();
$this->headers->setPermissionPolicy('string');
$this->headers->setHeaders();