aidantwoods/SecureHeaders
A PHP library aiming to make the use of browser security features more accessible.
🐛 Fixed
- Fix bug where a header with a "falsey" value would not be properly set
- Ensure `strict-dynamic` is also opportunistically injected into the report only CSP; add missing options to control this behaviour
📦 [2.0] - *2017-07-16*
- Here's what we've been up to since `v1`
✨ Added
- **You can now easily integrate SecureHeaders with arbitrary frameworks by implementing the HttpAdapter (`Aidantwoods\SecureHeaders\Http\HttpAdapter`)**.
- Better cookie upgrades: specifically incorporating the [`SameSite`](https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1) cookie attribute. `SameSite=Lax` will be added alongside the `HttpOnly` and `Secure` flags to sensitive-looking cookies by default, and will be upgraded to `SameSite=Strict` if operating in [`strictMode`](https://github.com/aidantwoods/SecureHeaders/wiki/strictMode).
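As an added illustration of the cookie upgrade described above (example code, not SecureHeaders' own implementation): a stand-alone PHP function that applies the same rule to one `Set-Cookie` header value, adding `HttpOnly`, `Secure` and `SameSite=Lax` (or `SameSite=Strict` in strict mode) to sensitive-looking cookies. The function names, the list of "sensitive" name fragments and the sample cookies are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);
// Constructed list of name fragments treated as "sensitive looking" (an assumption).
const SENSITIVE_FRAGMENTS = ['sess', 'auth', 'login', 'token', 'csrf'];
// Canonical spelling of attributes when the header is rebuilt.
const CANONICAL = ['httponly' => 'HttpOnly', 'secure' => 'Secure', 'samesite' => 'SameSite',
    'path' => 'Path', 'domain' => 'Domain', 'expires' => 'Expires', 'max-age' => 'Max-Age'];
function looksSensitive(string $cookieName): bool
{
    foreach (SENSITIVE_FRAGMENTS as $fragment) {
        if (stripos($cookieName, $fragment) !== false) {
            return true;
        }
    }
    return false;
}

// Rewrite one Set-Cookie value: sensitive cookies gain HttpOnly, Secure and SameSite=Lax
// (SameSite=Strict in strict mode); existing attributes are kept and Strict is never loosened.
function upgradeSetCookie(string $setCookie, bool $strictMode = false): string
{
    $parts = array_map('trim', explode(';', $setCookie));
    $nameValue = array_shift($parts);
    // Decide on the name only: a "falsey" value such as token=0 must still be upgraded.
    if (!looksSensitive(explode('=', $nameValue, 2)[0])) {
        return $setCookie;
    }
    $attrs = [];
    foreach ($parts as $part) {
        if ($part !== '') {
            [$key, $value] = explode('=', $part, 2) + [1 => null];
            $attrs[strtolower($key)] = $value;
        }
    }
    $attrs['httponly'] = null;
    $attrs['secure'] = null;
    if (strcasecmp((string) ($attrs['samesite'] ?? ''), 'Strict') !== 0) {
        $attrs['samesite'] = $strictMode ? 'Strict' : 'Lax';
    }
    $out = [$nameValue];
    foreach ($attrs as $key => $value) {
        $label = CANONICAL[$key] ?? $key;
        $out[] = $value === null ? $label : "$label=$value";
    }
    return implode('; ', $out);
}
// Constructed sample cookies: the first two are upgraded, the third is left untouched.
echo upgradeSetCookie('session_id=abc123; Path=/'), "\n";
echo upgradeSetCookie('auth_token=0; Path=/; SameSite=Strict'), "\n";
echo upgradeSetCookie('theme=dark', true), "\n";
```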
📋 Changed
- SecureHeaders is now intended to be a composer library, meaning that the single `SecureHeaders.php` will no longer contain the whole library. However, you may now instead download and include/require the entire library via the `SecureHeaders.phar` release.
- The SecureHeaders class is now namespaced to `Aidantwoods\SecureHeaders\SecureHeaders`.
- Strict Mode now includes injecting the `SameSite` cookie attribute.
- Strict Mode now includes the `Expect-CT: max-age=31536000; enforce` header.
🗑️ Removed
- `doneOnOutput` and `done` are now `applyOnOutput` and `apply`. These new methods allow custom HttpAdapters to be used (so you can integrate more easily with frameworks), but if you supply no arguments the "global" HttpAdapter will be used (i.e. interact directly with PHP's `header()` and similar functions).
- `addHeader` has been removed. You should add headers with `header()` or via your framework now.
- `correctHeaderName` has been removed. Please ensure your header names are
📦 Signed Release
- If you are obtaining the `.phar` signature, my GPG fingerprint is `A0EAF427E34F44505F171FB09A6A8EFAA512BBB9`; you can obtain my key with:

  ```bash
  gpg --recv-keys A0EAF427E34F44505F171FB09A6A8EFAA512BBB9
  ```
This version is **not backwards compatible** (sorry!). Hopefully a good change though: the naming scheme has changed from under_scores to the community-preferred camelCase for method names. There are no functionality changes, so you only need to adjust to the new naming scheme. SecureHeaders is now a [composer package on packagist](https://packagist.org/packages/aidantwoods/secureheaders), so installation should be nice and easy now! v1.0.1 contains a naming-related bugfix.
Feedback welcome. [Bugs/Suggestions](https://github.com/aidantwoods/SecureHeaders/issues)
