nelmio/security-bundle
Composer 安装命令:
composer require nelmio/security-bundle
包简介
Extra security-related features for Symfony: signed/encrypted cookies, HTTPS/SSL/HSTS handling, cookie session storage, ...
关键字:
README 文档
README
About
The NelmioSecurityBundle provides additional security features for your Symfony application.
Installation
Require the nelmio/security-bundle package in your composer.json and update your dependencies:
composer require nelmio/security-bundle
The bundle should be automatically enabled by Symfony Flex. If you don't use Flex, you'll need to enable it manually as explained in the docs.
Features
Read the docs for the details and configuration needed for each feature:
-
Content Security Policy: Cross site scripting attacks (XSS) can be mitigated in modern browsers using a policy which instructs the browser never to execute inline scripts, or never to load content from another domain than the page's domain.
-
Signed Cookies: Specify certain cookies to be signed, so that the user cannot modify them. Note that they will not be encrypted, but signed only. The contents will still be visible to the user.
-
Clickjacking Protection: X-Frame-Options header is added to all responses to prevent your site from being put in a frame/iframe. This can have serious security implications as it has been demonstrated time and time again with Facebook and others. You can allow framing of your site from itself or from anywhere on a per-URL basis.
-
External Redirects Detection: Redirecting from your site to arbitrary URLs based on user input can be exploited to confuse users into clicking links that seemingly point to valid sites while they in fact lead to malicious content. It also may be possible to gain PageRank that way.
-
Forced HTTPS/SSL Handling: This forces all requests to go through SSL. It will also send HSTS headers so that modern browsers supporting it can make users use HTTPS even if they enter URLs without https, avoiding attacks on public Wi-Fi.
-
Flexible HTTPS/SSL Handling: If you don't want to force all users to use HTTPS, you should at least use secure session cookies and force SSL for logged-in users. But then logged-in users appear logged-out when they access a non-HTTPS resource. This is not really a good solution. This will make the application detect logged-in users and redirect them to a secure URL, without making the session cookie insecure.
-
Disable Content Type Sniffing: Require that scripts are loaded using the correct mime type. This disables the feature that some browsers have which uses content sniffing to determine if the response is a valid script file or not.
-
(DEPRECATED) XSS Protection: Enables/Disables Microsoft XSS Protection on compatible browsers (IE 8 and newer).
-
Referrer Policy:
Referrer-Policyheader is added to all responses to control theRefererheader that is added to requests made from your site, and for navigations away from your site by browsers.
Testing
The bundle provides PHPUnit assertions to test security headers in your application. See TESTING.md for details.
Usage
See the documentation for usage instructions.
License
Released under the MIT License, see LICENSE.
nelmio/security-bundle 适用场景与选型建议
nelmio/security-bundle 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 13.68M 次下载、GitHub Stars 达 674, 最近一次更新时间为 2011 年 12 月 08 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「security」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 nelmio/security-bundle 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 nelmio/security-bundle 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 nelmio/security-bundle 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Provide a way to secure accesses to all routes of an symfony application.
It's a barebone security class written on PHP
Contao CMS integrity check for some files
A PHP security linter to detect insecure functions like var_dump, print_r, and other dangerous functions in your codebase
Cbox SSRF — a hardened, config-driven guard against server-side request forgery for outbound URLs in Laravel. Blocks private/reserved/cloud-metadata targets, pins DNS, and refuses redirects.
Cbox Risk — an explainable, config-driven request risk-scoring pipeline for Laravel. Weights signals (IP reputation, geo, disposable email, velocity, bot timing) into a score and an outcome: allow, challenge, step-up, or reject.
统计信息
- 总下载量: 13.68M
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 683
- 点击次数: 46
- 依赖项目数: 25
- 推荐数: 0
其他信息
- 授权协议: MIT
- 更新时间: 2011-12-08