定制 nelmio/security-bundle 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

nelmio/security-bundle

Composer 安装命令:

composer require nelmio/security-bundle

包简介

Extra security-related features for Symfony: signed/encrypted cookies, HTTPS/SSL/HSTS handling, cookie session storage, ...

关键字:

README 文档

README

About

The NelmioSecurityBundle provides additional security features for your Symfony application.

Installation

Require the nelmio/security-bundle package in your composer.json and update your dependencies:

composer require nelmio/security-bundle

The bundle should be automatically enabled by Symfony Flex. If you don't use Flex, you'll need to enable it manually as explained in the docs.

Features

Read the docs for the details and configuration needed for each feature:

  • Content Security Policy: Cross site scripting attacks (XSS) can be mitigated in modern browsers using a policy which instructs the browser never to execute inline scripts, or never to load content from another domain than the page's domain.

  • Signed Cookies: Specify certain cookies to be signed, so that the user cannot modify them. Note that they will not be encrypted, but signed only. The contents will still be visible to the user.

  • Clickjacking Protection: X-Frame-Options header is added to all responses to prevent your site from being put in a frame/iframe. This can have serious security implications as it has been demonstrated time and time again with Facebook and others. You can allow framing of your site from itself or from anywhere on a per-URL basis.

  • External Redirects Detection: Redirecting from your site to arbitrary URLs based on user input can be exploited to confuse users into clicking links that seemingly point to valid sites while they in fact lead to malicious content. It also may be possible to gain PageRank that way.

  • Forced HTTPS/SSL Handling: This forces all requests to go through SSL. It will also send HSTS headers so that modern browsers supporting it can make users use HTTPS even if they enter URLs without https, avoiding attacks on public Wi-Fi.

  • Flexible HTTPS/SSL Handling: If you don't want to force all users to use HTTPS, you should at least use secure session cookies and force SSL for logged-in users. But then logged-in users appear logged-out when they access a non-HTTPS resource. This is not really a good solution. This will make the application detect logged-in users and redirect them to a secure URL, without making the session cookie insecure.

  • Disable Content Type Sniffing: Require that scripts are loaded using the correct mime type. This disables the feature that some browsers have which uses content sniffing to determine if the response is a valid script file or not.

  • (DEPRECATED) XSS Protection: Enables/Disables Microsoft XSS Protection on compatible browsers (IE 8 and newer).

  • Referrer Policy: Referrer-Policy header is added to all responses to control the Referer header that is added to requests made from your site, and for navigations away from your site by browsers.

Testing

The bundle provides PHPUnit assertions to test security headers in your application. See TESTING.md for details.

Usage

See the documentation for usage instructions.

License

Released under the MIT License, see LICENSE.

nelmio/security-bundle 适用场景与选型建议

nelmio/security-bundle 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 13.68M 次下载、GitHub Stars 达 674, 最近一次更新时间为 2011 年 12 月 08 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「security」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 nelmio/security-bundle 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 nelmio/security-bundle 我们能提供哪些服务?
定制开发 / 二次开发

基于 nelmio/security-bundle 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 13.68M
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 683
  • 点击次数: 46
  • 依赖项目数: 25
  • 推荐数: 0

GitHub 信息

  • Stars: 674
  • Watchers: 22
  • Forks: 92
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2011-12-08