zaxbux/wn-securityheaders-plugin 问题修复 & 功能扩展

解决BUG、新增功能、兼容多环境部署,快速响应你的开发需求

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

zaxbux/wn-securityheaders-plugin

Composer 安装命令:

composer require zaxbux/wn-securityheaders-plugin

包简介

Easily configure HTTP response headers to increase site security.

README 文档

README

GitHub Packagist PHP Version Support GitHub tag (latest by date) Packagist Version

This Winter CMS plugin allows you to manage a variety of security HTTP headers for your application.

See your score at securityheaders.com

CSP Nonce

This plugin generates a cryptographic nonce (128 bits, base64 encoded) for each HTTP response. To use the CSP nonce, enable the 'nonce' source for a CSP directive and include the CSPNonce component on the layout or page you want to apply the nonce. A page variable named csp_conce will contain the base64 encoded nonce.

<script nonce="{{ csp_nonce }}">
	// ...
</script>

In Case Things Break

Enabling the Content Security Policy header or the Strict Transport Security (HSTS) header could break your site if they're not setup properly. In each case, there is a command to disable the headers.

To disable the CSP from the console:

artisan securityheaders:disable_csp

To disable HSTS from the console:

artisan securityheaders:disable_hsts

Headers by Controller

Different headers are applied to different routes, based on the controller used. The System and Backend controllers have limited security headers to avoid breaking functionality. For exmaple, the backend would require adding the unsafe-inline directive, effectivley making a CSP policy useless, so that header is not added.

System

The System\Classes\SystemController controller handles asset combining. These are the headers that may be sent:

  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection

Backend

The Backend\Classes\BackendController controller handles the backend CMS. These are the headers that may be sent:

  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection

CMS

The Cms\Classes\CmsController controller handles the frontend. These are the headers that may be sent:

  • Strict-Transport-Security
  • Referrer-Policy
  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • Feature-Policy

Obselete Headers

These headers are available for configuration in case legacy browsers need to be supported, but they are not recomended if you only support current browser verions.

X-Frame-Options

The X-Frame-Options header has been obsoleted by the frame-ancestors directive from CSP Level 2 for supporting browsers.

X-XSS-Protection

This header is non-standard and support has been removed (or will never be present) in a majority of browsers. You can achieve better protection using a Content Security Policy. Currently supported in IE 11 and Safari (caniuse.com).

统计信息

  • 总下载量: 11
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 4
  • 点击次数: 4
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 4
  • Watchers: 1
  • Forks: 4
  • 开发语言: PHP

其他信息

  • 授权协议: MIT
  • 更新时间: 2022-07-01

承接程序开发

PHP开发

VUE

Vue开发

前端开发

小程序开发

公众号开发

系统定制

数据库设计

云部署

网站建设

安全加固