While I love the idea of SecureHeaders being adoptable everywhere, you're not using PSR-1/PSR-4, you've not got this package on composer, and the vast majority of PHP code that is going to be updated will not be able to simply just include it.

In addition, it'd need to be modified so that all the major frameworks currently in use (wordpress/laravel/symfony2/drupal) can actually include it at the correct stages of their lifecycles without needing to modify core code. That one's far more tricky.

A few things you could do to cut down on work:

• Use StyleCI (free for open source) for automatic formatting
  • This is great for moving to PSR-2 (or at least PSR-1, but modern PHP is leaning towards namespaces + PascalCase classes + camelCase methods, etc)
• Autoload files via PSR-4 using Composer
• Add your package to Packagist so people can instantly use it.

People haven't really done the download package / require files / use library approach in several years for newer projects at this point, and it'd be a shame for this package to just die from lack of use.

It would be really cool if you could add support for 'strict-dynamic' (W3C) by default.

Google is offering Google Patch Rewards for integrating CSP in popular frameworks and facilitating adoption (as you already did, so please apply!).

The most recent research on CSP demonstrated that the whitelist-based approach is intrinsically flawed for XSS mitigation, and that a nonce/hash + 'strict-dynamic' policy, similar to the ones already served by important Google products, is in the quasi-totality of cases the only working solution.

There are a lot of misconceptions about CSP, and getting rid of things that are proven not to work is good - the worst thing you can have is a false sense of security.

If you could also add a link to the CSP Evaluator to your README, to let users evaluate the quality of their policy, it would be awesome.

Please do not hesitate to get back to me if you need any additional information or have doubts.

More resources

• https://csp.withgoogle.com
• https://csp.withgoogle.com/docs/strict-csp.html
• https://csp-evaluator.withgoogle.com
• https://www.google.com/about/appsecurity/patch-rewards/

Add tests for each component of the library.

This is the final item on the agenda for 2.0 release, hence:

Closes #27
Closes #3

Is usual to use an iframe to show content from facebook stream, or twitter, for set an examples.

I think a directive of ->csp(), some like
$headers->csp('frame', 'sameorigin');
$headers->csp('frame', ['sameorigin', 'http://www.facebook.com']);

Thanks for consider.

This method does not result in an operation being added to the pipeline.

What's needed:

• a unit test for the expected behavior
• a fix

As discussed in #60 (comment), I would like the library is avoid of triggering php errors, but instead throw SPL Exceptions, which were created for this case.

At the moment, I'm tired, and I can't describe more things why I want to catch exceptions instead of errors.

HPKP is dead.

Okay, well not quite yet 😉, but the end looks to be nigh unless something changes to fix it.

HPKP was a standard developed in hope of solving the problem of certificate mis-issuance by allowing a domain owner to "pin" a select set of certificates.
HPKP unfortunately makes it very easy to shoot yourself in the foot by rotating pins too fast, losing access to your backup, locking yourself to a CA (if you pin the CA) and mess up rotation windows, misconfiguration etc... mostly caused by having no mechanism to recover from misconfiguration (other than waiting for the enforcement window to expire).
Unfortunately this also opens up the door to malicious pinning: HPKP based ransom (where an attacker may utilise HPKP along with temporarily gained access to your webserver to set up HPKP with pins to a certificate you do not control – and holding you to ransom, or face users unable to visit your site).

For a comprehensive overview see this post from last year by Ivan Ristic.

HPKP has been part of SecureHeaders since the beginning, but was (deliberately) never really explicitly encouraged (by virtue of not triggering the usual warnings that omitting other security headers will cause).
It was also one of the driving factors for introducing safe mode – in which (if safe mode is enabled) it carries the heaviest neutering value of being capped at 10 seconds of enforcement with policy propagation to subdomains disabled.

Fortunately the problem of certificate mis-issuance is now being tackled by certificate transparency and the Expect-CT.

I'll just grab a quote from the first link about it:

To defend against certificate misissuance, web developers should use the Expect-CT header, including its reporting function. Expect-CT is safer than HPKP due to the flexibility it gives site operators to recover from any configuration errors, and due to the built-in support offered by a number of CAs. Site operators can generally deploy Expect-CT on a domain without needing to take any additional steps when obtaining certificates for the domain. Even if the CT log ecosystem substantially changes during the validity period of the certificate, site operators can provide updated SCTs in the form of OCSP responses (if their CA supports it) or via a TLS extension (if they wish for greater control). The combination of these mitigations substantially reduces the risk of DoS (either accidental or hostile) via Expect-CT deployment. By combining Expect-CT with active monitoring for relevant domains, which a growing number of CAs and third-parties now provide, site operators can proactively detect misissuance in a way that HPKP does not achieve, while also reducing the risk of misconfiguration and avoiding the risk of hostile pinning.

You can set up and send the Expect-CT header using the ->expectCT method, and incase you want some more reading on it – take a look at this post by Scott Helme, or the latest draft spec.

So that leaves the issue of HPKP in SecureHeaders. The proposal linked first plans to remove support in Chrome by 29th May 2018. I would suggest that if there are no objections to deprecate the following parts of the public API:

SecureHeaders::hpkp
SecureHeaders::hpkpro
SecureHeaders::hpkpSubdomains
SecureHeaders::hpkproSubdomains

and then subsequently removing support in a major release that occurs sometime around (but preferably before) the Chrome removal date.

All this hinges on Chrome's intent to deprecate and remove being actioned, and we should also wait to see if Firefox follows suit. This means no date for even the deprecation on the public API, but I'll update this issue when more information is available.

This issue serves as a conditional intent to deprecate and remove, subject to outcome of browser decisions.

When enabling strict mode, 'strict-dynamic' is opportunistically injected into CSP but not 'strict-dynamic'. There's no documentation that indicates this is only for enforced policies (and seems to go against the idea of ->cspro behaving like ->csp – in a different mode). Therefore I see no reason for BC break (from intended behaviour), and it's not really a new feature either – hence can probably be a bugfix release.

Should probably add a config for disabling/enabling this opportunistic injection in strict mode too in each header (one might want to deploy slightly different policies in each header to trial run a CSP in report mode before using enforce).

Conscious of a potential "configuration overload" approaching here, we're building up quite a few configuration options. Will open a separate issue to discuss possibly cleaning some of this up, see #57.

In future versions we should rework how cookie upgrades are handled.

Sites which care about security related headers being reliably delivered should already be using HTTPS on all their pages – which means that HTTP cookies shouldn't be a thing. Adding Secure to all cookies seems like a pretty damn easy win. (this would replace our current approach which is only slightly better than a whitelist). For cookies that must be sent over HTTP, we can permit cookies to be manually deselected from this upgrade.

I think this approach may be valuable for all settings though: it adopts a "permissions" view of the world where everything is disallowed by default, and the developer must actively opt-in to less protection. i.e. instead of having to remember to think about "we must disallow JavaScript from accessing a cookie", developers should instead think "we should grant JavaScript access to this cookie".

My current thinking is the following:

• All cookies receive the Secure flag by default.

• All cookies receive the httpOnly flag by default.

• All cookies receive the SameSite=Lax flag by default.

• Allow manual exceptions to be written for all of the above based on cookie name, i.e.

  • Explicit opt-in for cookies to be allowed to be sent over HTTP

  • Explicit opt-in for JavaScript to be allowed access to a cookie

  • Explicit opt-in for cookies to be allowed to be sent when not using top-level cross-origin navigations

• Allow specific cookies to be marked as "write cookies", which will upgrade the SameSite setting to SameSite=Strict. These are cookies which (if your site can be built to allow for it) should be reserved for granting write permissions to a particular user. SameSite=Lax cookies are perfectly okay for where the user need only read information.

  There is a section in the SameSite cookie spec detailing a scenario where lax would be used for read permissions, and strict would be used for write permissions. Scott Helme has also done a nice explainer on using different cookies for read/write permissions in CSRF is dead.

  If you're developing a new app – this is something you should definitely look into in addition to current CRSF mechanisms (when all browsers have added support for SameSite it might be possible to ditch CSRF form tokens, but that is way in the future!).

Using the default config:

$headers = new SecureHeaders();
$headers->apply()

I get the following console error in Chrome:

Failed to set referrer policy: The value 'strict-origin-when-cross-origin' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', or 'unsafe-url'. The referrer policy has been left unchanged.

Not sure if it's just Chrome but this doesn't happen in Firefox.

I've had this problem with CORS stuff before in Chrome and there's usually an extension that someone has used to intercept the URLs, not sure if you know of one?

base-uri must be defined to have blocking behaviour.
If default-src is not defined many directives will have no fallback (and so will operate as if * was specified if they too are undefined by the CSP).
Some key directives that should not be emitted include:

• default-src (obviously)
• object-src
• script-src
• style-src

SecureHeaders should emit a warning if any directive that falls back to default-src is absent from CSP and default-src is also absent.

We should also enumerate things that do not fallback to default-src (like base-uri) and warn about these separately (regardless of whether default-src is present).

As hinted in #67 (comment), the public API could do with some better coverage.

I know that the package is meant to not use them directly, but sometimes it could be useful to be able to insert nonces and hashes directly instead of relying on the given API methods.
It's actually already doable via csp() method, but with a somehow hacky notation:

'\'sha256-K28TraF0hDSDYoxDYfyCCb5cCVAhDUyT0P1E3a+hKyQ=\''
"'sha256-K28TraF0hDSDYoxDYfyCCb5cCVAhDUyT0P1E3a+hKyQ='"
'\'nonce-xxxxxxxx\''
"'nonce-xxxxxxxx'"

I've not tested those on your library directly but I use them in laravel-securityheaders and they work.

My request, if possible, is to add two more "friendly directive":

• one for nonces, which checks if the string start with a "nonce-" and automatically adds the single quotation marks, while preserving the actual nonce value
• and one for hashes, which checks if the string starts with a "sha[acceptableVersionOfSHA]-" and automatically adds the single quotation marks, while preserving the actual encoded hash value.

Some stuff is really easy and hard to guess a way of using it wrong (see: https://github.com/aidantwoods/SecureHeaders/wiki/csp).

Other configuration might be a little harder to remember off hand (see: https://github.com/aidantwoods/SecureHeaders/wiki/auto).

This issue to to discuss whether we can do the "toggle like" configuration a bit better. Policies should stay as-is IMO (like CSP), but for configuring behaviour like in auto – we might be able to do better.

Should we create some kind of standardised config object or methodology that we could use to at least sub-category some of the stuff going on in auto (and probably being added to strict mode RE 'strict-dynamic' injection, see #56).

Or should we create a new function to configure (like https://github.com/aidantwoods/SecureHeaders/wiki/sameSiteCookies for SameSite's variable default override).

SecureHeaders was originally written in PHP 7.

However, I wanted as many people as possible to be able to use these browser security features easily, and didn't want it to be unusable by someone just because they were stuck with a lazy hosting provider.

So I backported the codebase all the way back to PHP 5.3 (and I took scalar type exceptions back with me! 😉)
PHP 5.6 initial backport: 4565833
PHP 5.4: 2192058
PHP 5.3: cdab04a

A year(-ish) later and two major versions out, the minimum version has increased to PHP 5.4. I think that's where I'm comfortable drawing the line though. It certainly doesn't make sense to continue supporting versions of PHP that the PHP team themselves don't.
As far as official support goes, PHP 5.6 is the only version on 5.x not to be end of life, and it will no longer receive updates unless they are security related. It'll be that way for a while longer, so it might make sense to still support that. We'd even gain the ... operator for type-hinting collections of objects.
However, we're still missing proper language enforced type safety for scalars, return type hints, and strict mode to disable "type coercion". For these features, I feel it will be worth dropping 5.6 too.

If you really have to use PHP 5.x, 2.x isn't going anywhere. 2.x will likely enjoy quite a few more updates too. This just forewarning that when 3.0 finally rolls around, it'll be modern PHP only.

Edit: Starting a checklist of sub-tasks/issues in this meta-issue, that'll need to be completed when the transition is underway (don't worry, still not yet).

• Type Safety
  • Scalar type hints
  • Return type hints
  • strict_types=1
  • Type hint collections when possible with ... operator
• Move away from OpenSSL for randomness (could perhaps do this sooner in 2.x too)

There's a lot of work going on under-the-hood, so to speak, to help make SecureHeaders a lot more usable within frameworks. (This thanks to folks like @lucasmichot and @franzliedke).

Since there's going to be a major version bump at some point, I wanted to open up this thread to discuss some feature changes that I'm planning on wrapping into the 2.0 version. This mainly so that there is the opportunity for concerns to be raised that I may have neglected to consider.

1. Better cookie upgrades:
   Specifically incorporating the SameSite cookie attribute. The plan is for SameSite=Lax to be added in alongside the HttpOnly and Secure flags to sensitive looking cookies by default, and for this to be upgraded to SameSite=Strict if operating in strictMode.

   SameSite=Lax already offers pretty good CSRF protection by preventing non GET requests or non top-level requests from sending cookies when coming from a cross-origin source. In other words cookies will not be sent when the request originates from a cross-origin unless request can be seen in the URL bar and any request data is also in the URL bar.

   Obviously this isn't a complete solution, so for those that want it stricter, I'll include the upgrade to SameSite=Strict (or just SameSite according to spec). This should be able to be configured granularly similarly to how HttpOnly and Secure are currently configured or just by enabling strictMode to use SameSite=Strict (as said above).

2. Add a new header by default:
   The new header being X-Permitted-Cross-Domain-Policies: none. As with other automatic headers, this will be done via a header proposal – so this can be explicitly removed or modified as you prefer if the default is not desired.

3. I need some feedback on what SecureHeaders should do if you pass it an argument of the wrong type.
   Since generating an exception produces output and forces headers to be sent immediately (preventing already configured ones from being added to PHPs list), there may be a case to do something slightly differently. At present (in 0.0 through to 1.0.1) I've utilised a custom exception class that will trigger the SecureHeaders done method on your behalf when an exception is uncaught. There has been some discussion on this perhaps not being the best behaviour because it is unexpected. It would be good to get some feedback on what to do when raising exceptions. Whether that be: "no, don't auto send the headers"; "yes, auto send the headers"; or "it should be user configurable, and the default should be [x]".

4. Add a new header by default: Referrer-Policy: strict-origin-when-cross-origin with a fallback policy of no-referrer.
   I've made no-referrer the fallback because is the only policy value (currently) supported by both Chrome and FF which guarantees that the full query string will remain private on cross-origin requests, and that no URL is leaked over the network on insecure requests (to the same origin).
   At time of writing latest stable on both Chrome and FF do not understand strict-origin-when-cross-origin and will use the fallback. Firefox is due to add support in v52. Chrome has a bug report open.
   Safari and other browsers appear to offer no support. This is unfortunate. Hopefully there will be progress.

5. Add a new header by default: Expect-CT: max-age=0.
   Spec here.
   This defaults to reporting mode, but will be configurable to operate in enforce mode, or just reporting with some report-uri specified.

Thanks for reading! I'll update this issue if I add anything else to the planned changes list 😄

E.g.

https://www.w3.org/TR/CSP2/#directive-script-src

If 'unsafe-inline' is not in the list of allowed script sources, or if at least one nonce-source or hash-source is present in the list of allowed script sources:[...]

As mentioned in #71.

Personally, I'd like to chain my settings, so instead of this:

// init SecureHeaders
$headers = new SecureHeaders;

$headers->auto();
$headers->hsts();
$headers->csp([
    'default-src' => [
        'none'
    ],
    'script-src' => [
        'self'
    ],
    'style-src' => [
        'self',
        'https://fonts.googleapis.com'
    ],
    'img-src' => [
        'https://www.gravatar.com'
    ]
]);
$headers->apply();

I could do

// init SecureHeaders
$headers = new SecureHeaders;

$headers
    ->auto()
    ->hsts()
    ->csp([
        'default-src' => [
            'none'
        ],
        'script-src' => [
            'self'
        ],
        'style-src' => [
            'self',
            'https://fonts.googleapis.com'
        ],
        'img-src' => [
            'https://www.gravatar.com'
        ]
    ])
    ->apply();

I with you that having Warnings and Notices is a wonderful thing while developing, but it seems that it's not possible to manually disable them in any way.

Use cases:

• we want to support Edge pre-15, so we must put the "unsafe-inline". Our CSP is build in order to leverage CSP3 and 2 where possible and fallback to CSP1 only where really needed, but actually we find ourselves filled with warnings about a decision we know we did for a reason;
• we are enhancing security step-by-step and for this reason we preferred to disable HSTS for now. We know we did, we are going to enable it later, still we apparently have no way to disable those errors.

If there were some way to selectively disable some warnings (of course they must be enabled by default), it would be great

So everything is #19 is now complete. The documentation can now mostly be very nicely auto-generated from phpdoc. And we now have nice adapters to SecureHeaders can be used in arbitrary frameworks with very minor implementation code.

I'll make some additions to the test suit this weekend just to make sure everything is running nicely and as expected, but other than that I can't think of anything major that needs doing.

@franzliedke @lucasmichot feel free to jump in here if I've forgotten something that needs doing 😜

Not all of use global function/variable's

If you like I can make a pr

At least for the method documentation, this can be added directly to the code, which can then be used for automatically generating up-to-date documentation, e.g. with https://www.phpdoc.org/.

Example for removeHeader():

/**
 * Queue a header for removal
 *
 * Upon calling {@see apply}, the header will be removed. This function can
 * be used to prevent automatic headers from being sent.
 *
 * @param string $name Case insensitive name of the header to remove
 * @return void
 */
public function removeHeader($name)
{
    // ...
}

Atm the lib uses a hardcoded list of possible cookie names/substring.

Wouldnt it make sense to detect whether sessions are handled via cookies and if so add the session cookies name to the protectedCookies list?