PSR-15 middleware to redirect to https and add the Strict-Transport-Security header


middlewares/https


Middleware to redirect to https if the request is http, and to add the Strict-Transport-Security header to protect against protocol downgrade attacks and cookie hijacking.

Requirements

Installation

This package is installable and autoloadable via Composer as middlewares/https.

composer require middlewares/https

Example

$dispatcher = new Dispatcher([
	(new Middlewares\Https())
		->includeSubdomains()
]);

$response = $dispatcher->dispatch(new ServerRequest());

Usage

This middleware accepts a Psr\Http\Message\ResponseFactoryInterface as a constructor argument, used to create the redirect responses. If it's not defined, Middlewares\Utils\Factory will be used to detect one automatically.

$responseFactory = new MyOwnResponseFactory();

//Detect the response factory automatically
$https = new Middlewares\Https();

//Use a specific factory
$https = new Middlewares\Https($responseFactory);

maxAge

This option defines the value of the max-age directive of the Strict-Transport-Security header. The default is 31536000 (1 year).

$threeYears = 31536000 * 3;

$https = (new Middlewares\Https())->maxAge($threeYears);

includeSubdomains

By default, the includeSubDomains directive is not included in the Strict-Transport-Security header. Use this function to change this behavior.

$https = (new Middlewares\Https())->includeSubdomains();

preload

By default, the preload directive is not included in the Strict-Transport-Security header. Use this function to change this behavior.

$https = (new Middlewares\Https())->preload();

checkHttpsForward

Enabling this option skips the redirect for requests containing the header X-Forwarded-Proto: https or X-Forwarded-Port: 443, treating them as https requests. This is especially useful if the site is behind an https load balancer that terminates TLS and forwards plain http to the application.

$https = (new Middlewares\Https())->checkHttpsForward();

redirect

This option controls whether http requests receive a redirect response to the https URL. It's enabled by default.

//Disable redirections
$https = (new Middlewares\Https())->redirect(false);
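The following script is an added example, not code from the middlewares/https README, that wires all of the options above into one pipeline and sends three constructed requests through it so the redirect and HSTS behaviour can be observed. It assumes middlewares/utils (for Dispatcher) and nyholm/psr7 (for the PSR-7 request/response and PSR-17 factory classes) are installed next to middlewares/https; the probe() helper and the example.com URLs are constructed here.

```php
<?php
// Added example (not part of the middlewares/https README). Assumes the
// middlewares/utils and nyholm/psr7 packages are installed alongside
// middlewares/https; the Dispatcher and Nyholm class names are assumptions.
require __DIR__ . '/vendor/autoload.php';

use Middlewares\Https;
use Middlewares\Utils\Dispatcher;
use Nyholm\Psr7\Factory\Psr17Factory;
use Nyholm\Psr7\Response;
use Nyholm\Psr7\ServerRequest;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;

// Pass an explicit PSR-17 response factory instead of relying on auto-detection.
$factory = new Psr17Factory();

// Configuration that meets the HSTS preload list requirements:
// max-age of at least one year, includeSubDomains and preload all present.
$https = (new Https($factory))
    ->maxAge(31536000)
    ->includeSubdomains()
    ->preload()
    ->checkHttpsForward();

// Final handler standing in for the application: always answers 200.
$app = function (ServerRequestInterface $request): ResponseInterface {
    return new Response(200, ['Content-Type' => 'text/plain'], 'ok');
};

$dispatcher = new Dispatcher([$https, $app]);

/**
 * Constructed helper: runs one request through the pipeline and prints
 * the pieces of the response a client would act on.
 */
function probe(Dispatcher $dispatcher, ServerRequest $request, string $label): void
{
    $response = $dispatcher->dispatch($request);
    printf("%s\n  status:   %d\n", $label, $response->getStatusCode());
    printf("  location: %s\n", $response->getHeaderLine('Location') ?: '(none)');
    printf("  hsts:     %s\n\n", $response->getHeaderLine('Strict-Transport-Security') ?: '(none)');
}

// 1. Plain-http request: expect a redirect whose Location is the https URL
//    (the query string must survive the rewrite).
probe($dispatcher, new ServerRequest('GET', 'http://example.com/login?x=1'), 'http request');

// 2. https request: expect 200 plus the Strict-Transport-Security header
//    carrying max-age=31536000, includeSubDomains and preload.
probe($dispatcher, new ServerRequest('GET', 'https://example.com/login'), 'https request');

// 3. http between the load balancer and PHP, but the balancer reports that
//    the client used https: with checkHttpsForward() enabled, no redirect.
probe(
    $dispatcher,
    new ServerRequest('GET', 'http://example.com/login', ['X-Forwarded-Proto' => 'https']),
    'http request with X-Forwarded-Proto: https'
);
```

Two points worth checking when adopting this configuration. First, checkHttpsForward() trusts whatever is in X-Forwarded-Proto and X-Forwarded-Port, so it is only safe when the load balancer is the sole path to the application and it overwrites those headers on every request; if PHP is also reachable directly, a client can add X-Forwarded-Proto: https itself and skip the redirect. Second, preload() is a commitment: once the domain is submitted to the browser preload list, every subdomain must keep serving valid https, so run the third probe above against every hostname before enabling it in production.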

Please see CHANGELOG for more information about recent changes and CONTRIBUTING for contributing details.

The MIT License (MIT). Please see LICENSE for more information.