update example extension; correct misspelled constant
aidantwoods committed Jan 8, 2017
1 parent d0cdc8b commit 180913f
Showing 2 changed files with 19 additions and 24 deletions.
37 changes: 16 additions & 21 deletions CustomSecureHeaders.php
@@ -1,47 +1,42 @@
<?php
class CustomSecureHeaders extends SecureHeaders{
public $style_nonce;
public $script_nonce;

public function __construct()
{
# implicitly call $this->done() on first byte of output
$this->done_on_output();

// $this->stop_done_on_output();
$this->doneOnOutput();

# content headers
$this->header('Content-type', 'text/html; charset=utf-8');

# Custom function added in this extenstion:
# redirect to www subdomain if not on localhost
$this->www_if_not_localhost();

# add a csp policy, as specified in $base, defined below
$this->csp($this->base);

# generate nonces for script-src and style-src directives, and
# store the nonces in public variables for use in script
$this->style_nonce = $this->csp_nonce('style');
$this->script_nonce = $this->csp_nonce('script');
$this->cspNonce('style');
$this->cspNonce('script');

# whitelist a css snippet in the style-src directive
$style = 'body {background: black;}';
$this->csp_hash('style', $style);
$this->cspHash('style', $style);

# add csp reporting
$this->csp('report', 'https://report-uri.example.com/csp');

$this->csp('script', 'http://my.cdn.org');
$this->csp(
'report', 'https://report-uri.example.com/csp',
'script', 'http://my.cdn.org'
);

# add some cookies
setcookie('auth1', 'not a secret');
setcookie('sId', 'secret');
$this->remove_protected_cookie_substring('auth');
$this->protectedCookie('auth', self::COOKIE_SUBSTR | self::CCOOKIE_REMOVE);

setcookie('sess1', 'secret');
setcookie('notasessioncookie', 'not a secret');
$this->remove_protected_cookie_substring('sess');
$this->add_protected_cookie_name('sess1');
$this->protectedCookie('sess', self::COOKIE_SUBSTR | self::CCOOKIE_REMOVE);
$this->protectedCookie('sess1', self::COOKIE_NAME);

setcookie('preference', 'not a secret');
setcookie('another-preference', 'not a secret', 10, '/', null, true, false);
Expand All @@ -63,19 +58,19 @@ public function __construct()

# enable safe-mode, which should auto-modify the above header
# safe-mode will generate an error of level E_USER_NOTICE if it has to modify any headers
$this->safe_mode();
$this->safeMode();

# uncomment the next line to allow HSTS in safe mode
// $this->safe_mode_exception('Strict-Transport-Security');
// $this->safeModeException('Strict-Transport-Security');

}

public function www_if_not_localhost()
{
if ($_SERVER['SERVER_NAME'] !== 'localhost' and substr($_SERVER['HTTP_HOST'], 0, 4) !== 'www.')
{
$this->add_header('HTTP/1.1 301 Moved Permanently');
$this->add_header('Location', 'https://www.'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
$this->header('HTTP/1.1 301 Moved Permanently');
$this->header('Location', 'https://www.'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
}
}

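Review bot: `self::CCOOKIE_REMOVE` in the two new `protectedCookie(...)` calls for `'auth'` and `'sess'` names a constant that does not exist; the SecureHeaders.php section of this same commit defines `COOKIE_REMOVE` (value 4), so PHP raises an undefined class constant error as soon as the constructor runs and the example never reaches the cookie protection it is meant to demonstrate. The lines should read `$this->protectedCookie('auth', self::COOKIE_SUBSTR | self::COOKIE_REMOVE);` and `$this->protectedCookie('sess', self::COOKIE_SUBSTR | self::COOKIE_REMOVE);`. Separately, in the `www_if_not_localhost` hunk the condition inspects the client-supplied `$_SERVER['HTTP_HOST']` while the new `header('Location', ...)` call builds the target from `$_SERVER['SERVER_NAME']`; that mix is pre-existing, but a comment such as `# redirect target uses the server-configured name, not the client Host header` would make the intent explicit for readers copying this example. The constructor body continues past the first hunk; the second hunk resumes at new line 58 and the remainder of the file is collapsed.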
6 changes: 3 additions & 3 deletions SecureHeaders.php
Expand Up @@ -172,7 +172,7 @@ public function protectedCookie(

$stringTypes = array();

if (($mode & self::COOKIENAME) === self::COOKIENAME)
if (($mode & self::COOKIE_NAME) === self::COOKIE_NAME)
$stringTypes[] = 'names';

if (($mode & self::COOKIE_SUBSTR) === self::COOKIE_SUBSTR)
Expand Down Expand Up @@ -2298,9 +2298,9 @@ private function reportMissingHeaders()

# cookie upgrades

const COOKIENAME = 1; # 0b0001
const COOKIE_NAME = 1; # 0b0001
const COOKIE_SUBSTR = 2; # 0b0010
const COOKIE_ALL = 3; # COOKIENAME | COOKIE_SUBSTR
const COOKIE_ALL = 3; # COOKIE_NAME | COOKIE_SUBSTR
const COOKIE_REMOVE = 4; # 0b0100
const COOKIE_DEFAULT = 2; # ~COOKIE_REMOVE & COOKIE_SUBSTR
}
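Review bot: The rename of `COOKIENAME` to `COOKIE_NAME` in the constants hunk removes a public class constant with no alias, so any existing subclass or caller that passes `self::COOKIENAME` to `protectedCookie()` will fail with an undefined class constant error after this update. Keeping a deprecated alias next to the corrected name, `const COOKIENAME = self::COOKIE_NAME; # deprecated: use COOKIE_NAME`, preserves compatibility while the new spelling is adopted, and because both resolve to 1 the bitmask test in `protectedCookie()` keeps working for either. The `protectedCookie()` hunk above starts mid-method (its signature is only visible in the hunk header) and the enclosing class declaration lies outside this section.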
