strictMode

Description

void strictMode ([ mixed $mode = true ] )

Turn strict mode on or off. When enabled, strict mode will:

Auto-enable HSTS with a 1 year duration, and the includeSubDomains and preload flags set. Note that this HSTS policy is made as a header proposal, and can thus be removed or modified.

Don't forget to manually submit your domain to the HSTS preload list if you are using this option.
The source keyword 'strict-dynamic' will also be added to the first of the following directives that exist: script-src, default-src; only if that directive also contains a nonce or hash source value, and not otherwise.

This will disable the source whitelist in script-src in CSP3 compliant browsers. The use of whitelists in script-src is considered not to be an ideal practice, because they are often trivial to bypass.
The default SameSite value injected into ->protectedCookie will be changed from SameSite=Lax to SameSite=Strict. See ->auto to enable/disable injection of SameSite and ->sameSiteCookies for more on specific behaviour and to explicitly define this value manually, to override the default.
Auto-enable Expect-CT with a 1 year duration, and the enforce flag set. Note that this Expect-CT policy is made as a header proposal, and can thus be removed or modified.

Parameters

mode

Loosely casted to a boolean, true enables strict mode, false turns it off.

strictMode

Description

Parameters

mode

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Information

Functions

General

Settings

Policies

CSP Hashes and Nonces

Policy Adjustments

Headers and Cookies

Clone this wiki locally