Securing HTTP headers in the PHP language.
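<?php

declare(strict_types=1);

/**
 * Securing HTTP headers in the PHP language.
 * Written by Suluh Sulistiawan <suluh.webdevelopers@hotmail.com>
 * Use as you like, hopefully useful.
 *
 * Include this file before any output is produced: header() can only add
 * to the response while the headers are still open and emits a warning
 * (and sends nothing) once the body has started.
 */

/**
 * Security headers to emit, keyed by header name.
 *
 * Keeping them in one map makes it easy to see the whole policy at a glance
 * and to override a single entry before the loop below sends them.
 *
 * @var array<string, string>
 */
$securityHeaders = [
    // X-Frame-Options lets a site refuse to be rendered inside a frame on a
    // foreign origin, which blocks clickjacking through an invisible frame.
    'X-Frame-Options' => 'SAMEORIGIN',

    // The XSS auditor behind X-XSS-Protection has been removed from current
    // browsers, and in the engines that still honour it the filter itself has
    // been used to probe page content. The value 0 disables it explicitly;
    // reflected-XSS mitigation should come from Content-Security-Policy.
    'X-XSS-Protection' => '0',

    // Instructs the browser to trust the declared Content-Type and not sniff
    // the body for a different MIME type.
    'X-Content-Type-Options' => 'nosniff',

    // Permissions Policy (formerly Feature Policy) restricts which browser
    // features and APIs the page (and embedded frames) may use.
    'Permissions-Policy' => 'geolocation=(self),sync-xhr=(self),fullscreen=(self)',

    // HSTS tells the browser to only reach this host (and, with
    // includeSubDomains, every subdomain) over TLS for max-age seconds,
    // which defeats protocol-downgrade attacks and cookie hijacking.
    // `preload` signals eligibility for the browser preload list; that is a
    // long-lived commitment, so confirm every subdomain serves HTTPS first.
    'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains; preload',

    // CSP is an extra layer that restricts where scripts, styles, images and
    // other resources may be loaded from, mitigating XSS and data injection.
    // Add CSP sources as you like; please match those in the following list
    // https://rapidsec.com/csp-packages/
    //
    // NOTE: 'unsafe-inline' and 'unsafe-eval' in script-src let any injected
    // inline script or eval() run, so this policy does little against XSS
    // until they are replaced by nonces or hashes for the scripts you control.
    'Content-Security-Policy' => "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.googletagmanager.com https://googletagmanager.com https://tagmanager.google.com https://www.google-analytics.com https://ssl.google-analytics.com https://google-analytics.com https://connect.facebook.net https://graph.facebook.com https://js.facebook.com https://*.doubleclick.net https://*.googleadservices.com https://*.google.com https://*.googlesyndication.com https://*.googletagservices.com https://cdnjs.cloudflare.com https://use.fontawesome.com https://kit.fontawesome.com https://ajax.googleapis.com https://www.recaptcha.net https://recaptcha.net https://www.gstatic.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.google.com/recaptcha/ https://maps.googleapis.com https://maps.google.com https://www.youtube.com https://m.youtube.com https://code.jquery.com https://cdn.jsdelivr.net https://unpkg.com https://maxcdn.bootstrapcdn.com https://stackpath.bootstrapcdn.com https://netdna.bootstrapcdn.com https://platform.twitter.com https://analytics.twitter.com https://en.twitter.com https://cdn.syndication.twimg.com https://translate.googleapis.com https://translate.google.com; style-src 'self' 'unsafe-inline' www.googletagmanager.com tagmanager.google.com fonts.googleapis.com *.google.com cdnjs.cloudflare.com *.fontawesome.com ajax.googleapis.com code.jquery.com cdn.jsdelivr.net unpkg.com *.bootstrapcdn.com ton.twimg.com platform.twitter.com translate.googleapis.com; frame-src www.googletagmanager.com *.facebook.com connect.facebook.net *.google.com *.doubleclick.net *.googlesyndication.com *.recaptcha.net recaptcha.net https://www.google.com/recaptcha/ https://recaptcha.google.com maps.google.com maps.googleapis.com *.youtube.com www.youtube-nocookie.com *.twitter.com; child-src blob: www.googletagmanager.com *.facebook.com connect.facebook.net *.google.com *.doubleclick.net *.googlesyndication.com www.youtube.com; img-src 'self' data: blob: www.googletagmanager.com www.google-analytics.com ssl.google-analytics.com www.google.com analytics.google.com fonts.gstatic.com *.facebook.com *.facebook.net *.fbcdn.net *.google.com *.doubleclick.net *.googlesyndication.com www.googleadservices.com cdnjs.cloudflare.com ajax.googleapis.com www.gstatic.com/recaptcha *.googleapis.com maps.google.com maps.gstatic.com www.gstatic.com *.ggpht.com *.ytimg.com *.youtube.com code.jquery.com cdn.jsdelivr.net unpkg.com t.co *.twitter.com *.twimg.com translate.google.com translate.googleapis.com www.gstatic.com; connect-src 'self' about: www.googletagmanager.com www.google-analytics.com stats.g.doubleclick.net ampcid.google.com analytics.google.com fonts.googleapis.com fonts.gstatic.com *.facebook.com connect.facebook.net *.doubleclick.net *.google.com *.googlesyndication.com www.googleadservices.com cdnjs.cloudflare.com *.fontawesome.com ajax.googleapis.com maps.googleapis.com maps.google.com code.jquery.com cdn.jsdelivr.net t.co *.twitter.com *.twimg.com translate.googleapis.com translate.google.com www.gstatic.com; font-src 'self' data: fonts.gstatic.com fonts.googleapis.com cdnjs.cloudflare.com *.fontawesome.com cdn.jsdelivr.net unpkg.com *.bootstrapcdn.com; object-src *.googlesyndication.com; media-src 'self' dai.google.com *.twimg.com; form-action 'self' *.facebook.com connect.facebook.net *.google.com *.twitter.com; prefetch-src *.googlesyndication.com; worker-src blob: www.google.com www.recaptcha.net",

    // Referrer-Policy controls how much of the current URL is disclosed in the
    // Referer header of outgoing requests.
    'Referrer-Policy' => 'strict-origin',
];

// header() replaces any earlier header of the same name by default, so a
// value set here wins over one set by the web server or an earlier include.
foreach ($securityHeaders as $name => $value) {
    header("{$name}: {$value}");
}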