Class humhub\modules\web\security\models\SecuritySettings

Inheritance: humhub\modules\web\security\models\SecuritySettings » yii\base\Model
Available since version: 1.4

The SecuritySettings are used to load and parse a security config file.

The config file path is defined in the security module class.

When initialized this class will load and cache the security rules from the config file and initialize a Content-Security-Policy builder if the csp section of the config is defined.

The security rules can contain the following sections:

  • headers: contains headers to be set
  • csp: contains a csp configuration
  • csp-report-only: contains report only rules

An instance of this class only manages the csp creation for a single one of the csp sections mentioned above. The active section can be chosen by setting the $cspSection property. By default the csp section is used.

Note: This class is not responsible for actually setting the header values.
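Since the model only parses the config and never sets headers, the following added example (not HumHub's own code) shows how a caller could turn a SecuritySettings instance into response headers using only the methods documented on this page. It assumes the security config file referenced by the security module exists, that getHeaders() returns a header-name => value map as the headers section suggests, and uses the standard Yii 2 Yii::$app->response->headers collection; the function names applyPlainHeaders() and applyCspHeaders() are hypothetical.

```php
<?php
// Added example, not part of HumHub: emit the parsed security settings as
// response headers. Assumes the security config file exists and that
// getHeaders() yields a header-name => value map.

use humhub\modules\web\security\models\SecuritySettings;
use Yii;

/**
 * Set every header from the "headers" section except the CSP related ones.
 * CSP keys are skipped because getCSPHeader() decides whether the policy
 * comes from the csp section or from the headers section; handling them in
 * applyCspHeaders() avoids emitting a stale headers-section CSP.
 *
 * @return array<string,string> headers that were set, keyed by name
 */
function applyPlainHeaders(SecuritySettings $settings): array
{
    $headers = Yii::$app->response->headers;
    $applied = [];
    foreach ($settings->getHeaders() as $name => $value) {
        if ($settings->isCSPHeaderKey($name)) {
            continue;
        }
        $headers->set($name, $value);
        $applied[$name] = $value;
    }
    return $applied;
}

/**
 * Set the Content-Security-Policy for the section the instance was built for.
 * getCSPHeaderKeys() returns the *-Report-Only names when isReportOnlyCSP()
 * is true and includes the legacy X- prefixed names for old browsers, so the
 * header names always match the mode of the active section.
 *
 * @return array<string,string> headers that were set, keyed by name
 */
function applyCspHeaders(SecuritySettings $settings): array
{
    $csp = $settings->getCSPHeader();
    if ($csp === null) {
        // neither a csp section nor a CSP entry in the headers section
        return [];
    }
    $headers = Yii::$app->response->headers;
    $applied = [];
    foreach ($settings->getCSPHeaderKeys() as $key) {
        $headers->set($key, $csp);
        $applied[$key] = $csp;
    }
    return $applied;
}

// Typical use: enforce the default csp section and, when a csp-report-only
// section is configured, also emit it so a stricter candidate policy can be
// observed through violation reports before it is enforced.
$enforcing = new SecuritySettings();          // $cspSection defaults to 'csp'
applyPlainHeaders($enforcing);
applyCspHeaders($enforcing);

if ($enforcing->hasSection(SecuritySettings::CSP_SECTION_REPORT_ONLY)) {
    // yii\base\Model accepts a config array, so the section is chosen at construction
    $reportOnly = new SecuritySettings([
        'cspSection' => SecuritySettings::CSP_SECTION_REPORT_ONLY,
    ]);
    applyCspHeaders($reportOnly);
}
```

Keeping the enforcing and report-only sections in two instances matches the page's model of one instance per csp section; the report-only instance reuses the same config file and only changes which section getCSPHeader() and getCSPHeaderKeys() read. In HumHub itself the config path and the actual header emission live in the security module class, which this page only references.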

Public Properties

Property | Type | Description | Defined By
$cspSection | string | Defines the csp settings key | humhub\modules\web\security\models\SecuritySettings

Public Methods

Method | Description | Defined By
getCSPHeader() | Returns the Content-Security-Policy header value, generated from the csp section of the security config if present, otherwise taken directly from the headers section of the configuration. | humhub\modules\web\security\models\SecuritySettings
getCSPHeaderKeys() | Returns the header keys for the csp header; these are either the report-only or the normal csp header keys, including the legacy keys for old browsers. | humhub\modules\web\security\models\SecuritySettings
getHeader() | Returns the value of a security header from the config file. The Content-Security-Policy is generated from the csp configuration section if present; otherwise the header is looked up in the headers section. | humhub\modules\web\security\models\SecuritySettings
getHeaders() | Returns all headers in the headers section of the security configuration. | humhub\modules\web\security\models\SecuritySettings
hasSection() | Checks if the given section is present in the security configuration. | humhub\modules\web\security\models\SecuritySettings
init() | Loads and caches the security rules from the config file (see the class description). | humhub\modules\web\security\models\SecuritySettings
isCSPHeaderKey() | Checks if the given header key is a csp related key. | humhub\modules\web\security\models\SecuritySettings
isCspReportEnabled() | Checks if reporting is enabled on the active csp configuration section. | humhub\modules\web\security\models\SecuritySettings
isNonceSupportActive() | Checks if the currently active security rule activates script nonce support. | humhub\modules\web\security\models\SecuritySettings
isReportOnlyCSP() | Checks if the current csp section should be treated as a report-only csp. | humhub\modules\web\security\models\SecuritySettings
isReportingEnabled() | Checks if any csp section has reporting enabled. | humhub\modules\web\security\models\SecuritySettings

Constants

Constant | Value | Description | Defined By
CSP_SECTION_REPORT_ONLY | 'csp-report-only' | | humhub\modules\web\security\models\SecuritySettings
HEADER_CONTENT_SECRUITY_POLICY | 'Content-Security-Policy' | | humhub\modules\web\security\models\SecuritySettings
HEADER_CONTENT_SECRUITY_POLICY_IE | 'X-Content-Security-Policy' | | humhub\modules\web\security\models\SecuritySettings
HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY | 'Content-Security-Policy-Report-Only' | | humhub\modules\web\security\models\SecuritySettings
HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY_IE | 'X-Content-Security-Policy-Report-Only' | | humhub\modules\web\security\models\SecuritySettings
HEADER_PUBLIC_KEY_PINS | 'Public-Key-Pins' | | humhub\modules\web\security\models\SecuritySettings
HEADER_REFERRER_POLICY | 'Referrer-Policy' | | humhub\modules\web\security\models\SecuritySettings
HEADER_STRICT_TRANSPORT_SECURITY | 'Strict-Transport-Security' | | humhub\modules\web\security\models\SecuritySettings
HEADER_X_CONTENT_TYPE | 'X-Content-Type-Options' | | humhub\modules\web\security\models\SecuritySettings
HEADER_X_FRAME_OPTIONS | 'X-Frame-Options' | | humhub\modules\web\security\models\SecuritySettings
HEADER_X_PERMITTED_CROSS_DOMAIN_POLICIES | 'X-Permitted-Cross-Domain-Policies' | | humhub\modules\web\security\models\SecuritySettings
HEADER_X_XSS_PROTECTION | 'X-XSS-Protection' | | humhub\modules\web\security\models\SecuritySettings

Property Details

$cspSection public property

Defines the csp settings key.

public string $cspSection = 'csp'

Method Details

getCSPHeader() public method

Returns the Content-Security-Policy header value, generated from the csp section of the security config if present, otherwise taken directly from the headers section of the configuration.

Note: If the csp configuration section is given, the Content-Security-Policy of the headers section will be ignored.

public null|string getCSPHeader ( )
throws Exception

getCSPHeaderKeys() public method

Returns the header keys for the csp header; these are either the report-only or the normal csp header keys, including the legacy keys for old browsers.

public array getCSPHeaderKeys ( )

getHeader() public method

Returns the value of a security header from the config file. The Content-Security-Policy is generated from the csp configuration section if present; otherwise the header is looked up in the headers section.

public null|string getHeader ( $header )
$header
throws Exception

getHeaders() public method

Returns all headers in the headers section of the security configuration.

public array getHeaders ( )

hasSection() public method

Checks if the given section is present in the security configuration.

public boolean hasSection ( $section )
$section

init() public method

public void init ( )

isCSPHeaderKey() public method

Checks if the given header key is a csp related key.

public boolean isCSPHeaderKey ( $header )
$header

isCspReportEnabled() public method

Checks if reporting is enabled on the active csp configuration section.

public boolean isCspReportEnabled ( )
return boolean

isNonceSupportActive() public method

Checks if the currently active security rule activates script nonce support.

See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.

public boolean isNonceSupportActive ( )

isReportOnlyCSP() public method

Checks if the current csp section should be treated as a report-only csp.

public boolean isReportOnlyCSP ( )

isReportingEnabled() public static method

Checks if any csp section has reporting enabled.

public static boolean isReportingEnabled ( )
return boolean