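<?php
// Blanket escaping of request input so that values echoed back into HTML
// cannot carry markup. This is only a safety net: output must still be
// escaped for its own context (attribute, JS, URL, SQL) at the point of use,
// and the stored values are no longer the raw input (e.g. "&" becomes "&amp;").
if (!function_exists('cleanData')) {
    /**
     * Escape a request value for an HTML body/attribute context.
     *
     * @param mixed $data scalar from $_GET/$_POST, or a (nested) array of them
     * @return mixed same shape as $data with every leaf escaped
     */
    function cleanData($data)
    {
        // $_GET/$_POST may hold arrays (?a[]=1&a[]=2); htmlspecialchars() on an
        // array throws a TypeError under PHP 8, so recurse instead of failing.
        if (is_array($data)) {
            return array_map('cleanData', $data);
        }

        return htmlspecialchars((string) $data, ENT_QUOTES, 'UTF-8');
    }
}

// $_GET and $_POST always exist, so no isset() guard is needed.
foreach ($_GET as $key => $val) {
    $_GET[$key] = cleanData($val);
}
foreach ($_POST as $key => $val) {
    $_POST[$key] = cleanData($val);
}

// Response security headers. No output may precede these calls (not even
// whitespace between two PHP tags), otherwise header() fails with
// "headers already sent" and the headers are silently lost.
header("X-Content-Type-Options: nosniff");
header("X-XSS-Protection: 1; mode=block");
header("Permissions-Policy: camera=(), fullscreen=self, geolocation=*, microphone=(self)");

// Origins allowed to embed this page in an iframe (placeholders: replace with
// the real hosts, or leave the list empty to fall back to SAMEORIGIN/DENY).
$arrUrl = [
    "www.allowedIframeThisLinkDomain1.com",
    "www.allowedIframeThisLinkDomain2.com",
    "www.allowedIframeThisLinkDomain3.com",
];

// Used only when $arrUrl is empty: true => SAMEORIGIN (pages on this origin
// may frame this page), false => DENY. A plain variable replaces the original
// bare constant, which is an undefined-constant Error on PHP 8.
$canEmbedInSelfDomainname = true;

// Legacy X-Frame-Options for browsers without CSP support (IE). header()
// replaces any earlier header of the same name, so emitting it in a loop only
// keeps the last entry (the original ended up sending just "allow-from
// http://<last host>"), and "allow-from" accepts a single origin anyway.
// Send it exactly once. With several allowed origins only CSP frame-ancestors
// below can express the policy, so no X-Frame-Options is sent in that case;
// CSP-capable browsers ignore X-Frame-Options when frame-ancestors is present.
$urlCount = count($arrUrl);
if ($urlCount === 1) {
    header("X-Frame-Options: allow-from https://" . $arrUrl[0]);
} elseif ($urlCount === 0) {
    header("X-Frame-Options: " . ($canEmbedInSelfDomainname ? "SAMEORIGIN" : "DENY"));
}

// Content-Security-Policy: honoured by Chrome, Safari, Firefox (and Edge).
// frame-ancestors is the supported replacement for X-Frame-Options allow-from.
// Details: https://www.neverj.com/content-security-policy-csp/
if ($urlCount > 0) {
    header("Content-Security-Policy: default-src 'self' *.firebase.com *.google-api.com; frame-ancestors " . implode(" ", $arrUrl) . ";");
} else {
    header("Content-Security-Policy: default-src 'self' *.firebase.com *.google-api.com");
}
?>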
For more about Content-Security-Policy, see Content Security Policy (CSP).
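<?php
// Set-secure-header "faster" template for a JSON response.
// Nothing may be output before these header() calls, otherwise PHP reports
// "headers already sent" and the headers (and the redirect) are lost.
header('Content-Type: application/json');
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');   // legacy filter header; current browsers ignore it
header('X-Content-Type-Options: nosniff');
header('Expect-CT: max-age=86400');          // deprecated by browsers; harmless to keep

// The Host header is client-controlled. It is used below both in
// Access-Control-Allow-Origin and as the redirect target, so an arbitrary
// value would turn the redirect into an open redirect. Accept only values
// made of characters that can legitimately occur in a Host (name, IPv4/IPv6
// literal, port) and, when configured, only hosts on a fixed allow-list.
// Empty list = accept any syntactically valid host (the original behaviour).
$allowedHosts = [];
$host = $_SERVER['HTTP_HOST'] ?? '';
if ($host !== '' && (!preg_match('/^[A-Za-z0-9.\-\[\]:]+$/', $host)
        || ($allowedHosts !== [] && !in_array($host, $allowedHosts, true)))) {
    http_response_code(400);
    exit;
}

// Scheme of the current request. Behind a TLS-terminating proxy $_SERVER['HTTPS']
// is unset and only X-Forwarded-Proto reveals that the client used HTTPS.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
$scheme = $isHttps ? 'https' : 'http';

// Reflects the request's own origin. Same-origin callers need no CORS grant,
// so this only documents intent; skipped when the request carried no Host.
if ($host !== '') {
    header('Access-Control-Allow-Origin: ' . $scheme . '://' . $host);
}
// The directive is "max-age"; the original "maxage" is not a valid directive
// and browsers ignore the whole header. 3600 s is a very short policy.
header('Strict-Transport-Security: max-age=3600');
header('Access-Control-Allow-Methods: GET');
header('Cache-Control: no-store');
header('Pragma: no-cache');
header('Referrer-Policy: no-referrer');
header('Permissions-Policy: geolocation=self');
header("Content-Security-Policy: default-src 'self'");

// Redirect plain-HTTP requests (as reported by the proxy) to HTTPS.
// REQUEST_URI keeps path and query string, whereas PHP_SELF drops the query
// and may carry user-supplied path info. The forwarded headers may be absent,
// hence the null coalescing (the original raised undefined-index warnings);
// comparisons are strict rather than loose.
if ($host !== ''
    && ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'http'
    && ($_SERVER['HTTP_X_FORWARDED_PORT'] ?? '') === '80') {
    header('Location: https://' . $host . ($_SERVER['REQUEST_URI'] ?? ($_SERVER['PHP_SELF'] ?? '/')));
    exit;
}
?>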