README

Middleware to redirect to https if the request is http and add the Strict Transport Security header to protect against protocol downgrade attacks and cookie hijacking.

Requirements

• PHP >= 7.2
• A PSR-7 http library
• A PSR-15 middleware dispatcher

Installation

This package is installable and autoloadable via Composer as middlewares/https.

composer require middlewares/https

Example

$dispatcher = new Dispatcher([
	(new Middlewares\Https())
		->includeSubdomains()
]);

$response = $dispatcher->dispatch(new ServerRequest());

Usage

This middleware accept a Psr\Http\Message\ResponseFactoryInterface as a constructor argument, to create the redirect responses. If it's not defined, Middleware\Utils\Factory will be used to detect it automatically.

$responseFactory = new MyOwnResponseFactory();

//Detect the response factory automatically
$https = new Middlewares\Https();

//Use a specific factory
$htts = new Middlewares\Https($responseFactory);

maxAge

This option allow to define the value of max-age directive for the Strict-Transport-Security header. By default is 31536000 (1 year).

$threeYears = 31536000 * 3;

$https = (new Middlewares\Https())->maxAge($threeYears);

includeSubdomains

By default, the includeSubDomains directive is not included in the Strict-Transport-Security header. Use this function to change this behavior.

$https = (new Middlewares\Https())->includeSubdomains();

preload

By default, the preload directive is not included in the Strict-Transport-Security header. Use this function to change this behavior.

$https = (new Middlewares\Https())->preload();

checkHttpsForward

Enabling this option ignore requests containing the header X-Forwarded-Proto: https or X-Forwarded-Port: 443. This is specially useful if the site is behind a https load balancer.

$https = (new Middlewares\Https())->checkHttpsForward();

redirect

This option returns a redirection response from http to https. It's enabled by default.

//Disable redirections
$https = (new Middlewares\Https())->redirect(false);

Please see CHANGELOG for more information about recent changes and CONTRIBUTING for contributing details.

The MIT License (MIT). Please see LICENSE for more information.