hasanparasteh/helmet
====================

Helmet.js-style security headers middleware for ReactPHP HTTP.

[Source](https://github.com/hasanparasteh/reactphp-helmet) · [Packagist](https://packagist.org/packages/hasanparasteh/helmet)

Helmet – Security Headers for ReactPHP
======================================

A fully modular, ReactPHP-native re-implementation of **Helmet.js**. Each security feature is implemented as a separate middleware class, and `HelmetMiddleware` acts as the aggregator—just like the real Helmet.

✨ Features
----------

- CSP (Content Security Policy)
- Cross-Origin Policies (COOP / COEP / CORP)
- Strict-Transport-Security (HSTS)
- Referrer-Policy
- X-Frame-Options
- X-Content-Type-Options
- X-DNS-Prefetch-Control
- X-Download-Options
- X-Permitted-Cross-Domain-Policies
- X-Powered-By removal
- X-XSS-Protection (disabled by default, following Helmet.js)
- All middleware is **async**, **non-blocking**, and designed for **ReactPHP HTTP servers**

📦 Installation
==============

```
composer require hasanparasteh/helmet

```

🚀 Usage with ReactPHP
=====================

```
<?php
require __DIR__ . '/vendor/autoload.php';

use HP\Helmet\Middleware\Security\Helmet\HelmetMiddleware;
use HP\Helmet\Http\MiddlewareDispatcher;
use React\Http\HttpServer;
use React\Http\Message\Response;
use React\Socket\SocketServer;

$helmet = new HelmetMiddleware([
    'contentSecurityPolicy' => [
        'directives' => [
            "default-src" => ["'self'"],
            "script-src"  => ["'self'", "https://cdn.example.com"],
        ]
    ],
    'referrerPolicy' => ['policy' => 'no-referrer'],
    'xPoweredBy' => true // strip the X-Powered-By header from every response
]);

// Helmet runs before the inner handler, which produces the actual response.
$dispatcher = new MiddlewareDispatcher(
    [$helmet],
    fn() => new Response(200, ['Content-Type' => 'text/plain'], "Hello secure world")
);

$server = new HttpServer($dispatcher);
$server->listen(new SocketServer('127.0.0.1:8080'));
```

⚙️ Configuration Options (Full Documentation)
=============================================

Configuration follows Helmet.js semantics as closely as possible.

1. `contentSecurityPolicy`
--------------------------

Enable or configure CSP.

### Example

```
'contentSecurityPolicy' => [
    'directives' => [
        "default-src" => ["'self'"],
        "script-src" => ["'self'", "cdn.example.com"],
    ],
    'reportOnly' => false
]
```

### Options

| Key | Type | Default | Description |
|---|---|---|---|
| `directives` | `array<string, array\|string\|null>` | Default directives (see below) | CSP directives to emit, keyed by directive name |
| `reportOnly` | bool | `false` | Sets `Content-Security-Policy-Report-Only` instead of enforcing |

### Default CSP Directives

```
default-src 'self';
base-uri 'self';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data:;
object-src 'none';
script-src 'self';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
upgrade-insecure-requests;

```
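To make the `array<string, array|string|null>` shape of `directives` concrete, here is an added stand-alone serializer (example code, not the project's own) that turns a directives map into the header line format shown above, treating a `null` value as a valueless directive such as `upgrade-insecure-requests`:

```php
<?php
// Added example, not the project's own serializer: shows how a directives map of the
// documented shape array<string, array|string|null> corresponds to one CSP header line.
// null (or an empty array) stands for a valueless directive; a string is used as-is;
// an array of sources is space-joined.
function renderCsp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $value) {
        $name = strtolower(trim($name));
        if ($value === null || $value === []) {
            $parts[] = $name;                 // e.g. upgrade-insecure-requests
            continue;
        }
        $values = is_array($value) ? $value : [$value];
        // Reject characters that would terminate the directive or the header early.
        foreach ($values as $v) {
            if (!is_string($v) || preg_match('/[;,\r\n]/', $v)) {
                throw new InvalidArgumentException("invalid source in $name");
            }
        }
        $parts[] = $name . ' ' . implode(' ', $values);
    }
    return implode('; ', $parts);
}

// The README's default directive set, expressed as a directives array.
$defaults = [
    'default-src'     => ["'self'"],
    'base-uri'        => ["'self'"],
    'font-src'        => ["'self'", 'https:', 'data:'],
    'form-action'     => ["'self'"],
    'frame-ancestors' => ["'self'"],
    'img-src'         => ["'self'", 'data:'],
    'object-src'      => ["'none'"],
    'script-src'      => ["'self'"],
    'script-src-attr' => ["'none'"],
    'style-src'       => ["'self'", 'https:', "'unsafe-inline'"],
    'upgrade-insecure-requests' => null,
];

echo renderCsp($defaults), PHP_EOL;
// Allow one CDN for scripts while keeping every other default directive.
$custom = ['script-src' => ["'self'", 'https://cdn.example.com']] + $defaults;
echo renderCsp($custom), PHP_EOL;
```

Merging a partial map over the defaults with `+` keeps the tight `object-src 'none'` and `frame-ancestors 'self'` values, so overriding `script-src` alone does not silently drop them.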

2. `crossOriginEmbedderPolicy`
------------------------------

Controls resource isolation (COEP).

### Example

```
'crossOriginEmbedderPolicy' => [
    'policy' => 'require-corp'
]
```

### Options

| Key | Type | Default |
|---|---|---|
| `policy` | string | null |

Produces:

```
Cross-Origin-Embedder-Policy: require-corp

```

3. `crossOriginOpenerPolicy`
----------------------------

Isolation protection (COOP).

### Example

```
'crossOriginOpenerPolicy' => [
    'policy' => 'same-origin'
]
```

### Options

| Key | Type | Default |
|---|---|---|
| `policy` | string | null |

Produces:

```
Cross-Origin-Opener-Policy: same-origin

```

4. `crossOriginResourcePolicy`
------------------------------

Restrict which origins can load your resources (CORP).

### Example

```
'crossOriginResourcePolicy' => [
    'policy' => 'same-origin'
]
```

### Options

| Key | Type | Default |
|---|---|---|
| `policy` | string | null |

5. `originAgentCluster`
-----------------------

Enables browser origin-keyed agent clusters.

### Example

```
'originAgentCluster' => true
```

Produces:

```
Origin-Agent-Cluster: ?1

```

6. `referrerPolicy`
-------------------

### Example

```
'referrerPolicy' => [
    'policy' => 'no-referrer'
]
```

### Options

| Key | Type | Default |
|---|---|---|
| `policy` | string | null |

7. `strictTransportSecurity` / `hsts`
-------------------------------------

HSTS config.

Example:

```
'strictTransportSecurity' => [
    'maxAge' => 31536000,
    'includeSubDomains' => true,
    'preload' => false
]
```

Options:

| Key | Type | Default |
|---|---|---|
| `maxAge` | int | `15552000` (180 days) |
| `includeSubDomains` | bool | `true` |
| `preload` | bool | `false` |

Produces:

```
Strict-Transport-Security: max-age=15552000; includeSubDomains

```

Aliases:

- `hsts`
- `strictTransportSecurity` (only one of the two may be set; specifying both is an error)

8. `xContentTypeOptions` / `noSniff`
------------------------------------

Control MIME type sniffing.

Examples:

```
'xContentTypeOptions' => true
// or
'noSniff' => true
```

Output:

```
X-Content-Type-Options: nosniff

```

Alias rules:

- Only **one** of `xContentTypeOptions` or `noSniff` allowed.

9. `xDnsPrefetchControl` / `dnsPrefetchControl`
-----------------------------------------------

Example:

```
'dnsPrefetchControl' => ['allow' => false]
```

Options:

| Key | Type | Default |
|---|---|---|
| `allow` | bool | `false` |

Output:

```
X-DNS-Prefetch-Control: off

```

10. `xDownloadOptions` / `ieNoOpen`
-----------------------------------

Prevents file-download attacks in Internet Explorer.

Enable:

```
'xDownloadOptions' => true
```

Output:

```
X-Download-Options: noopen

```

11. `xFrameOptions` / `frameguard`
----------------------------------

Example:

```
'xFrameOptions' => [
    'action' => 'DENY'
]
```

Options:

| Key | Type | Default |
|---|---|---|
| `action` | `"DENY"` \| `"SAMEORIGIN"` | `"SAMEORIGIN"` |

Output:

```
X-Frame-Options: SAMEORIGIN

```

12. `xPermittedCrossDomainPolicies`
-----------------------------------

Example:

```
'xPermittedCrossDomainPolicies' => [
    'policy' => 'none'
]
```

Options:

| Key | Type | Default |
|---|---|---|
| `policy` | string | `"none"` |

Output:

```
X-Permitted-Cross-Domain-Policies: none

```

13. `xPoweredBy` / `hidePoweredBy`
----------------------------------

`true` removes the `X-Powered-By` header.

Example:

```
'xPoweredBy' => true
```

Removes:

```
X-Powered-By: PHP/8.x

```

If you **disable**:

```
'xPoweredBy' => false
```

It will NOT remove the header.

14. `xXssProtection` / `xssFilter`
----------------------------------

Modern Helmet disables this (it's deprecated/broken in browsers).

Example:

```
'xXssProtection' => true
```

Always outputs:

```
X-XSS-Protection: 0

```

Alias rules same as Helmet.js.

🧩 Full Option Map
=================

| Helmet.js Option | HP Helmet Option | Default |
|---|---|---|
| contentSecurityPolicy | contentSecurityPolicy | enabled |
| crossOriginOpenerPolicy | crossOriginOpenerPolicy | enabled |
| crossOriginEmbedderPolicy | crossOriginEmbedderPolicy | disabled |
| crossOriginResourcePolicy | crossOriginResourcePolicy | enabled |
| originAgentCluster | originAgentCluster | enabled |
| referrerPolicy | referrerPolicy | enabled |
| strictTransportSecurity / hsts | strictTransportSecurity | enabled |
| noSniff | xContentTypeOptions | enabled |
| dnsPrefetchControl | xDnsPrefetchControl | enabled |
| ieNoOpen | xDownloadOptions | enabled |
| frameguard | xFrameOptions | enabled |
| permittedCrossDomainPolicies | xPermittedCrossDomainPolicies | enabled |
| hidePoweredBy | xPoweredBy | enabled |
| xssFilter | xXssProtection | enabled (sets to 0) |

🧱 Architecture Overview
=======================

```
HelmetMiddleware
   ↳ ContentSecurityPolicyMiddleware
   ↳ CrossOriginOpenerPolicyMiddleware
   ↳ CrossOriginEmbedderPolicyMiddleware
   ↳ CrossOriginResourcePolicyMiddleware
   ↳ OriginAgentClusterMiddleware
   ↳ ReferrerPolicyMiddleware
   ↳ StrictTransportSecurityMiddleware
   ↳ XContentTypeOptionsMiddleware
   ↳ XDnsPrefetchControlMiddleware
   ↳ XDownloadOptionsMiddleware
   ↳ XFrameOptionsMiddleware
   ↳ XPermittedCrossDomainPoliciesMiddleware
   ↳ XPoweredByMiddleware
   ↳ XXssProtectionMiddleware

```

Each sub-middleware:

- Accepts `(ServerRequestInterface $req, callable $next)`
- Returns `Promise`
- Mutates headers only in the **response**
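Because the dispatcher is the request callable that `HttpServer` accepts, it can be invoked directly with a constructed request and the resulting response audited against the header values documented above. The following is an added example, not code from the project; it assumes composer autoloading, that `MiddlewareDispatcher` is callable as `$dispatcher($request)`, and that options not passed to `HelmetMiddleware` take the defaults from the option map:

```php
<?php
// Added example (not code from the hasanparasteh/helmet project): invoke the
// documented MiddlewareDispatcher with a constructed request and compare the
// response against the header values this README lists. No socket is opened.
require __DIR__ . '/vendor/autoload.php';
use HP\Helmet\Http\MiddlewareDispatcher;
use HP\Helmet\Middleware\Security\Helmet\HelmetMiddleware;
use Psr\Http\Message\ResponseInterface;
use React\EventLoop\Loop;
use React\Http\Message\Response;
use React\Http\Message\ServerRequest;
use React\Promise\PromiseInterface;

// Expected header lines from the "Produces:"/"Output:" blocks above;
// null means the header must be absent from the response.
const EXPECTED_HEADERS = [
    'Strict-Transport-Security'         => 'max-age=15552000; includeSubDomains',
    'X-Content-Type-Options'            => 'nosniff',
    'X-Frame-Options'                   => 'SAMEORIGIN',
    'X-DNS-Prefetch-Control'            => 'off',
    'X-Download-Options'                => 'noopen',
    'X-Permitted-Cross-Domain-Policies' => 'none',
    'X-XSS-Protection'                  => '0',
    'X-Powered-By'                      => null,
];

/** Returns one finding per mismatching header; an empty array means all match. */
function auditResponse(ResponseInterface $res): array
{
    $findings = [];
    foreach (EXPECTED_HEADERS as $name => $want) {
        $got = $res->hasHeader($name) ? $res->getHeaderLine($name) : null;
        if ($got !== $want) {
            $findings[] = sprintf('%s: expected %s, got %s', $name, $want ?? '<absent>', $got ?? '<absent>');
        }
    }
    return $findings;
}

// Constructed inner handler that deliberately sets X-Powered-By, so the audit
// confirms HelmetMiddleware strips it ('xPoweredBy' => true).
$handler = fn() => new Response(200, ['X-Powered-By' => 'PHP/8.x'], 'ok');
$dispatcher = new MiddlewareDispatcher([new HelmetMiddleware(['xPoweredBy' => true])], $handler);
$report = function (ResponseInterface $res): void {
    $findings = auditResponse($res);
    echo $findings ? implode(PHP_EOL, $findings) : 'all documented headers present', PHP_EOL;
};
$result = $dispatcher(new ServerRequest('GET', 'https://app.example/'));
$result instanceof PromiseInterface ? $result->then($report) : $report($result);
Loop::run(); // drains any deferred work scheduled by the middleware promises
```

Run it after a configuration change to catch a disabled sub-middleware or a mistyped alias before the server is exposed.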


PHPackages © 2026
