
hyperia/yii2-secure-headers
===========================

Secure headers for your Yii2 app


Yii2 security headers extension
===============================


> Add security related headers to HTTP response. The package includes extension for easy Yii2 integration.

Installation
------------


The preferred way to install this extension is through [composer](http://getcomposer.org/download/).

Either run

```
composer require hyperia/yii2-secure-headers:"^2.0"
```

or add

```
"hyperia/yii2-secure-headers": "^2.0"
```

to the require section of your composer.json.

Configuration (usage)
---------------------


```
// Register the component in the bootstrap list so the headers are attached to every response.
'bootstrap'  => [..., 'headers'],
'components' => [
    ...
    'headers' => [
        'class' => '\hyperia\security\Headers',
        'upgradeInsecureRequests' => true,
        'blockAllMixedContent' => true,
        'requireSriForScript' => false,
        'requireSriForStyle' => false,
        'xssProtection' => true,
        'contentTypeOptions' => true,
        // Strict-Transport-Security; max-age is in seconds
        'strictTransportSecurity' => [
            'max-age' => 10,
            'includeSubDomains' => true,
            'preload' => false
        ],
        'xFrameOptions' => 'DENY',
        'xPoweredBy' => 'Hyperia',
        'referrerPolicy' => 'no-referrer',
        // true sends Content-Security-Policy-Report-Only instead of enforcing the policy
        'reportOnlyMode' => false,
        'reportUri' => 'https://company.report-uri.com/r/d/csp/enforce',
        // Report-To header; the CSP 'report-to' directive below must reference one of these groups
        'reportTo' => [
            [
                'group' => 'groupName',
                'max_age' => 10886400,
                'endpoints' => [
                    [
                        'name' => 'endpointName',
                        'url' => 'https://example.com',
                        'failures' => 1
                    ]
                ]
            ]
        ],
        // Content-Security-Policy directives; set a directive to false to omit it
        'cspDirectives' => [
            'connect-src' => "'self'",
            'font-src' => "'self'",
            'frame-src' => "'self'",
            'img-src' => "'self' data:",
            'manifest-src' => "'self'",
            'object-src' => "'self'",
            'prefetch-src' => false,
            'script-src' => "'self' 'unsafe-inline'",
            'style-src' => "'self' 'unsafe-inline'",
            'media-src' => "'self'",
            'form-action' => "'self'",
            'worker-src' => "'self'",
            'report-to' => 'groupName'
        ],
        // Deprecated. Use Permissions Policy instead.
        'featurePolicyDirectives' => [
            'accelerometer' => "'self'",
            'ambient-light-sensor' => "'self'",
            'autoplay' => "'self'",
            'battery' => "'self'",
            'camera' => "'self'",
            'display-capture' => "'self'",
            'document-domain' => "'self'",
            'encrypted-media' => "'self'",
            'fullscreen' => "'self'",
            'geolocation' => "'self'",
            'gyroscope' => "'self'",
            'layout-animations' => "'self'",
            'magnetometer' => "'self'",
            'microphone' => "'self'",
            'midi' => "'self'",
            'oversized-images' => "'self'",
            'payment' => "'self'",
            'picture-in-picture' => "*",
            'publickey-credentials-get' => "'self'",
            'sync-xhr' => "'self'",
            'usb' => "'self'",
            'wake-lock' => "'self'",
            'xr-spatial-tracking' => "'self'"
        ],
        // Permissions-Policy uses unquoted allowlist tokens (self, *), unlike CSP
        'permissionsPolicyDirectives' => [
            'accelerometer' => "self",
            'ambient-light-sensor' => "self",
            'autoplay' => "self",
            'battery' => "self",
            'camera' => "self",
            'display-capture' => "self",
            'document-domain' => "self",
            'encrypted-media' => "self",
            'fullscreen' => "self",
            'geolocation' => "self",
            'gyroscope' => "self",
            'layout-animations' => "self",
            'magnetometer' => "self",
            'microphone' => "self",
            'midi' => "self",
            'oversized-images' => "self",
            'payment' => "self",
            'picture-in-picture' => "*",
            'publickey-credentials-get' => "self",
            'sync-xhr' => "self",
            'usb' => "self",
            'wake-lock' => "self",
            'xr-spatial-tracking' => "self"
        ]
    ]
]
```
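Before shipping a config like the one above, it is worth checking it for the mistakes that silently weaken the headers. The following is an added example, not code from hyperia/yii2-secure-headers: it lints a `headers` component array for a `report-to` directive that names no `reportTo` group, `'unsafe-inline'` in `script-src`, and a very short HSTS `max-age`. The `renderCsp()` join is only an illustration of how the directives map onto the header value; the extension itself renders the policy through paragonie/csp-builder.

```php
<?php
// Added example, not part of hyperia/yii2-secure-headers: lint a 'headers'
// component array like the README's before deploying it. renderCsp() is a plain
// join for illustration; the extension renders the real header via paragonie/csp-builder.
declare(strict_types=1);

// Render a Content-Security-Policy value from cspDirectives, dropping entries set to false.
function renderCsp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $value) {
        if ($value === false) {
            continue; // e.g. 'prefetch-src' => false is omitted from the header
        }
        $parts[] = $name . ' ' . $value;
    }
    return implode('; ', $parts);
}

// Return findings for a headers config; an empty array means it looks consistent.
function lintHeadersConfig(array $cfg): array
{
    $findings = [];
    $csp = $cfg['cspDirectives'] ?? [];
    // The CSP report-to directive must name a group declared in the Report-To header.
    $groups = array_column($cfg['reportTo'] ?? [], 'group');
    if (isset($csp['report-to']) && !in_array($csp['report-to'], $groups, true)) {
        $findings[] = "report-to group '{$csp['report-to']}' is not declared in reportTo";
    }
    // 'unsafe-inline' in script-src removes most of the XSS protection CSP offers.
    if (strpos($csp['script-src'] ?? '', "'unsafe-inline'") !== false) {
        $findings[] = "script-src allows 'unsafe-inline'; prefer nonces or hashes";
    }
    // A tiny HSTS max-age gives no lasting protection; 180 days is a common floor.
    $maxAge = $cfg['strictTransportSecurity']['max-age'] ?? 0;
    if ($maxAge < 15552000) {
        $findings[] = "strictTransportSecurity max-age {$maxAge} is below 15552000 (180 days)";
    }
    return $findings;
}

// Constructed sample; the report-to group name is deliberately mismatched to trigger the check.
$sample = [
    'strictTransportSecurity' => ['max-age' => 10, 'includeSubDomains' => true],
    'reportTo' => [['group' => 'groupName', 'max_age' => 10886400, 'endpoints' => []]],
    'cspDirectives' => ['script-src' => "'self' 'unsafe-inline'", 'prefetch-src' => false, 'report-to' => 'groupname'],
];
echo renderCsp($sample['cspDirectives']), PHP_EOL;
foreach (lintHeadersConfig($sample) as $f) {
    echo "WARN: $f", PHP_EOL;
}
```

Run it with `php lint-headers.php` (any file name will do) and paste your own `headers` array into `$sample`; the three warnings it prints for the sample all apply verbatim to the README configuration above.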

Parameter description
---------------------

| Source Value | Example | Description |
| --- | --- | --- |
| `*` | `img-src *` | Wildcard, allows any URL except data: blob: filesystem: schemes. |
| `'none'` | `object-src 'none'` | Prevents loading resources from any source. |
| `'self'` | `script-src 'self'` | Allows loading resources from the same origin (same scheme, host and port). |
| `data:` | `img-src 'self' data:` | Allows loading resources via the data scheme (e.g. Base64 encoded images). |
| `domain.example.com` | `img-src domain.example.com` | Allows loading resources from the specified domain name. |
| `*.example.com` | `img-src *.example.com` | Allows loading resources from any subdomain under example.com. |
| | `img-src` | Allows loading resources only over HTTPS matching the given domain. |
| `https:` | `img-src https:` | Allows loading resources only over HTTPS on any domain. |
| `'unsafe-inline'` | `script-src 'unsafe-inline'` | Allows use of inline source elements such as the style attribute, onclick, or script tag bodies (depends on the context of the source it is applied to). |
| `'unsafe-eval'` | `script-src 'unsafe-eval'` | Allows unsafe dynamic code evaluation such as JavaScript eval(). |
| `false` | `prefetch-src false` | Excludes the property from the directive array to avoid a deprecation warning/error from browsers. |

#### Policy

Each header has a reference link in the config file; read it if you are not familiar with the header. To disable a string-type header, set it to `null` or an empty string.

#### Content Security Policy

We use paragonie/csp-builder to build the CSP header. To disable the CSP header, set custom-csp to an empty string.

#### Subresource Integrity

To require subresource integrity for style and script sources, set `requireSriForStyle` and `requireSriForScript` to `true`.

#### Feature Policy

**Deprecated. Use Permissions Policy instead.** Feature Policy was created to allow site owners to enable and disable certain web platform features on their own pages and those they embed. Use the same directives as for CSP.

#### Permissions Policy

Permissions Policy is the new policy that replaces Feature Policy.

#### Additional Resources


[Everything you need to know about HTTP security headers](https://blog.appcanary.com/2017/http-security-headers.html)


### Maintainers

- [arzzen](/maintainers/arzzen)
- [Hyperia s.r.o.](/maintainers/hyperia-sk) ([@hyperia-sk](https://github.com/hyperia-sk))
- [Lukáš Hrdlička](/maintainers/karster) ([@karster](https://github.com/karster))
