├── LICENSE
├── README.md
└── application
    └── config
        └── hooks.php

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2018 Mehdi Bounya

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
> :warning: I am no longer maintaining this project. If you have access to the server, add these headers and redirections early on, before the request even reaches the application.

Codeigniter-SSLHook
============================

This hook automatically redirects to the HTTPS version of your website and sets the appropriate security headers.

Installation
-----------------
Make sure your `base_url` starts with `https`.

Copy `/application/config/hooks.php` into your `application` folder.
If you already have other hooks, copy the content of `/application/config/hooks.php` into your existing `hooks.php` file instead.

Enable hooks by editing `/application/config/config.php` and setting `enable_hooks` to `TRUE`:
```php
/*
|--------------------------------------------------------------------------
| Enable/Disable System Hooks
|--------------------------------------------------------------------------
|
| If you would like to use the 'hooks' feature you must enable it by
| setting this variable to TRUE (boolean). See the user guide for details.
|
*/
$config['enable_hooks'] = TRUE;
```

How does it work?
-----------------
The hook will:
- Redirect to the HTTPS version if the site is accessed over a non-secure connection.
- Mark cookies `Secure` (sent only over HTTPS) and `HttpOnly` (not readable from JavaScript).
- Set the following headers:
  - `Strict-Transport-Security: max-age=2629800`
  - `X-Content-Type-Options: nosniff`
  - `Referrer-Policy: strict-origin`
  - `X-Frame-Options: DENY`
  - `X-XSS-Protection: 1; mode=block`
--------------------------------------------------------------------------------

/application/config/hooks.php:
--------------------------------------------------------------------------------
```php
// (lines 1-22 of this file, the opening PHP tag and the hook declaration that
//  precedes these statements, are not present in this copy; the surviving part follows)

// Cookies: only send them over HTTPS and keep them out of reach of JavaScript
$CI->config->set_item('cookie_secure', TRUE);
$CI->config->set_item('cookie_httponly', TRUE);

// Set headers
$CI->output->set_header("Strict-Transport-Security: max-age=2629800") // Force future requests to be over HTTPS (max-age is set to 1 month)
    ->set_header("X-Content-Type-Options: nosniff")                   // Disable MIME type sniffing
    ->set_header("Referrer-Policy: strict-origin")                    // Send only the origin as referrer, and never from HTTPS to HTTP
    ->set_header("X-Frame-Options: DENY")                             // Framing of the site is not allowed
    ->set_header("X-XSS-Protection: 1; mode=block");                  // Enable the browser's built-in XSS filter
};
```
--------------------------------------------------------------------------------
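After deploying the hook (or, as the README's warning suggests, after moving the headers and redirect to the web server) it is worth verifying what the server actually emits. The following is an added example, not part of Codeigniter-SSLHook: a small Python audit that parses a captured HTTP response head (such as the output of `curl -sI`) and checks for the redirect, the header values listed in the README and the `Secure`/`HttpOnly` cookie attributes set in `hooks.php`. The sample responses, the `example.com` host and the `ci_session` cookie value are constructed for the example.

```python
"""Audit captured HTTP responses for the controls Codeigniter-SSLHook is meant to enforce.

Added example, not part of the project. Feed it the raw response head captured from the
server (status line plus headers); the constructed samples at the bottom show the format.
"""
import re

# Header values the hook sets, taken from the project's README (compared case-insensitively).
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin",
    "x-frame-options": "deny",
    "x-xss-protection": "1; mode=block",
}
MIN_HSTS_MAX_AGE = 2629800  # one month, the value used by the hook


def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {lowercased name: [values]})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the head; ignore any body
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_https_response(raw):
    """Return findings for a response served over HTTPS; an empty list means every control is present."""
    _, headers = parse_response(raw)
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        values = headers.get(name)
        if not values:
            findings.append(f"missing header: {name}")
        elif values[0].lower() != expected:
            findings.append(f"unexpected {name}: {values[0]!r}")
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("missing header: strict-transport-security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts max-age below {MIN_HSTS_MAX_AGE}: {hsts[0]!r}")
    # Every cookie must carry both attributes the hook configures (cookie_secure, cookie_httponly).
    for cookie in headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
    return findings


def audit_http_redirect(raw):
    """Check that a plain-HTTP response is a redirect to an https:// URL."""
    status, headers = parse_response(raw)
    findings = []
    if status not in (301, 302, 307, 308):
        findings.append(f"expected a redirect status, got {status}")
    location = headers.get("location", [""])[0]
    if not location.lower().startswith("https://"):
        findings.append(f"Location is not https: {location!r}")
    return findings


# Constructed sample responses (not captured from a real server).
GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=2629800\r\nX-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin\r\nX-Frame-Options: DENY\r\nX-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: ci_session=abc123; Path=/; Secure; HttpOnly\r\n\r\n"
)
BAD_HTTPS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: ci_session=abc123; Path=/\r\n\r\n"
)
GOOD_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"

if __name__ == "__main__":
    for label, result in [("https (good)", audit_https_response(GOOD_HTTPS)),
                          ("https (bad)", audit_https_response(BAD_HTTPS)),
                          ("http redirect", audit_http_redirect(GOOD_REDIRECT))]:
        print(label, "->", result or "ok")
```

Run the checks against both the `http://` and the `https://` origin, since the hook only executes once CodeIgniter handles the request: static files, error pages served by the web server and anything answered before the framework starts will not carry these headers, which is the reason the README recommends setting them at the server. Note also that current Chromium- and Firefox-based browsers ignore `X-XSS-Protection`; keep the check if you still emit the header, but a Content-Security-Policy is the control those browsers honour.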