1.x to 2.0 migration guide

1.x to 2.0 Migration Guide

Namespace

SecureHeaders now has a namespace, so you should now use the line

use Aidantwoods\SecureHeaders\SecureHeaders;

somewhere, or all the class via the full namespace location.

Removed Methods

• doneOnOutput and done are now applyOnOutput and apply. These new methods allow custom HttpAdapters to be used (so you can integrate more easily with frameworks), but if you supply no arguements the "global" HttpAdaper will be used (i.e. interact directly with PHPs header() and similar functions).

• addHeader has been removed. You should add headers with header() or via your framework now.

• correctHeaderName has been removed. Please ensure your header names are correct.

Be aware of Potentially Breaking Changes

• Strict Mode now includes injecting the SameSite cookie attribute.

• Strict Mode now includes the Expect-CT: max-age=31536000; enforce as a header proposal.

• If you are using PHP 5.3 you'll have to upgrade your PHP installation before you can follow us in to 2.0.

Unlikely to break, but possibly breaking changes:

• New header proposal by default: X-Permitted-Cross-Domain-Policies: none. As a reminder, a header proposal is a header which will be added unless you have explicitly set the header to a different value, or told SecureHeaders to remove it.

• New header proposal by default: Referrer-Policy: strict-origin-when-cross-origin, with a secondary fallback setting as Referrer-Policy: no-referrer (in case that browser does not support the former). As a reminder, a header proposal is a header which will be added unless you have explicitly set the header to a different value, or told SecureHeaders to remove it.