<?php
// Escape GET/POST values so injected markup cannot run as script
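if(!function_exists('cleanData')){
/**
 * HTML-escape a request value so it is safe to echo into an HTML context.
 *
 * Scalars are cast to string and run through htmlspecialchars() with
 * ENT_QUOTES, so both single and double quotes are encoded. Arrays (for
 * example a `?ids[]=1&ids[]=2` parameter) are escaped element by element
 * with keys preserved; the original passed them straight to
 * htmlspecialchars(), which is a TypeError on PHP 8 and a warning plus null
 * on PHP 7. ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD
 * instead of htmlspecialchars() returning an empty string, so malformed
 * input can no longer blank a value silently.
 *
 * Note this escapes at input time: values later used outside an HTML
 * context (SQL parameters, JSON, logs, filenames) will carry the entities.
 *
 * @param mixed $data  scalar, or a (nested) array of scalars
 * @return string|array escaped value with the same shape as $data
 */
function cleanData($data){
    if (is_array($data)) {
        $clean = [];
        foreach ($data as $key => $val) {
            $clean[$key] = cleanData($val);
        }
        return $clean;
    }
    return htmlspecialchars((string) $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
}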
// Escape every incoming GET and POST value in place. The superglobals are
// normally always present; the isset() guards only matter if earlier code
// has unset them. array_map() over a single array keeps the original keys,
// so the result is the same as writing each escaped value back by key.
if (isset($_GET)) {
    $_GET = array_map(function ($value) {
        return cleanData($value);
    }, $_GET);
}
if (isset($_POST)) {
    $_POST = array_map(function ($value) {
        return cleanData($value);
    }, $_POST);
}
?>
<?php
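header("X-Content-Type-Options: nosniff");
// Legacy XSS-auditor switch; current browsers ignore it and the CSP below is what counts.
header("X-XSS-Protection: 1; mode=block");
// NOTE(review): geolocation=* grants the API to every embedded origin - confirm that is intended.
header("Permissions-Policy: camera=(), fullscreen=self, geolocation=*, microphone=(self)");
//Allow below domain embed this link into iframe
$arrUrl = [
    "www.allowedIframeThisLinkDomain1.com",
    "www.allowedIframeThisLinkDomain2.com",
    "www.allowedIframeThisLinkDomain3.com",
];
// canEmbedInSelfDomainname is an optional config constant. Reading an undefined
// bare constant is a fatal Error on PHP 8, so resolve it by name and fail closed
// (DENY / 'none') when it is absent.
$canEmbedSelf = defined('canEmbedInSelfDomainname') && constant('canEmbedInSelfDomainname');
//Support IE
// X-Frame-Options carries a single value and header() replaces an earlier header of
// the same name, so the original loop only ever sent the last "http://" entry. Send
// one ALLOW-FROM for the first host (the only form legacy IE understood); browsers
// that support frame-ancestors ignore X-Frame-Options when the CSP sets it, so the
// full allow-list is expressed in the CSP below.
if (count($arrUrl) > 0) {
    header("X-Frame-Options: allow-from https://" . $arrUrl[0]);
} elseif ($canEmbedSelf) {
    header("X-Frame-Options: SAMEORIGIN");
} else {
    header("X-Frame-Options: DENY");
}
//Support Chrome, Safari, Firefox
//detail please go to https://www.neverj.com/content-security-policy-csp/
$cspBase = "default-src 'self' *.firebase.com *.google-api.com";
if (count($arrUrl) > 0) {
    header("Content-Security-Policy: " . $cspBase . "; frame-ancestors " . implode(" ", $arrUrl) . ";");
} else {
    // Mirror the X-Frame-Options decision in CSP so both mechanisms agree.
    $ancestors = $canEmbedSelf ? "'self'" : "'none'";
    header("Content-Security-Policy: " . $cspBase . "; frame-ancestors " . $ancestors . ";");
}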
?>
For more about Content-Security-Policy, see
Content Security Policy (CSP)
Template for quickly setting secure headers on a JSON response
<?php
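header('Content-Type: application/json');
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
// Expect-CT is obsolete and no longer honoured by browsers; kept for parity with the original.
header('Expect-CT: max-age=86400');
// Access-Control-Allow-Origin / -Methods were dropped: the value was built from the
// request's own Host header, which the client supplies, and an ACAO equal to the
// request's own origin permits nothing that same-origin policy does not already
// allow. Add an explicit origin allow-list here if cross-origin callers are needed.
// The directive is "max-age"; the original "maxage" was not a valid directive and
// the header was ignored. 3600s is a short trial value - raise it once HTTPS is
// known to work for every host.
header('Strict-Transport-Security: max-age=3600');
header('Cache-Control: no-store');
header('Pragma: no-cache');
header('Referrer-Policy: no-referrer');
header('Permissions-Policy: geolocation=self');
header("Content-Security-Policy: default-src 'self'");
//redirect to https
// X-Forwarded-* headers are only meaningful when a proxy in front of this host sets
// them; isset() avoids undefined-index notices when no proxy is present, and strict
// comparison is used because $_SERVER values are strings. REQUEST_URI (rather than
// PHP_SELF) keeps the query string on the redirected URL.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'], $_SERVER['HTTP_X_FORWARDED_PORT'], $_SERVER['HTTP_HOST'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'http'
    && $_SERVER['HTTP_X_FORWARDED_PORT'] === '80') {
    $target = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : $_SERVER['PHP_SELF'];
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $target);
    exit;
}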
?>