amreljako/laravel-secure-headers

Laravel package to add essential HTTP Security Headers.

Maintainers

Package info

github.com/amreljako/laravel-secure-headers

pkg:composer/amreljako/laravel-secure-headers

Statistics

Installs: 0

Dependents: 0

Suggesters: 0

Stars: 1

Open Issues: 0

v1.0.0 2025-09-15 13:52 UTC

This package is auto-updated.

Last update: 2026-03-15 14:59:41 UTC


README

A lightweight Laravel package that automatically adds essential HTTP Security Headers to enhance your application's security and performance.

Installation

Require the package via Composer:

composer require amreljako/laravel-secure-headers

Publish Config

Publish the configuration file to your application:

php artisan vendor:publish --provider="Amreljako\SecureHeaders\SecureHeadersServiceProvider" --tag=config

This will create the following file in your project:

config/secure-headers.php

Usage

Register the middleware in app/Http/Kernel.php:

protected $middleware = [
    \Amreljako\SecureHeaders\Middleware\SecureHeadersMiddleware::class,
];

Once registered, the middleware will automatically apply security headers to all HTTP responses.

Configuration

You can customize the headers in config/secure-headers.php:

return [
    'X-Frame-Options' => 'DENY',
    'X-Content-Type-Options' => 'nosniff',
    'X-XSS-Protection' => '1; mode=block',
    'Referrer-Policy' => 'no-referrer-when-downgrade',
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
    'Content-Security-Policy' => "default-src 'self'; img-src 'self' https://trusted-cdn.com; script-src 'self' https://apis.google.com",
];

Example Response Headers

After installation, each Laravel response will include headers such as:

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
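To confirm that a deployed application actually emits these headers with sound values, a small audit script helps. The following Python is an added example and is not part of the amreljako/laravel-secure-headers package: the header block it parses is constructed from the sample response above, and the expectations it applies (DENY/SAMEORIGIN framing, nosniff, a Referrer-Policy present, an HSTS max-age of at least one year, and a CSP with a default-src fallback that does not allow inline or wildcard scripts) are general hardening checks, not the package's own defaults.

```python
"""Audit HTTP response headers for the security headers this package sets.

Added example (not part of the amreljako/laravel-secure-headers package): the
header block below is constructed from the README's sample response, and the
expectations encode common hardening guidance, not the package's own defaults.
"""
import re

# Constructed sample: raw header lines as they would appear in a response
# from an application with the middleware registered (values from the README).
SAMPLE_HEADERS = """\
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
"""

ONE_YEAR = 31536000  # seconds; the README's HSTS max-age


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Clickjacking: the page must not be framed by other origins.
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    # MIME sniffing: browsers must honour the declared Content-Type.
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff' (MIME sniffing)")

    # Referrer leakage: some policy should be declared explicitly.
    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy missing (referrer leakage)")

    # HSTS: present, and with a max-age long enough to be effective.
    hsts = headers.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if not match:
        findings.append("Strict-Transport-Security missing or has no max-age")
    elif int(match.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age shorter than one year")

    # CSP: a default-src fallback, and no inline/wildcard script sources.
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:
            findings.append("CSP has no default-src fallback")
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP allows inline or wildcard scripts (weakens XSS protection)")

    return findings


if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE_HEADERS)) or ["no findings"]:
        print(finding)
```

Paste the output of `curl -sI https://your-app.example/` into SAMPLE_HEADERS (or read it from stdin) to run the same checks against a live deployment; an empty findings list means the headers match the expectations above.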

Why Use Security Headers?

  • X-Frame-Options → Prevents Clickjacking attacks
  • X-Content-Type-Options → Blocks MIME type sniffing
  • X-XSS-Protection → Adds basic browser XSS protection (legacy)
  • Referrer-Policy → Controls what referrer information is sent with requests
  • Strict-Transport-Security (HSTS) → Enforces secure HTTPS connections
  • Content-Security-Policy (CSP) → Strong protection against XSS and data injection attacks

License

This package is open-sourced software licensed under the MIT license.