SilverStripe module for easily adding a selection of useful HTTP headers.
Comes with a default set of headers configured, but can be used to add any headers you wish.
Install via composer:
composer require guttmann/silverstripe-security-headers 1.0.*
SecurityHeaderControllerExtension to the controller of your choice.
For example, add this to your
Page_Controller: extensions: - Guttmann\SilverStripe\SecurityHeaderControllerExtension
Configure header values to suit your site, it's important your config is loaded after the security-headers module's config.
For example, your
mysite/_config/config.yml file might look like this:
--- Name: mysite After: - 'framework/*' - 'cms/*' - 'security-headers/*' --- Guttmann\SilverStripe\SecurityHeaderControllerExtension: headers: Content-Security-Policy: "default-src 'self' *.google-analytics.com;" Strict-Transport-Security: "max-age=2592000"
I am not a security expert - the default header values used in this module are based on advice I have received from a number of sources.
They are not set in stone and if you see any issues please send me a pull request.