jcaillot/laminas-owasp-headers

Laminas listener; adds Owasp headers to the HTTP response

Maintainers

Details

github.com/jcaillot/laminas-owasp-headers

Source

Issues

Installs: 8

Dependents: 0

Suggesters: 0

Security: 0

Stars: 0

Watchers: 1

Forks: 0

Open Issues: 0

v1.0 2021-10-08 20:56 UTC

Requires

Requires (Dev)

MIT 6816349f4c94f3692153abc128c5706d8b306d83

headersowasplaminas

This package is auto-updated.

Last update: 2024-04-09 02:24:33 UTC

README

OWASP headers Response Listener for the Laminas framework

Laminas MvcEvent::EVENT_RENDER listener, adds OWASP recommended HTTP headers to the HTTP Response

Installation

composer require jcaillot/laminas-owasp-headers

In <Your Module>/config/module.config.php, add the following declarations:

    'service_manager' => [
            'invokables' => [
                 ...
                 \Chaman\Listener\OwaspHeadersListener::class => \Chaman\Listener\OwaspHeadersListener::class
            ],
     ],
    'listeners' => [
            ...
            \Chaman\Listener\OwaspHeadersListener::class
    ],
   
    
    'owasp-headers' => [
        # Browsers (or other complying user agents) should only interact with me using secure HTTPS connections:
        # see https://https.cio.gov/hsts/
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
        # Prevents the browser from interpreting files as something else than declared by the content type:
        'X-Content-Type-Option' => 'nosniff',
        'Content-Type' => 'text/html; charset=utf-8',
        # Enables the Cross-site scripting (XSS) filter in the browser:
        'X-XSS-Protection' => '1; mode=block',
        # The browser must not display the transmitted content in frames:
        'X-Frame-Options' => 'DENY',
        # No XML policy file( (for Flash or Acrobat) allowed:
        # see https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
        'X-Permitted-Cross-Domain-Policies' => 'none',
        # Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included:
        'Referrer-Policy' => 'same-origin',
        # Content Security Policy (CSP) requires careful tuning
        # see https://csp-evaluator.withgoogle.com
        # suggested: 'Content-Security-Policy' => 'default-src \'self\'; img-src \'self\'; script-src \'self\'; frame-ancestors \'none\'',
        'Content-Security-Policy' => 'frame-ancestors \'none\'',
        # Selectively enable and disable use of various browser features and APIs
        'Feature-Policy' => 'camera: \'none\'; payment: \'none\'; microphone: \'none\'',

    ],

Open your browser console on the network tab and check the headers are added.

About OWASP recommender headers

More infos on OWASP recommended headers can be found on the OWASP Secure Headers Project Wiki:

OWASP

License

MIT