jcaillot / laminas-owasp-headers
Laminas listener; adds OWASP headers to the HTTP response
v1.0
2021-10-08 20:56 UTC
Requires
- php: ^7.3 || ~8.0.0
- container-interop/container-interop: ^1.2
- laminas/laminas-di: ^3.2.2
- laminas/laminas-mvc: ^3.1.1
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.2
- laminas/laminas-developer-tools: ^2.1.1
- laminas/laminas-test: ^3.4.2
- phpstan/phpstan: ^0.12.99
README
OWASP headers Response Listener for the Laminas framework
Laminas MvcEvent::EVENT_RENDER listener that adds the OWASP recommended HTTP headers to the HTTP response.
Installation
composer require jcaillot/laminas-owasp-headers
In <Your Module>/config/module.config.php, add the following declarations:
```php
'service_manager' => [
    'invokables' => [
        ...
        \Chaman\Listener\OwaspHeadersListener::class => \Chaman\Listener\OwaspHeadersListener::class,
    ],
],
'listeners' => [
    ...
    \Chaman\Listener\OwaspHeadersListener::class,
],
'owasp-headers' => [
    # Browsers (or other complying user agents) should only interact with this site over HTTPS:
    # see https://https.cio.gov/hsts/
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',

    # Prevents the browser from interpreting files as something other than the declared content type.
    # The header name is X-Content-Type-Options (with the trailing "s"); browsers ignore it otherwise:
    'X-Content-Type-Options' => 'nosniff',

    # Note: this is applied to every response the listener touches; drop it if the
    # application also serves JSON or other non-HTML responses:
    'Content-Type' => 'text/html; charset=utf-8',

    # Enables the cross-site scripting (XSS) filter in the browser
    # (the OWASP Secure Headers Project now recommends the value 0, i.e. disabling the filter,
    # and relying on Content-Security-Policy instead):
    'X-XSS-Protection' => '1; mode=block',

    # The browser must not display the transmitted content in frames:
    'X-Frame-Options' => 'DENY',

    # No XML cross-domain policy file (for Flash or Acrobat) allowed:
    # see https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
    'X-Permitted-Cross-Domain-Policies' => 'none',

    # Referrer-Policy governs which referrer information is sent in the Referer header:
    'Referrer-Policy' => 'same-origin',

    # Content Security Policy (CSP) requires careful tuning
    # see https://csp-evaluator.withgoogle.com
    # suggested: 'Content-Security-Policy' => 'default-src \'self\'; img-src \'self\'; script-src \'self\'; frame-ancestors \'none\'',
    'Content-Security-Policy' => 'frame-ancestors \'none\'',

    # Selectively enable and disable use of various browser features and APIs.
    # Each directive is "<feature> <allowlist>" with no colon; Feature-Policy has since been
    # superseded by Permissions-Policy (e.g. 'camera=(), payment=(), microphone=()'):
    'Feature-Policy' => 'camera \'none\'; payment \'none\'; microphone \'none\'',
],
```
Open your browser's developer tools on the Network tab and check that the headers are present on the response.
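To show how a render-time listener of this kind works, here is an added, illustrative implementation. It is not the source of `jcaillot/laminas-owasp-headers`; the class name `SecurityHeadersListener`, the namespace `App\Listener` and the constructor injection of the `owasp-headers` array are assumptions made for the example. It uses only the Laminas EventManager, Http and Mvc APIs.

```php
<?php
// Added illustrative example (not the project's own code): a listener aggregate
// that applies header values from the 'owasp-headers' config array when
// MvcEvent::EVENT_RENDER fires. Class and namespace names are assumptions.

declare(strict_types=1);

namespace App\Listener;

use Laminas\EventManager\AbstractListenerAggregate;
use Laminas\EventManager\EventManagerInterface;
use Laminas\Http\Response as HttpResponse;
use Laminas\Mvc\MvcEvent;

final class SecurityHeadersListener extends AbstractListenerAggregate
{
    /** @var array<string,string> header name => header value */
    private array $headersToAdd;

    public function __construct(array $headersToAdd)
    {
        $this->headersToAdd = $headersToAdd;
    }

    public function attach(EventManagerInterface $events, $priority = 1): void
    {
        // EVENT_RENDER fires after the controller has returned and before the
        // response is sent, so every rendered page receives the headers.
        $this->listeners[] = $events->attach(MvcEvent::EVENT_RENDER, [$this, 'onRender'], $priority);
    }

    public function onRender(MvcEvent $e): void
    {
        $response = $e->getResponse();
        // A console run or a custom front controller may yield a non-HTTP response.
        if (!$response instanceof HttpResponse) {
            return;
        }
        self::applyHeaders($response, $this->headersToAdd);
    }

    /**
     * Add each configured header unless a controller already set one with the
     * same name: the config is a site-wide baseline, and an action that needs a
     * tighter or different policy (e.g. a page-specific CSP) keeps its own value
     * without the response carrying two conflicting header lines.
     */
    public static function applyHeaders(HttpResponse $response, array $headersToAdd): void
    {
        $headers = $response->getHeaders();
        foreach ($headersToAdd as $name => $value) {
            if ($headers->has($name)) {
                continue;
            }
            $headers->addHeaderLine($name, $value);
        }
    }
}
```

Because the class takes the header map in its constructor, it would be registered under `service_manager.factories` rather than `invokables`, with a factory that passes `$container->get('config')['owasp-headers'] ?? []`, and then listed under `listeners` exactly as the module's own class is above. The `has()` guard is the detail worth keeping in any such listener: without it, a controller that sets its own `Content-Security-Policy` ends up with two CSP header lines, and browsers enforce the intersection of both.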
About OWASP recommended headers
More information on OWASP recommended headers can be found on the OWASP Secure Headers Project Wiki: