jcaillot / owasp-headers
Laravel middleware. Adds OWASP recommended headers to the response,
Requires
- php: ^7.4 || ^8.0
- laravel/framework: ^5.2 || ^6.0 || ^7.0 || ^8.0
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.1
- phpstan/phpstan: ^0.12.98
- phpunit/phpunit: ^9.5
README
OWASP header middleware for the Laravel framework
Laravel middleware. Adds OWASP recommended headers to the response
Prerequisites
Laravel >= 5.2
Installation
1. install library
composer require jcaillot/owasp-headers
2. Edit the config file
copy ./vendor/jcaillot/owasp-headers/config/owasp-headers-example.php
to ./config/owasp-headers-php
in your app config directory:
php -r "copy( 'vendor/jcaillot/owasp-headers/config/owasp-headers-example.php', 'config/owasp-headers.php');"
Do not hesitate to edit your version of ./config/owasp-headers.php
in order to fine-tune the OWASP recommended
headers. CAUTION: Headers like: HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP) need a special
attention in order not to cause any incident. Here is the default list of headers that will be added to the response:
return [ 'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload', # Prevents the browser from interpreting files as something else than declared by the content type: 'X-Content-Type-Option' => 'nosniff', 'Content-Type' => 'text/html; charset=utf-8', # Enables the Cross-site scripting (XSS) filter in the browser: 'X-XSS-Protection' => '1; mode=block', # The browser must not display the transmitted content in frames: 'X-Frame-Options' => 'DENY', # No XML policy file( (for Flash or Acrobat) allowed: # see https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html 'X-Permitted-Cross-Domain-Policies' => 'none', # Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included: 'Referrer-Policy' => 'same-origin', # Content Security Policy (CSP) requires careful tuning # see https://csp-evaluator.withgoogle.com # example: 'Content-Security-Policy' => 'default-src \'self\'; img-src \'self\'; script-src \'self\'; frame-ancestors \'none\'', 'Content-Security-Policy' => 'frame-ancestors \'none\'', # Selectively enable and disable use of various browser features and APIs 'Feature-Policy' => 'camera: \'none\'; payment: \'none\'; microphone: \'none\'', ];
3. Declare the middleware in Kernel
in app/Kernel.php
, you can declare the middleware globally. All responses will be affected:
protected $middleware = [ ... \Chaman\Http\Middleware\OwaspHeaders::class, ];
alternatively, you can declare it as a route middleware and associate it on a route basis:
protected routeMiddleware = [ ... 'owasp.headers' => \Chaman\Http\Middleware\OwaspHeaders::class, ];
And apply it later on on any route (in routes/web.php
):
Route::get('/home', function () { ... })->middleware('owasp.headers');
About OWASP recommender headers
More infos on OWASP recommended headers can be found on the OWASP Secure Headers Project Wiki: