mikefrancis / laravel-secureheaders
SecureHeaders wrapper for Laravel.
Requires
- aidantwoods/secureheaders: ^2.0
- illuminate/contracts: >=5.4
- illuminate/http: >=5.4
- illuminate/support: >=5.4
Requires (Dev)
- phpunit/phpunit: ^8.3
- squizlabs/php_codesniffer: ^3.5
README
SecureHeaders wrapper for Laravel.
Based on aidantwoods/SecureHeaders.
Installation
Require the mikefrancis/laravel-secureheaders package in your composer.json and update your dependencies:
composer require mikefrancis/laravel-secureheaders
If you are using Laravel 5.5+, package discovery is enabled. For Laravel 5.4, add the service provider to your config/app.php providers array:
MikeFrancis\LaravelSecureHeaders\ServiceProvider::class,
Usage
To add more secure headers to your entire application, add the ApplySecureHeaders middleware in the $middleware
property of app/Http/Kernel.php class:
protected $middleware = [ // ... \MikeFrancis\LaravelSecureHeaders\ApplySecureHeaders::class, ];
Configuration
Some sensible defaults have been set in config/secure-headers.php but if you'd like to change these, copy the file to your own application's config using the following command:
php artisan vendor:publish --provider="MikeFrancis\LaravelSecureHeaders\ServiceProvider"
A typical configuration might look like this:
<?php return [ // Safe Mode 'safeMode' => false, // HSTS Strict-Transport-Security 'hsts' => [ 'enabled' => true, ], // Content Security Policy 'csp' => [ 'default' => [ 'self', ], 'img-src' => [ '*', // Allow images from anywhere ], 'style-src' => [ 'self', 'unsafe-inline', // Allow inline styles 'https://fonts.googleapis.com', // Allow stylesheets from Google Fonts ], 'font-src' => [ 'self', 'https://fonts.gstatic.com', // Allow fonts from the Google Fonts CDN ], ], ];
For a full reference of Content Security Policy directives and their values, see content-security-policy.com.