mikefrancis/laravel-secureheaders

SecureHeaders wrapper for Laravel.

Laravel SecureHeaders

, _(*1)

SecureHeaders wrapper for Laravel., _(*2)

Based on aidantwoods/SecureHeaders., _(*3)

Installation

Require the mikefrancis/laravel-secureheaders package in your composer.json and update your dependencies:, _(*4)

composer require mikefrancis/laravel-secureheaders

If you are using Laravel 5.5+, package discovery is enabled. For Laravel 5.4, add the service provider to your config/app.php providers array:, _(*5)

MikeFrancis\LaravelSecureHeaders\ServiceProvider::class,

Usage

To add more secure headers to your entire application, add the ApplySecureHeaders middleware in the $middleware property of app/Http/Kernel.php class:, _(*6)

protected $middleware = [
    // ...
    \MikeFrancis\LaravelSecureHeaders\ApplySecureHeaders::class,
];

Configuration

Some sensible defaults have been set in config/secure-headers.php but if you'd like to change these, copy the file to your own application's config using the following command:, _(*7)

php artisan vendor:publish --provider="MikeFrancis\LaravelSecureHeaders\ServiceProvider"

A typical configuration might look like this:, _(*8)

<?php

return [
    // Safe Mode
    'safeMode' => false,

    // HSTS Strict-Transport-Security
    'hsts' => [
        'enabled' => true,
    ],

    // Content Security Policy
    'csp' => [
        'default' => [
            'self',
        ],
        'img-src' => [
            '*', // Allow images from anywhere
        ],
        'style-src' => [
            'self',
            'unsafe-inline', // Allow inline styles
            'https://fonts.googleapis.com', // Allow stylesheets from Google Fonts
        ],
        'font-src' => [
            'self',
            'https://fonts.gstatic.com', // Allow fonts from the Google Fonts CDN
        ],
    ],
];

For a full reference of Content Security Policy directives and their values, see content-security-policy.com., _(*9)