SecureHeaders wrapper for Laravel.
Based on aidantwoods/SecureHeaders.
Require the mikefrancis/laravel-secureheaders package in your composer.json and update your dependencies:
composer require mikefrancis/laravel-secureheadersIf you are using Laravel 5.5+, package discovery is enabled. For Laravel 5.4, add the service provider to your config/app.php providers array:
MikeFrancis\LaravelSecureHeaders\ServiceProvider::class,To add more secure headers to your entire application, add the ApplySecureHeaders middleware in the $middleware
property of app/Http/Kernel.php class:
protected $middleware = [
// ...
\MikeFrancis\LaravelSecureHeaders\ApplySecureHeaders::class,
];Some sensible defaults have been set in config/secure-headers.php but if you'd like to change these, copy the file to your own application's config using the following command:
php artisan vendor:publish --provider="MikeFrancis\LaravelSecureHeaders\ServiceProvider"A typical configuration might look like this:
<?php
return [
// Safe Mode
'safeMode' => false,
// HSTS Strict-Transport-Security
'hsts' => [
'enabled' => true,
],
// Content Security Policy
'csp' => [
'default' => [
'self',
],
'img-src' => [
'*', // Allow images from anywhere
],
'style-src' => [
'self',
'unsafe-inline', // Allow inline styles
'https://fonts.googleapis.com', // Allow stylesheets from Google Fonts
],
'font-src' => [
'self',
'https://fonts.gstatic.com', // Allow fonts from the Google Fonts CDN
],
],
];For a full reference of Content Security Policy directives and their values, see content-security-policy.com.