Skip to content
πŸ”’ SecureHeaders wrapper for Laravel.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
config
src
tests
.gitignore
.travis.yml
README.md
composer.json
phpunit.xml.dist

README.md

Laravel SecureHeaders

Packagist Build Status codecov

SecureHeaders wrapper for Laravel.

Based on aidantwoods/SecureHeaders.

Installation

Require the mikefrancis/laravel-secureheaders package in your composer.json and update your dependencies:

composer require mikefrancis/laravel-secureheaders

If you are using Laravel 5.5+, package discovery is enabled. For Laravel 5.4, add the service provider to your config/app.php providers array:

MikeFrancis\LaravelSecureHeaders\ServiceProvider::class,

Usage

To add more secure headers to your entire application, add the ApplySecureHeaders middleware in the $middleware property of app/Http/Kernel.php class:

protected $middleware = [
    // ...
    \MikeFrancis\LaravelSecureHeaders\ApplySecureHeaders::class,
];

Configuration

Some sensible defaults have been set in config/secure-headers.php but if you'd like to change these, copy the file to your own application's config using the following command:

php artisan vendor:publish --provider="MikeFrancis\LaravelSecureHeaders\ServiceProvider"

A typical configuration might look like this:

<?php

return [
    // Safe Mode
    'safeMode' => false,

    // HSTS Strict-Transport-Security
    'hsts' => [
        'enabled' => true,
    ],

    // Content Security Policy
    'csp' => [
        'default' => [
            'self',
        ],
        'img-src' => [
            '*', // Allow images from anywhere
        ],
        'style-src' => [
            'self',
            'unsafe-inline', // Allow inline styles
            'https://fonts.googleapis.com', // Allow stylesheets from Google Fonts
        ],
        'font-src' => [
            'self',
            'https://fonts.gstatic.com', // Allow fonts from the Google Fonts CDN
        ],
    ],
];

For a full reference of Content Security Policy directives and their values, see content-security-policy.com.

You can’t perform that action at this time.