
Laravel SecureHeaders


SecureHeaders wrapper for Laravel.

Based on aidantwoods/SecureHeaders.


Require the mikefrancis/laravel-secureheaders package in your composer.json and update your dependencies:

composer require mikefrancis/laravel-secureheaders

If you are using Laravel 5.5+, package discovery is enabled. For Laravel 5.4, add the service provider to your config/app.php providers array:



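To add more secure headers to your entire application, add the ApplySecureHeaders middleware to the $middleware property of the app/Http/Kernel.php class:

protected $middleware = [
    // ...
    // Assumes the middleware shares the service provider's namespace
    \MikeFrancis\LaravelSecureHeaders\ApplySecureHeaders::class,
];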


Some sensible defaults have been set in config/secure-headers.php but if you'd like to change these, copy the file to your own application's config using the following command:

php artisan vendor:publish --provider="MikeFrancis\LaravelSecureHeaders\ServiceProvider"

A typical configuration might look like this:


return [
    // Safe Mode
    'safeMode' => false,

    // HSTS Strict-Transport-Security
    'hsts' => [
        'enabled' => true,
    ],

    // Content Security Policy
    'csp' => [
        'default' => [
            // ...
        ],
        'img-src' => [
            '*', // Allow images from anywhere
        ],
        'style-src' => [
            'unsafe-inline', // Allow inline styles
            '', // Allow stylesheets from Google Fonts
        ],
        'font-src' => [
            '', // Allow fonts from the Google Fonts CDN
        ],
    ],
];
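
To check what a configuration like the one above actually sends, the following added example (not part of this package or of aidantwoods/SecureHeaders) audits a response's headers for a missing HSTS or CSP header and for the permissive CSP sources * and 'unsafe-inline'. The function names and the sample response are constructed for illustration.

```php
<?php
/** Parse a raw header block (as printed by `curl -sI`) into name => value. */
function parseHeaders(string $raw): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        // The status line has no "Name:" prefix, so it is skipped here.
        if (preg_match('/^([^:\s]+):\s*(.*)$/', $line, $m)) {
            $headers[strtolower($m[1])] = trim($m[2]);
        }
    }
    return $headers;
}

/** Split a CSP header value into directive => list of source expressions. */
function parseCsp(string $policy): array
{
    $directives = [];
    foreach (explode(';', $policy) as $part) {
        $tokens = preg_split('/\s+/', trim($part), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens) {
            $directives[strtolower($tokens[0])] = array_slice($tokens, 1);
        }
    }
    return $directives;
}

/** Return findings for missing headers and permissive CSP sources. */
function auditHeaders(array $headers): array
{
    $findings = [];
    if (!isset($headers['strict-transport-security'])) {
        $findings[] = 'Strict-Transport-Security header is missing';
    }
    $csp = parseCsp($headers['content-security-policy'] ?? '');
    if (!$csp) {
        $findings[] = 'Content-Security-Policy header is missing or empty';
    }
    foreach ($csp as $directive => $sources) {
        foreach (array_intersect(['*', "'unsafe-inline'"], $sources) as $risky) {
            $findings[] = "$directive allows $risky";
        }
    }
    return $findings;
}

// Constructed sample response, not captured from a real application.
$sample = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
    . "Content-Security-Policy: default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'\r\n";
echo implode(PHP_EOL, auditHeaders(parseHeaders($sample))), PHP_EOL;
```

Replace the constructed sample with the output of curl -sI against your own application to review the deployed policy.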

For a full reference of Content Security Policy directives and their values, see
