Set Feature-Policy headers in a Laravel app


This package is strongly inspired by Spatie's laravel-csp package. Thanks to Freek van der Herten and Thomas Verhelst for creating such an awesome package and doing all the heavy lifting!

With Feature-Policy you can control which web platform features to allow and disallow within your web applications. Feature-Policy is a Security Header (like Content-Security-Policy) that is brand new. The list of things you can restrict isn't final yet; I'll add them over time as the specification evolves.


You should install this package via composer:

$ composer require mazedlx/laravel-feature-policy

Next, publish the config file:

$ php artisan vendor:publish --provider="Mazedlx\FeaturePolicy\FeaturePolicyServiceProvider" --tag="config"

The contents of the config/feature-policy.php file look like this:


<?php

return [
    /*
     * A policy will determine which Feature-Policy headers will be set.
     * A valid policy extends `Mazedlx\FeaturePolicy\Policies\Policy`
     */
    'policy' => Mazedlx\FeaturePolicy\Policies\Basic::class,

    /*
     * Feature-policy headers will only be added if this is set to true
     */
    'enabled' => env('FPH_ENABLED', true),
];


You can add Feature-Policy headers to all responses by registering Mazedlx\FeaturePolicy\AddFeaturePolicyHeaders::class in the HTTP kernel:

// app/Http/Kernel.php

// ...

protected $middlewareGroups = [
    'web' => [
        // ...
        \Mazedlx\FeaturePolicy\AddFeaturePolicyHeaders::class,
    ],
];

Alternatively, you can add the middleware to a single route or route group:

// in a routes file
Route::get('/home', 'HomeController')->middleware(Mazedlx\FeaturePolicy\AddFeaturePolicyHeaders::class);

You could even pass a policy as a parameter and override the policy specified in the config file:

// in a routes file
Route::get('/home', 'HomeController')->middleware(Mazedlx\FeaturePolicy\AddFeaturePolicyHeaders::class . ':' . MyFeaturePolicy::class);


This package allows you to define Feature-Policy policies. A Feature-Policy policy determines which Feature-Policy directives will be set in the headers of the response.

An example of a Feature-Policy directive is microphone:

Feature-Policy: microphone 'self'

In the above example, by specifying microphone and allowing it for 'self', the feature is disabled for all origins except our own and

The full list of restrictable directives isn't final yet, but here are some of the things you have access to:

  • accelerometer
  • ambient-light-sensor
  • autoplay
  • camera
  • encrypted-media
  • fullscreen
  • geolocation
  • gyroscope
  • magnetometer
  • microphone
  • midi
  • payment
  • picture-in-picture
  • speaker
  • usb
  • vr

You can find the feature definitions at

You can add multiple policy options as an array or as a single string with space-separated options:

// in a policy
$this->addDirective(Directive::CAMERA, [
        Value::SELF,
        'https://example.com', // placeholder origin
    ])
    ->addDirective(Directive::GYROSCOPE, 'self');
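
To check what a policy actually sends, the header value can be parsed back into directives and audited. This is an added example, not code from this package; the function names parseFeaturePolicy and auditFeaturePolicy and the sample header value are assumptions made for illustration.

```php
<?php
// Added example; not part of mazedlx/laravel-feature-policy.

/** Parse a Feature-Policy header value into [feature => allowlist tokens]. */
function parseFeaturePolicy(string $header): array
{
    $policy = [];
    foreach (explode(';', $header) as $directive) {
        $tokens = preg_split('/\s+/', trim($directive), -1, PREG_SPLIT_NO_EMPTY);
        if (!$tokens) {
            continue; // empty segment, e.g. after a trailing ';'
        }
        $feature = strtolower(array_shift($tokens));
        // Merge repeated directives so nothing that was sent is hidden from the audit.
        $policy[$feature] = array_merge($policy[$feature] ?? [], $tokens);
    }
    return $policy;
}

/** List features that are undeclared or open to every origin. */
function auditFeaturePolicy(string $header, array $sensitive): array
{
    $policy = parseFeaturePolicy($header);
    $findings = [];
    foreach ($sensitive as $feature) {
        if (!array_key_exists($feature, $policy)) {
            $findings[] = "$feature: not declared, the browser default applies";
        } elseif (in_array('*', $policy[$feature], true)) {
            $findings[] = "$feature: allowed for every origin (*)";
        }
    }
    return $findings;
}

// Constructed sample: a header value a response might carry.
$header = "geolocation 'self'; fullscreen 'self'; camera *; microphone 'self'";
// Features from the list above that this audit treats as sensitive (an assumption).
$sensitive = ['camera', 'microphone', 'geolocation', 'payment', 'usb'];

foreach (auditFeaturePolicy($header, $sensitive) as $finding) {
    echo $finding, PHP_EOL;
}
```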

Creating Policies

The policy key of the feature-policy config file is set to Mazedlx\FeaturePolicy\Policies\Basic::class by default, which allows your site to use a few of the available features. The class looks like this:


<?php

namespace Mazedlx\FeaturePolicy\Policies;

use Mazedlx\FeaturePolicy\Value;
use Mazedlx\FeaturePolicy\Directive;

class Basic extends Policy
{
    public function configure()
    {
        $this->addDirective(Directive::GEOLOCATION, Value::SELF)
            ->addDirective(Directive::FULLSCREEN, Value::SELF);
    }
}

Let's say you're happy with allowing geolocation and fullscreen but also wanted to add to gain access to this feature, then you can easily extend the class:


<?php

namespace App\Services\FeaturePolicy\Policies;

use Mazedlx\FeaturePolicy\Directive;
use Mazedlx\FeaturePolicy\Policies\Basic;

class MyFeaturePolicy extends Basic
{
    public function configure()
    {
        // Start from the directives Basic already sets.
        parent::configure();

        $this->addDirective(Directive::GEOLOCATION, '')
            ->addDirective(Directive::FULLSCREEN, '');
    }
}

Don't forget to change the policy key in the feature-policy config file to the class name of your policy (e.g. App\Services\Policies\MyFeaturePolicy).


You can run all tests with:

$ composer tests


Please see CHANGELOG for more information on what has changed recently.


Please see CONTRIBUTING for details.


If you discover any security related issues please email instead of using the issue tracker.



If you like this package please feel free to star it.


The MIT License (MIT). Please see LICENSE for more information.
