Category: Laravel

Some time ago I read an excellent article by Scott Helme on https://scotthelme.co.uk/hardening-your-http-response-headers/. If you want to learn more about these headers I suggest you read the article yourself. I've added security headers to this website and want to show you how it was done.

I've used the https://github.com/BePsvPT/laravel-security-header package to add the security headers.

My https://github.com/barryvanveen/barryvanveen/blob/master/config/security-header.php looks like this:

```php
    'nosniff',
    'x-download-options' => 'noopen',
    'x-frame-options' => 'sameorigin',
    'x-permitted-cross-domain-policies' => 'none',
    'x-xss-protection' => '1; mode=block',
    'referrer-policy' => 'unsafe-url',
    'hsts' => [
        'max-age' => 31536000,
        'include-sub-domains' => true,
    ],
    'hpkp' => [
        'hashes' => false,
        'include-sub-domains' => false,
        'max-age' => 15552000,
        'report-only' => false,
        'report-uri' => null,
    ],
    'csp' => [
        'report-only' => false,
        'upgrade-insecure-requests' => false,
        'default-src' => [
            'self' => true,
        ],
        'script-src' => [
            'allow' => [
                $protocol.'ajax.googleapis.com',
                $protocol.'code.jquery.com',
                $protocol.'www.googletagmanager.com',
                $protocol.'www.google-analytics.com',
            ],
            'self' => true,
            'unsafe-inline' => true,
            'unsafe-eval' => true,
            'data' => true,
        ],
        'style-src' => [
            'allow' => [
                $protocol.'fonts.googleapis.com',
            ],
            'self' => true,
            'unsafe-inline' => true,
        ],
        'img-src' => [
            'allow' => [
                $protocol.'www.google-analytics.com',
            ],
            'self' => true,
            'data' => true,
        ],
        'font-src' => [
            'allow' => [
                $protocol.'fonts.gstatic.com',
            ],
            'self' => true,
            'data' => true,
        ],
        'object-src' => [
            'allow' => [],
            'self' => false,
        ],
    ],
];
```

Some notes: Only enable Strict-Transport-Security if you have an SSL certificate.
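To see what a configuration like this actually gives you, here is an added audit script (my own, not code from the post or from the laravel-security-header package) that parses a set of response headers and flags the settings that weaken the protection: the unsafe-url referrer policy, 'unsafe-inline' and 'unsafe-eval' in script-src, and HSTS on a site that is not served over TLS. The sample headers are hand-constructed from the values in the config above, not captured from the package's output.

```python
from typing import Dict, List

# Constructed sample, written by hand from the config values above (not captured from the package).
SAMPLE_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "sameorigin",
    "Referrer-Policy": "unsafe-url",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src https://ajax.googleapis.com https://code.jquery.com 'self' "
        "'unsafe-inline' 'unsafe-eval' data:; "
        "style-src https://fonts.googleapis.com 'self' 'unsafe-inline'"
    ),
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str], served_over_https: bool) -> List[str]:
    """Return findings for missing or weakened headers; an empty list means none found."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    for required in ("x-content-type-options", "x-frame-options", "content-security-policy"):
        if required not in h:
            findings.append(f"missing {required}")
    if h.get("referrer-policy", "").lower() == "unsafe-url":
        findings.append("referrer-policy unsafe-url sends the full URL to every origin, HTTP included")
    if "strict-transport-security" in h and not served_over_https:
        findings.append("HSTS sent over plain HTTP: browsers ignore it, so it needs TLS first")
    csp = parse_csp(h.get("content-security-policy", ""))
    # script-src falls back to default-src when it is not set explicitly.
    scripts = csp.get("script-src", csp.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "data:"):
        if weak in scripts:
            findings.append(f"script-src allows {weak}, which removes most of CSP's XSS protection")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS, served_over_https=True):
        print("-", finding)
```

Run it against the headers of a real response (for example from `curl -I`) and the findings list tells you which of the settings above to tighten first.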