Download the PHP package philiprehberger/laravel-security-headers without Composer
On this page you can find all versions of the php package philiprehberger/laravel-security-headers. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.
Download philiprehberger/laravel-security-headers
More information about philiprehberger/laravel-security-headers
Files in philiprehberger/laravel-security-headers
Package laravel-security-headers
Short Description Laravel middleware for comprehensive security headers including CSP with nonce support, HSTS, and Permissions-Policy
License MIT
Homepage https://github.com/philiprehberger/laravel-security-headers
Informations about the package laravel-security-headers
Laravel Security Headers
Laravel middleware for comprehensive security headers including CSP with nonce support, HSTS, and Permissions-Policy.
Requirements
- PHP 8.2+
- Laravel 11 or 12
Installation
Laravel auto-discovery registers the service provider automatically.
Usage
Publishing the Config
This copies config/security-headers.php into your application's config/ directory.
Registering the Middleware
Laravel 11+ (bootstrap/app.php)
Laravel 10 and earlier (app/Http/Kernel.php)
Using the CSP Nonce in Blade
The nonce is shared to every view under the variable name configured in csp.nonce_view_variable (default: cspNonce).
Accessing the Nonce in PHP
Configuration Reference
Hardening the CSP
By default, 'unsafe-eval' is included in script-src and 'unsafe-inline' is included in style-src for broad compatibility. You can disable these for stricter security:
When unsafe_inline is disabled, all inline styles must use the CSP nonce. When unsafe_eval is disabled, eval() and related JavaScript features are blocked.
Hardcoded CSP Directives
The following directives are always included and cannot be changed via config:
| Directive | Value | Purpose |
|---|---|---|
default-src |
'self' |
Fallback for all resource types |
base-uri |
'self' |
Prevents <base> tag hijacking |
object-src |
'none' |
Blocks Flash/Java embeds |
Customization Examples
Allow an external CDN for scripts
Allow external font providers
Allow WebSocket connections to a production server
Allow forms to post to a subdomain
Enable HSTS in production via environment variable
Enable Report-Only mode to test your CSP without enforcing it
When report_only is true, the middleware sends Content-Security-Policy-Report-Only instead of Content-Security-Policy. This lets browsers report violations without blocking resources, which is useful when rolling out a new policy.
Send CSP violation reports to an endpoint
When set, report-uri <uri> and/or report-to <group> are appended to the CSP header. Both are omitted by default.
Configure X-Permitted-Cross-Domain-Policies
Controls the X-Permitted-Cross-Domain-Policies header which restricts Adobe Flash/PDF cross-domain policy files. Set to null or false to omit the header.
Use the CspDirective enum for type-safe directive names
Remove a header you do not need
API
Middleware
| Class | Description |
|---|---|
SecurityHeaders |
Middleware that injects all configured security headers into each response and generates a per-request CSP nonce |
Enums
| Enum | Description |
|---|---|
CspDirective |
Backed string enum with cases for common CSP directives (DefaultSrc, ScriptSrc, StyleSrc, ImgSrc, FontSrc, ConnectSrc, MediaSrc, FrameSrc, BaseUri, FormAction, FrameAncestors) |
Service Provider
Auto-discovered via Laravel's package discovery. Registers the middleware and publishes the config file.
Blade Variable
| Variable | Description |
|---|---|
$cspNonce |
Per-request CSP nonce shared to all Blade views (name configurable via csp.nonce_view_variable) |
Request Attribute
| Attribute | Description |
|---|---|
csp_nonce |
Per-request CSP nonce accessible via $request->attributes->get('csp_nonce') |
Development
Support
If you find this project useful:
License
MIT
All versions of laravel-security-headers with dependencies
illuminate/http Version ^11.0|^12.0
illuminate/support Version ^11.0|^12.0
illuminate/view Version ^11.0|^12.0