PHP code example of philiprehberger / laravel-security-headers

1. Go to this page and download the library: Download philiprehberger/laravel-security-headers library. Choose the download type require.

2. Extract the ZIP file and open the index.php.

3. Add this code to the index.php.
    
        
<?php
require_once('vendor/autoload.php');

/* Start to develop here. Best regards https://php-download.com/ */

    

philiprehberger / laravel-security-headers example snippets


use PhilipRehberger\SecurityHeaders\SecurityHeaders;

->withMiddleware(function (Middleware $middleware) {
    $middleware->web(append: [
        SecurityHeaders::class,
    ]);
})

protected $middlewareGroups = [
    'web' => [
        // ...
        \PhilipRehberger\SecurityHeaders\SecurityHeaders::class,
    ],
];

$nonce = $request->attributes->get('csp_nonce');

// config/security-headers.php

return [

    'hsts' => [
        // Set SECURITY_HEADERS_HSTS=true in .env (only when fully on HTTPS)
        'enabled'            => env('SECURITY_HEADERS_HSTS', false),
        'max_age'            => 31536000,
        'e',

        'unsafe_eval'  => true,   //  if enabled)
        'img_src'      => [],   // appended to: 'self' data: blob:
        'font_src'     => [],   // appended to: 'self' data:
        'connect_src'  => [],   // appended to: 'self'
        'frame_ancestors' => ["'self'"],
        'form_action'     => ["'self'"],

        // Optional CSP reporting (omitted when null)
        'report_uri' => null, // appended as `report-uri <uri>`
        'report_to'  => null, // appended as `report-to <group>`
    ],

    // Set to null to omit the header entirely
    'x_content_type_options'         => 'nosniff',
    'x_frame_options'                => 'SAMEORIGIN',
    'x_xss_protection'               => '1; mode=block',
    'referrer_policy'                => 'strict-origin-when-cross-origin',
    'permissions_policy'             => 'geolocation=(), camera=(), microphone=(), payment=()',
    'permitted_cross_domain_policies' => 'none', // X-Permitted-Cross-Domain-Policies (null/false to omit)

    'vite' => [
        'enabled'    => true,
        'dev_server' => 'http://127.0.0.1:5173',
    ],

];

'csp' => [
    'unsafe_eval'   => false,  // removes 'unsafe-eval' from script-src
    'unsafe_inline' => false,  // removes 'unsafe-inline' from style-src
],

'csp' => [
    'script_src' => ['https://cdn.jsdelivr.net'],
],

'csp' => [
    'font_src'  => ['https://fonts.bunny.net', 'https://fonts.gstatic.com'],
    'style_src' => ['https://fonts.bunny.net'],
],

'csp' => [
    'connect_src' => ['wss://ws.example.com'],
],

'csp' => [
    'form_action' => ["'self'", 'https://portal.example.com'],
],

'csp' => [
    'report_only' => true,
],

'csp' => [
    'report_uri' => 'https://example.com/csp-report',
    'report_to'  => 'csp-endpoint',
],

'permitted_cross_domain_policies' => 'none', // default

use PhilipRehberger\SecurityHeaders\CspDirective;

$directive = CspDirective::ScriptSrc; // 'script-src'
$directive = CspDirective::from('style-src'); // CspDirective::StyleSrc

'x_xss_protection' => null,
bash
php artisan vendor:publish --tag=security-headers-config