PHP code example of philiprehberger / laravel-security-headers
1. Go to this page and download the library: Download philiprehberger/laravel-security-headers library. Choose the download type require.
2. Extract the ZIP file and open the index.php.
3. Add this code to the index.php.
<?php
require_once('vendor/autoload.php');
/* Start to develop here. Best regards https://php-download.com/ */
philiprehberger / laravel-security-headers example snippets
use PhilipRehberger\SecurityHeaders\SecurityHeaders;
->withMiddleware(function (Middleware $middleware) {
$middleware->web(append: [
SecurityHeaders::class,
]);
})
protected $middlewareGroups = [
'web' => [
// ...
\PhilipRehberger\SecurityHeaders\SecurityHeaders::class,
],
];
$nonce = $request->attributes->get('csp_nonce');
// config/security-headers.php
return [
'hsts' => [
// Set SECURITY_HEADERS_HSTS=true in .env (only when fully on HTTPS)
'enabled' => env('SECURITY_HEADERS_HSTS', false),
'max_age' => 31536000,
'e',
'unsafe_eval' => true, // if enabled)
'img_src' => [], // appended to: 'self' data: blob:
'font_src' => [], // appended to: 'self' data:
'connect_src' => [], // appended to: 'self'
'frame_ancestors' => ["'self'"],
'form_action' => ["'self'"],
// Optional CSP reporting (omitted when null)
'report_uri' => null, // appended as `report-uri <uri>`
'report_to' => null, // appended as `report-to <group>`
],
// Set to null to omit the header entirely
'x_content_type_options' => 'nosniff',
'x_frame_options' => 'SAMEORIGIN',
'x_xss_protection' => '1; mode=block',
'referrer_policy' => 'strict-origin-when-cross-origin',
'permissions_policy' => 'geolocation=(), camera=(), microphone=(), payment=()',
'permitted_cross_domain_policies' => 'none', // X-Permitted-Cross-Domain-Policies (null/false to omit)
'vite' => [
'enabled' => true,
'dev_server' => 'http://127.0.0.1:5173',
],
];
'csp' => [
'unsafe_eval' => false, // removes 'unsafe-eval' from script-src
'unsafe_inline' => false, // removes 'unsafe-inline' from style-src
],
'csp' => [
'script_src' => ['https://cdn.jsdelivr.net'],
],
'csp' => [
'font_src' => ['https://fonts.bunny.net', 'https://fonts.gstatic.com'],
'style_src' => ['https://fonts.bunny.net'],
],
'csp' => [
'connect_src' => ['wss://ws.example.com'],
],
'csp' => [
'form_action' => ["'self'", 'https://portal.example.com'],
],
'csp' => [
'report_only' => true,
],
'csp' => [
'report_uri' => 'https://example.com/csp-report',
'report_to' => 'csp-endpoint',
],
'permitted_cross_domain_policies' => 'none', // default
use PhilipRehberger\SecurityHeaders\CspDirective;
$directive = CspDirective::ScriptSrc; // 'script-src'
$directive = CspDirective::from('style-src'); // CspDirective::StyleSrc
'x_xss_protection' => null,
bash
php artisan vendor:publish --tag=security-headers-config