Secure Headers for Laravel

Mike Francis
Jul 20, 2017 · 1 min read

Update: This article has been updated and published to my personal blog, please click the link below.

After playing with Aidan Wood’s amazing SecureHeaders library on /r/PHP in a project, I looked for a Laravel port of this package only to find one didn’t exist — so I made one!

https://github.com/mikefrancis/laravel-secureheaders

Aidan’s package hardens an application’s HTTP response headers, and the following tiny bit of code:

use Aidantwoods\SecureHeaders\SecureHeaders; // class from the aidantwoods/secureheaders package

$headers = new SecureHeaders();
$headers->apply(); // sends the hardened header set with the response

can take a standard Laravel install from grade F to grade B on SecurityHeaders.io, which is amazing.

With a little bit of configuration around Content Security Policy you can get a grade A. Here’s a brand new Laravel install where I have only required the package, added the service provider and registered the middleware:

http://laravel-secureheaders-demo.herokuapp.com

And here’s the grade A on SecurityHeaders.io:

https://securityheaders.io/?q=http://laravel-secureheaders-demo.herokuapp.com
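To make concrete what a header-hardening middleware does on a Laravel response, here is an added example that is not code from laravel-secureheaders or from Aidan’s SecureHeaders library. It is a plain Laravel middleware written against the Symfony HttpFoundation response API that Laravel responses expose, and it sets the headers SecurityHeaders.io grades on, including a Content Security Policy that uses a per-request nonce instead of 'unsafe-inline'. The class name HardenResponseHeaders and the csp_nonce request attribute are this example’s own choices.

```php
<?php
// Added example, not code from mikefrancis/laravel-secureheaders or
// aidantwoods/secureheaders. A Laravel middleware that sets the response
// headers SecurityHeaders.io grades on, using only the Symfony HttpFoundation
// API ($response->headers) that Laravel responses inherit.
// HardenResponseHeaders and the 'csp_nonce' attribute are names chosen here.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class HardenResponseHeaders
{
    public function handle(Request $request, Closure $next)
    {
        // Per-request nonce so script-src can allow only the inline scripts
        // we tag with it, rather than opening everything with 'unsafe-inline'.
        $nonce = base64_encode(random_bytes(16));
        $request->attributes->set('csp_nonce', $nonce);

        // Let the rest of the stack build the response, then harden it.
        $response = $next($request);

        $response->headers->set('Content-Security-Policy', $this->csp($nonce));
        $response->headers->set('X-Frame-Options', 'DENY');
        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
        $response->headers->set('X-XSS-Protection', '1; mode=block');

        // Browsers ignore HSTS received over plain HTTP, and sending it from an
        // http:// dev host only creates confusing cached state, so gate it on TLS.
        if ($request->isSecure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        return $response;
    }

    private function csp($nonce)
    {
        // Weak form to avoid: "script-src 'self' 'unsafe-inline'" lets any
        // injected <script> run and defeats the point of the policy.
        $directives = [
            "default-src 'self'",
            "script-src 'self' 'nonce-{$nonce}'",
            "style-src 'self'",
            "img-src 'self' data:",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'none'",   // same intent as X-Frame-Options: DENY
            "form-action 'self'",
        ];

        return implode('; ', $directives);
    }
}
```

Register the class in the global `$middleware` array of app/Http/Kernel.php so every response passes through it. In a Blade template, an inline script that must keep running is tagged with `<script nonce="{{ request()->attributes->get('csp_nonce') }}">`; anything inline without that nonce is blocked, which is exactly the behaviour to test for before shipping the policy. Checking the result is a matter of `curl -I` against the app and comparing the returned headers with the list above.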

I’m still working on an issue with Cookies and the Symfony Response which the Laravel Responses are based on, but I’m confident this should bump up that grade even more.

Please feel free to give it a try and let me know any feedback. Also bear in mind that this will unfortunately only be for Laravel 5.4+ projects due to the underlying version of symfony/http-foundation which the Laravel framework requires.


Written by Mike Francis, Software Engineer
