PHP Secure Headers

Overview

Secure Headers

Adds security-related headers to the HTTP response. The package includes Service Providers for easy Laravel integration.

Version

7.1.0

Supported Laravel Version

5.1 ~ 8.x

Installation

Non Laravel Project

Install using composer

composer require bepsvpt/secure-headers

Copy config file to your project directory

cp vendor/bepsvpt/secure-headers/config/secure-headers.php path/to/your/project/directory

Set up config file

Done!

Laravel Project

Install using composer

composer require bepsvpt/secure-headers

Add the service provider in config/app.php (Laravel version < 5.5)

Bepsvpt\SecureHeaders\SecureHeadersServiceProvider::class,

Publish config file

php artisan vendor:publish --provider="Bepsvpt\SecureHeaders\SecureHeadersServiceProvider"

Add global middleware in app/Http/Kernel.php

\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,

Set up config file config/secure-headers.php

Done!

Lumen Project

Install using composer

composer require bepsvpt/secure-headers

Add service provider in bootstrap/app.php

$app->register(Bepsvpt\SecureHeaders\SecureHeadersServiceProvider::class);

Copy config file to project directory

mkdir config
cp vendor/bepsvpt/secure-headers/config/secure-headers.php config/secure-headers.php

Add global middleware in bootstrap/app.php

$app->middleware([
   \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,
]);

Set up config file config/secure-headers.php

Done!

Usage (Non Laravel Project)

Do not forget to import the namespace.

<?php

use \Bepsvpt\SecureHeaders\SecureHeaders;

Instance

<?php

// instantiate the class with the fromFile static method
$secureHeaders = SecureHeaders::fromFile('/path/to/secure-headers.php');

// or instantiate the class directly
$config = require '/path/to/secure-headers.php';

$config['key'] = 'value'; // modify config value if needed

$secureHeaders = new SecureHeaders($config);

Send

// Get headers
$secureHeaders->headers();

// Send headers to HTTP response
$secureHeaders->send();

Document and Notice

Please see DOCS for details.

Changelog

Please see CHANGELOG for details.

Upgrade

Please see UPGRADE for details.

Contributors

Financial Contributors

Become a financial contributor and help us sustain our community. [Contribute]

Individuals

Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]

License

Secure Headers is licensed under The MIT License (MIT).

Comments
  • I need to use URL logos in the website footer

    Hi, I need to use URL logos in the website footer:

    https://logo.samandehi.ir/logo.aspx?id=125527&p=nbpdodrfujynujynodrfyndt https://trustseal.enamad.ir/logo.aspx?id=85695&p=6hcAP0z1rV586Pk9

    It is not showing. What am I doing wrong? Thanks

    opened by msadeqi 10
  • Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

    I am continually getting the error below:

    Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

    Below is my file

    <?php
    
    return [
        /*
         * Server
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
         *
         * Note: when server is empty string, it will not add to response header
         */
    
        'server' => 'Unknown',
        /*
         * X-Content-Type-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
         *
         * Available Value: 'nosniff'
         */
        'x-content-type-options' => 'nosniff',
        /*
         * X-Download-Options
         *
         * Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
         *
         * Available Value: 'noopen'
         */
        'x-download-options' => 'noopen',
        /*
         * X-Frame-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
         *
         * Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
         */
        'x-frame-options' => 'sameorigin',
        /*
         * X-Permitted-Cross-Domain-Policies
         *
         * Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
         *
         * Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
         */
        'x-permitted-cross-domain-policies' => 'none',
        /*
         * X-Power-By
         *
         * Note: it will not add to response header if the value is empty string.
         */
        'x-power-by' => '',
        /*
         * X-XSS-Protection
         *
         * Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
         *
         * Available Value: '1', '0', '1; mode=block'
         */
        'x-xss-protection' => '1; mode=block',
        /*
         * Referrer-Policy
         *
         * Reference: https://w3c.github.io/webappsec-referrer-policy
         *
         * Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
         *                  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
         */
        'referrer-policy' => 'no-referrer',
        /*
         * Clear-Site-Data
         *
         * Reference: https://w3c.github.io/webappsec-clear-site-data/
         */
        'clear-site-data' => [
            'enable' => false,
            'all' => false,
            'cache' => true,
            'cookies' => true,
            'storage' => true,
            'executionContexts' => true,
        ],
        /*
         * HTTP Strict Transport Security
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
         *
         * Please ensure your website had set up ssl/tls before enable hsts.
         */
        'hsts' => [
            'enable' => true,
            'max-age' => 15552000,
            'include-sub-domains' => true,
            'preload' => false,
        ],
        /*
         * Expect-CT
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
         */
        'expect-ct' => [
            'enable' => false,
            'max-age' => 2147483648,
            'enforce' => false,
            'report-uri' => null,
        ],
        /*
         * Public Key Pinning
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
         *
         * hpkp will be ignored if hashes is empty.
         */
        'hpkp' => [
            'hashes' => [
            // 'sha256-hash-value',
            ],
            'include-sub-domains' => false,
            'max-age' => 15552000,
            'report-only' => false,
            'report-uri' => null,
        ],
        /*
         * Feature Policy
         *
         * Reference: https://wicg.github.io/feature-policy/
         */
        'feature-policy' => [
            'enable' => true,
            /*
             * Each directive details can be found on:
             *
             * https://github.com/WICG/feature-policy/blob/master/features.md
             *
             * 'none', '*' and 'self allow' are mutually exclusive,
             * the priority is 'none' > '*' > 'self allow'.
             */
            'accelerometer' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'ambient-light-sensor' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'autoplay' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'camera' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'display-capture' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'document-domain' => [
                'none' => false,
                '*' => true,
                'self' => false,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'encrypted-media' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'fullscreen' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'geolocation' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'gyroscope' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'magnetometer' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'microphone' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'midi' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'payment' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'picture-in-picture' => [
                'none' => false,
                '*' => true,
                'self' => false,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'speaker' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'sync-xhr' => [
                'none' => false,
                '*' => true,
                'self' => false,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'usb' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'vr' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
        ],
        /*
         * Content Security Policy
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
         *
         * csp will be ignored if custom-csp is not null. To disable csp, set custom-csp to empty string.
         *
         * Note: custom-csp does not support report-only.
         */
        'custom-csp' => null,
        'csp' => [
            'report-only' => false,
            'report-uri' => null,
            'block-all-mixed-content' => false,
            'upgrade-insecure-requests' => true,
            /*
             * Please references script-src directive for available values, only `script-src` and `style-src`
             * supports `add-generated-nonce`.
             *
             * Note: when directive value is empty, it will use `none` for that directive.
             */
            'script-src' => [
                'allow' => [
                    'https://www.google.com/recaptcha/api.js',
                    'https://cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/jquery.validate.js',
                    'https://maps.googleapis.com/maps-api-v3/api/js/39/10/common.js',
                    'https://maps.googleapis.com/maps-api-v3/api/js/39/10/util.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.0/TweenMax.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/additional-methods.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/ScrollMagic.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/debug.addIndicators.min.js',
                    'https://connect.facebook.net/en_US/fbevents.js',
                ],
                'hashes' => [
                // 'sha256' => [
                //     'hash-value',
                // ],
                ],
                'nonces' => [
                // 'base64-encoded',
                ],
                'schemes' => [
                    'https:',
                ],
                'self' => true,
                // browsers ignore 'unsafe-inline' once a nonce or hash source is present,
                // and 'add-generated-nonce' below emits a nonce on every response
                'unsafe-inline' => true,
                'unsafe-eval' => true,
                'strict-dynamic' => false,
                'unsafe-hashed-attributes' => false,
                // https://www.chromestatus.com/feature/5792234276388864
                // 'report-sample' => true,
                'add-generated-nonce' => true,
            ],
            'style-src' => [
                'allow' => [
                    'https://fonts.googleapis.com/',
                    'https://fonts.googleapis.com/css?family=Biryani:200,300,400,500,600,700',
                    'https://cdnjs.cloudflare.com/ajax/libs/bootstrap-datetimepicker/4.15.35/css/bootstrap-datetimepicker.min.css',
                ],
                'hashes' => [
                // 'sha256' => [
                //     'hash-value',
                // ],
                ],
                'nonces' => [
                //
                ],
                'schemes' => [
                // 'https:',
                ],
                'self' => true,
                'unsafe-inline' => true,
                // https://www.chromestatus.com/feature/5792234276388864
                // 'report-sample' => true,
                'add-generated-nonce' => false,
            ],
            'img-src' => [
                'allow' => [
                //
                ],
                'schemes' => [
                    'data:',
                    'https:',
                ],
                'self' => true,
                'data' => true,
            ],
            'default-src' => [
                'none',
            ],
            'base-uri' => [
            //
            ],
            'connect-src' => [
                'allow' => [
                    'https://' . parse_url(env('APP_URL'), PHP_URL_HOST) . ':8443/socket.io/',
                    'wss://' . parse_url(env('APP_URL'), PHP_URL_HOST) . ':8443/socket.io/',
                ],
                'self' => true,
            ],
            'font-src' => [
                'schemes' => [
                    'data:',
                    'https:',
                ],
                'self' => true,
                'data' => true,
            ],
            'form-action' => [
                'self' => true,
            ],
            'frame-ancestors' => [
            //
            ],
            'frame-src' => [
                'schemes' => [
                    'https:',
                ],
                'self' => true,
            ],
            'media-src' => [
                'allow' => [
                   //
                ],
                'self' => true,
            ],
            'object-src' => [
            //
            ],
            'worker-src' => [
            //
            ],
            'plugin-types' => [
            // 'application/x-shockwave-flash',
            ],
            'require-sri-for' => '',
            'sandbox' => '',
        ],
    ];

    opened by urfusion 9
  • Rename Feature-Policy header to Permissions-Policy

    According to the following link, the Feature-Policy header is now renamed to the Permissions-Policy.

    https://www.w3.org/TR/permissions-policy-1/

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

    Since yesterday (July 20 2020) I have started to get errors in the Chrome console: "Error with Feature-Policy header: Unrecognized feature: 'display-capture'."

    pending 
    opened by yosifeldman 8
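The rename requested above is not only a change of header name: Permissions-Policy uses Structured Field syntax, so the value grammar changes too. As an added example (not the package's own code), this renders a feature entry in the shape of the package's secure-headers.php ('none', '*', 'self', 'allow') as both header values; the feature names and the allow URL below are constructed, and the 'src' flag is ignored because it applies to an iframe allow attribute rather than the header.

```javascript
// Added example: serialise the package's feature-policy config shape as the
// legacy Feature-Policy header and as the Permissions-Policy header.
// Precedence follows the comment in the config: 'none' > '*' > 'self' / 'allow'.

// Feature-Policy grammar: "<feature> <allowlist>" entries joined by ";", where the
// allowlist is 'none', * or a space-separated mix of 'self' and origins.
function featurePolicyValue(feature, cfg) {
  if (cfg.none) return `${feature} 'none'`;
  if (cfg['*']) return `${feature} *`;
  const list = [];
  if (cfg.self) list.push("'self'");
  for (const url of cfg.allow || []) list.push(new URL(url).origin);
  return list.length ? `${feature} ${list.join(' ')}` : `${feature} 'none'`;
}

// Permissions-Policy grammar (Structured Field dictionary): "<feature>=<allowlist>"
// entries joined by ",", where the allowlist is () for nobody, * for everyone, or an
// inner list of the bare token self and double-quoted origins.
function permissionsPolicyValue(feature, cfg) {
  if (cfg.none) return `${feature}=()`;
  if (cfg['*']) return `${feature}=*`;
  const list = [];
  if (cfg.self) list.push('self');
  for (const url of cfg.allow || []) list.push(`"${new URL(url).origin}"`);
  return `${feature}=(${list.join(' ')})`;
}

// Build both header values from a map of feature name -> config entry.
function renderPolicyHeaders(features) {
  const entries = Object.entries(features);
  return {
    'Feature-Policy': entries.map(([f, c]) => featurePolicyValue(f, c)).join('; '),
    'Permissions-Policy': entries.map(([f, c]) => permissionsPolicyValue(f, c)).join(', '),
  };
}

// Constructed entries in the config's shape (the maps URL is made up for the example).
const SAMPLE_FEATURES = {
  camera: { none: false, '*': false, self: true, src: false, allow: [] },
  geolocation: { none: false, '*': false, self: true, src: false, allow: ['https://maps.example.test/embed'] },
  'document-domain': { none: false, '*': true, self: false, src: false, allow: [] },
  usb: { none: true, '*': false, self: false, src: false, allow: [] },
};
// renderPolicyHeaders(SAMPLE_FEATURES)['Permissions-Policy']
//   -> 'camera=(self), geolocation=(self "https://maps.example.test"), document-domain=*, usb=()'
```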
  • The right way to config

    Hi, I'm new to Laravel and I have some questions about your package. I added \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class to $middlewarePriority in Kernel.php. Is that right? And what should I write in secure-headers.php? And how can I be sure that I configured it the right way? I'm using Laravel 5.8. Thanks in advance.

    opened by Masoud180 8
  • Get Error parsing header in Chrome Console

    Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.

    opened by Kokil 7
  • securityheaders.com still show Big red F

    Hello All,

    1. I have configured it as per the Laravel project instructions, and the security headers come in the first request of the website, but all other requests, like loading JS and CSS, do not have the configured security headers.

    2. Also, securityheaders.com still shows a big red F for my website (https://workversatile.com). Can anyone help me?

    opened by arshadanjum167 6
  • After setup for laravel, Content-Security-Policy header is not generated

    I see CSP is enabled in the config file secure-headers.php:

        /*
         * Content Security Policy
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
         */

        'csp' => [
            'enable' => true,

    But in the headers of my site the Content-Security-Policy header is not generated.

    Results from https://securityheaders.com

    Missing Headers

    Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

    How do I enable this header?

    opened by hyquoccuong 6
  • Laravel duplicates X-Content-Type-Options header

    I am using secure-headers in a Laravel project and get an A when scanning the site using securityheaders.io. I do get the following two warnings:

    X-Frame-Options: There was a duplicate X-Frame-Options header.
    X-Content-Type-Options: There was a duplicate X-Content-Type-Options header.

    Laravel is adding the duplicates from Illuminate\Http\Middleware\FrameGuard.php. Is there a way to prevent this occurring? Thanks

    opened by johnboc 6
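The two issues above describe the same condition from two angles: a scanner reporting a duplicate header, and Chrome rejecting `1; mode=block, 1; mode=block`, which is what two X-XSS-Protection headers look like after a server folds repeats into one comma-joined line. As an added example (not the package's code), this check parses a raw response header block and flags both forms; the response below is constructed, with the second X-Frame-Options value standing in for the one Laravel's FrameGuard adds.

```javascript
// Added example: detect security headers that were emitted twice, or already
// folded into a single comma-joined value, in a raw HTTP response header block.

// Security headers for which a second value is never meaningful; a repeat means
// two components (e.g. this package's middleware and Laravel's FrameGuard) both set it.
const SINGLE_VALUED = new Set([
  'x-frame-options', 'x-content-type-options', 'x-xss-protection',
  'x-permitted-cross-domain-policies', 'strict-transport-security',
]);

// Parse "Name: value" lines (status line ignored) into a Map of lowercase
// name -> array of values, preserving repeats in the order they were sent.
function parseHeaderBlock(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    if (/^HTTP\//.test(line)) continue;
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return headers;
}

// Flag every single-valued security header that was sent more than once, or that
// arrived as one comma-joined value (the trace of duplicates merged upstream).
function findDuplicateSecurityHeaders(raw) {
  const findings = [];
  for (const [name, values] of parseHeaderBlock(raw)) {
    if (!SINGLE_VALUED.has(name)) continue;
    if (values.length > 1) {
      findings.push({ header: name, reason: `sent ${values.length} times`, values });
    } else if (values[0].includes(',')) {
      findings.push({ header: name, reason: 'repeated values folded into one line', values });
    }
  }
  return findings;
}

// Constructed response: the first X-Frame-Options / X-Content-Type-Options values
// come from the package config, the second copies from a framework middleware, and
// X-XSS-Protection has already been folded by the server.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=UTF-8',
  'X-Frame-Options: sameorigin',
  'X-Frame-Options: SAMEORIGIN',
  'X-Content-Type-Options: nosniff',
  'X-Content-Type-Options: nosniff',
  'X-XSS-Protection: 1; mode=block, 1; mode=block',
  'Referrer-Policy: no-referrer',
].join('\r\n');
// findDuplicateSecurityHeaders(SAMPLE_RESPONSE) -> three findings:
//   x-frame-options (sent 2 times), x-content-type-options (sent 2 times),
//   x-xss-protection (repeated values folded into one line)
```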
  • img issues

    Hello and thanks for the great package. Maybe I'm doing this wrong but imgs I have whitelisted are not showing up.

    [Error] Refused to load http://7.t.imgbox.com/nzEqZ9bY.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://5.t.imgbox.com/fqffnT8Y.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://7.t.imgbox.com/nzEqZ9bY.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://5.t.imgbox.com/fqffnT8Y.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://6.t.imgbox.com/ecBXXVws.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://9.t.imgbox.com/pdHrSRyL.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://0.t.imgbox.com/uxFAAuEd.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://6.t.imgbox.com/4ZFjwTBc.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://3.t.imgbox.com/e0a7Dyf8.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://2.t.imgbox.com/43n4c49A.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://assets.fanart.tv/fanart/movies/269149/moviebackground/zootopia-56b0a4adcd559.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://assets.fanart.tv/fanart/movies/269149/movieposter/zootopia-573f3f2c6d6ee.jpg because it does not appear in the img-src directive of the Content Security Policy.

    This is my CSP config

    secure-headers.php
    <?php
    
    return [
    
        /*
         * X-Content-Type-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
         *
         * Available Value: 'nosniff'
         */
    
        'x-content-type-options' => 'nosniff',
    
        /*
         * X-Download-Options
         *
         * Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
         *
         * Available Value: 'noopen'
         */
    
        'x-download-options' => 'noopen',
    
        /*
         * X-Frame-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
         *
         * Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
         */
    
        'x-frame-options' => 'sameorigin',
    
        /*
         * X-Permitted-Cross-Domain-Policies
         *
         * Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
         *
         * Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
         */
    
        'x-permitted-cross-domain-policies' => 'none',
    
        /*
         * X-XSS-Protection
         *
         * Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
         *
         * Available Value: '1', '0', '1; mode=block'
         */
    
        'x-xss-protection' => '1; mode=block',
    
        /*
         * Referrer-Policy
         *
         * Reference: https://w3c.github.io/webappsec-referrer-policy
         *
         * Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
         *                  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
         */
    
        'referrer-policy' => 'strict-origin-when-cross-origin',
    
        /*
         * HTTP Strict Transport Security
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
         *
         * Please ensure your website had set up ssl/tls before enable hsts.
         */
    
        'hsts' => [
            'enable' => true,
    
            'max-age' => 15552000,
    
            'include-sub-domains' => false,
        ],
    
        /*
         * Public Key Pinning
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
         *
         * hpkp will be ignored if hashes is empty.
         */
    
        'hpkp' => [
            'hashes' => [
                // [
                //     'algo' => 'sha256',
                //     'hash' => 'hash-value',
                // ],
            ],
    
            'include-sub-domains' => false,
    
            'max-age' => 15552000,
    
            'report-only' => false,
    
            'report-uri' => null,
        ],
    
        /*
         * Content Security Policy
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
         *
         * csp will be ignored if custom-csp is not null. To disable csp, set custom-csp to empty string.
         *
         * Note: custom-csp does not support report-only.
         */
    
        'custom-csp' => null,
    
        'csp' => [
            'report-only' => false,
    
            'report-uri' => null,
    
            'upgrade-insecure-requests' => false,
    
            'base-uri' => [
                //
            ],
    
            'default-src' => [
                'self' => true,
            ],
    
            'child-src' => [
                //
            ],
    
            'script-src' => [
                'allow' => [
                    'cdnjs.cloudflare.com',
                    'cdn.bootcss.com',
                    'cdn.datatables.net',
                    'ajax.googleapis.com',
                    'maxcdn.bootstrapcdn.com',
                ],
    
                'hashes' => [
                    // ['sha256' => 'hash-value'],
                ],
    
                'nonces' => [
                    //
                ],
    
                'self' => true,
    
                'unsafe-inline' => true,
    
                'unsafe-eval' => false,
            ],
    
            'style-src' => [
                'allow' => [
                    'cdn.bootcss.com',
                    'fonts.googleapis.com',
                    'cdn.rawgit.com',
                    'maxcdn.bootstrapcdn.com',
                    'cdnjs.cloudflare.com',
                    'ajax.googleapis.com',
                ],
    
                'self' => true,
    
                'unsafe-inline' => true,
            ],
    
            'img-src' => [
                'allow' => [
                    '*.imgur.com',
                    '*.imgbox.com',
                    'assets.fanart.tv',
                ],
    
                'types' => [
                    'gif',
                    'png',
                ],
    
                'self' => true,
    
                'data' => true,
            ],
    
            /*
             * The following directives are all use 'allow' and 'self' flag.
             *
             * Note: default value of 'self' flag is false.
             */
    
            'font-src' => [
                'allow' => [
                  'fonts.googleapis.com',
                  'fonts.gstatic.com',
                  'cdn.rawgit.com',
                  'maxcdn.bootstrapcdn.com',
                ],
                'self' => true,
            ],
    
            'connect-src' => [
                'allow' => [
                  'www.omdbapi.com',
                ],
                'self' => true,
            ],
    
            'form-action' => [
                'self' => true,
            ],
    
            'frame-ancestors' => [
                'self' => true,
            ],
    
            'media-src' => [
                'self' => true,
            ],
    
            'object-src' => [
                'self' => true,
            ],
    
            /*
             * plugin-types only support 'allow'.
             */
    
            'plugin-types' => [
                //
            ],
        ],
    
    ];
    
    opened by HDVinnie 6
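Two console errors quoted in this thread come from the same CSP matching rules: the inline script blocked by script-src in the issue titled "Content Security Policy: The page's settings blocked the loading of a resource at inline", and the http:// images refused by img-src in "img issues". As an added example (not code from the secure-headers package), this models just the rules those two cases need; the header values, page URL and nonce are constructed, and the function names are this example's own.

```javascript
// Added example: a minimal model of two CSP Level 3 rules, nonce-vs-'unsafe-inline'
// for script-src and scheme inheritance for host-sources in img-src.

// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

// Fetch directives fall back to default-src when they are absent.
function sourcesFor(policy, directive) {
  return policy.has(directive) ? policy.get(directive) : (policy.get('default-src') || []);
}

const DEFAULT_PORT = { http: '80', https: '443', ws: '80', wss: '443' };

// Match a scheme-source ("https:", "data:") or host-source ("*.imgbox.com",
// "https://cdn.example.com/libs/") against a URL. A host-source without a scheme
// inherits the page's scheme, and an http source is also satisfied by https but
// never the reverse, so "*.imgbox.com" on an https page rejects http://7.t.imgbox.com.
function sourceMatches(expr, url, pageScheme) {
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return urlScheme === expr.slice(0, -1).toLowerCase();
  let exprScheme = pageScheme;
  let rest = expr;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) { exprScheme = m[1].toLowerCase(); rest = m[2]; }
  if (urlScheme !== exprScheme && !(exprScheme === 'http' && urlScheme === 'https')) return false;
  const slash = rest.indexOf('/');
  const [host, port] = (slash === -1 ? rest : rest.slice(0, slash)).toLowerCase().split(':');
  const path = slash === -1 ? '' : rest.slice(slash);
  const urlHost = url.hostname.toLowerCase();
  const hostOk = host.startsWith('*.') ? urlHost.endsWith(host.slice(1)) : (host === '*' || host === urlHost);
  if (!hostOk) return false;
  if (port && port !== '*' && port !== (url.port || DEFAULT_PORT[urlScheme] || '')) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// An inline <script> is allowed by 'unsafe-inline' only while the directive carries
// no nonce-source or hash-source. Once a nonce is emitted (the package's
// 'add-generated-nonce' option), the browser ignores 'unsafe-inline' and every
// inline script must carry that exact nonce.
function inlineScriptAllowed(policy, scriptNonce) {
  const sources = sourcesFor(policy, 'script-src');
  const nonces = sources.filter(s => s.startsWith("'nonce-")).map(s => s.slice(7, -1));
  const hasHash = sources.some(s => /^'sha(256|384|512)-/.test(s));
  if (nonces.length > 0 || hasHash) return scriptNonce !== undefined && nonces.includes(scriptNonce);
  return sources.includes("'unsafe-inline'");
}

// An <img> load is allowed when 'self' matches the page origin or any scheme/host
// source matches the image URL; an empty or 'none' list blocks everything.
function imageAllowed(policy, imageUrl, pageUrl) {
  const sources = sourcesFor(policy, 'img-src');
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const url = new URL(imageUrl);
  const page = new URL(pageUrl);
  if (sources.includes("'self'") && url.origin === page.origin) return true;
  const pageScheme = page.protocol.slice(0, -1).toLowerCase();
  return sources.some(s => !s.startsWith("'") && sourceMatches(s, url, pageScheme));
}

// Inline-script issue: the posted config sets both 'unsafe-inline' => true and
// 'add-generated-nonce' => true, so the emitted script-src resembles NONCE_POLICY.
const NONCE_POLICY = parseCsp(
  "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: 'nonce-c0nstructedN0nce'");
const PLAIN_POLICY = parseCsp("default-src 'none'; script-src 'self' 'unsafe-inline'");
// inlineScriptAllowed(NONCE_POLICY, undefined)          -> false  (the reported error)
// inlineScriptAllowed(NONCE_POLICY, 'c0nstructedN0nce') -> true
// inlineScriptAllowed(PLAIN_POLICY, undefined)          -> true

// "img issues": the posted config enables hsts, so the page is served over https,
// while every refused image URL is http:// and the img-src hosts carry no scheme.
const IMG_POLICY = parseCsp("default-src 'self'; img-src 'self' *.imgur.com *.imgbox.com assets.fanart.tv data:");
const HTTPS_PAGE = 'https://app.example.test/movies';  // constructed
// imageAllowed(IMG_POLICY, 'http://7.t.imgbox.com/nzEqZ9bY.jpg', HTTPS_PAGE)  -> false
// imageAllowed(IMG_POLICY, 'https://7.t.imgbox.com/nzEqZ9bY.jpg', HTTPS_PAGE) -> true
```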
  • Add Nonce on Javascript Navigation

    opened by PanjiNamjaElf 5
  • Image data: Question

    I'm getting a lot of the following.

    [Screenshot: Screen-Shot-2019-10-30-at-3-17-43-PM.png]

    My Config is so:

            'img-src' => [
                'schemes' => [
                    'data:',
                    'https:',
                ],
                'self' => true,
                'data' => true,
            ],

    How can I allow all these?

    opened by HDVinnie 5
  • Support for Reporting API and NEL header

    You already support the report-to attribute in CSP. However, this attribute accepts a key from the Report-To header, as shown in the examples on developer.mozilla.org.

    What do you think about adding the possibility to set the Report-To standalone header as well? It can report more issues with your site, see https://docs.report-uri.com/setup/reporting-api/.

    And maybe add the NEL header too? It is not really a security header, but it can help with debugging bad HTTPS certificates etc.: https://report-uri.com/products/network_error_logging

    What do you think about those headers? At least the Report-To header could be useful; otherwise, the report-to attribute in CSP is useless.

    opened by arxeiss 2