PHP Secure Headers

Overview

Secure Headers


Adds security-related headers to the HTTP response. The package includes service providers for easy Laravel integration.

Version

7.1.0

Supported Laravel Version

5.1 ~ 8.x

Installation

Non Laravel Project

Install using Composer

composer require bepsvpt/secure-headers

Copy the config file to your project directory

cp vendor/bepsvpt/secure-headers/config/secure-headers.php path/to/your/project/directory

Set up config file

Done!

Laravel Project

Install using Composer

composer require bepsvpt/secure-headers

Add the service provider in config/app.php (Laravel version < 5.5)

Bepsvpt\SecureHeaders\SecureHeadersServiceProvider::class,

Publish config file

php artisan vendor:publish --provider="Bepsvpt\SecureHeaders\SecureHeadersServiceProvider"

Add global middleware in app/Http/Kernel.php

\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,

Set up config file config/secure-headers.php

Done!

Lumen Project

Install using Composer

composer require bepsvpt/secure-headers

Add service provider in bootstrap/app.php

$app->register(Bepsvpt\SecureHeaders\SecureHeadersServiceProvider::class);

Copy the config file to the project directory

mkdir config
cp vendor/bepsvpt/secure-headers/config/secure-headers.php config/secure-headers.php

Add global middleware in bootstrap/app.php

$app->middleware([
   \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,
]);

Set up config file config/secure-headers.php

Done!

Usage (Non-Laravel Project)

Do not forget to import the namespace.

<?php

use \Bepsvpt\SecureHeaders\SecureHeaders;

Instance

<?php

// instantiate the class via the fromFile static method
$secureHeaders = SecureHeaders::fromFile('/path/to/secure-headers.php');

// or instantiate the class directly
$config = require '/path/to/secure-headers.php';

$config['key'] = 'value'; // modify config values if needed

$secureHeaders = new SecureHeaders($config);

Send

// Get headers
$secureHeaders->headers();

// Send headers to HTTP response
$secureHeaders->send();
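The steps above put together as one complete front-controller bootstrap. This is an added example, not code from the package README: the Composer autoloader and config paths, the TLS detection and the CSP_ENFORCE / SECURE_HEADERS_DEBUG environment variables are assumptions about the deployment, and headers() is assumed to return an associative array of header name to value. The config keys it touches (server, x-power-by, hsts, csp) are the ones shown in the config files quoted further down this page.

```php
<?php
// Added example: bootstrapping Secure Headers in a non-Laravel front controller.
// Not part of the package. Paths, the TLS check and the env variables are deployment assumptions.

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumption: Composer autoloader location

use Bepsvpt\SecureHeaders\SecureHeaders;

// The config file copied into the project during installation (assumed location).
$config = require __DIR__ . '/config/secure-headers.php';

// Suppress Server and X-Power-By entirely rather than advertising a fake value;
// the config comments state that an empty string drops the header.
$config['server'] = '';
$config['x-power-by'] = '';

// Send HSTS only when this request really arrived over TLS. The forwarded-proto
// header is only trustworthy behind a reverse proxy you control.
$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https');
$config['hsts']['enable'] = $isHttps;

// Stage CSP: report violations until CSP_ENFORCE=1 is set in the environment,
// so a mistake in the allow-list surfaces in reports instead of a broken site.
$config['csp']['report-only'] = getenv('CSP_ENFORCE') !== '1';
$config['csp']['report-uri'] = 'https://csp-reports.example/collect'; // placeholder endpoint

$secureHeaders = new SecureHeaders($config);

// headers() is assumed to return ['Header-Name' => 'value']; log the outgoing set
// when debugging so the effective policy can be reviewed without a browser.
if (getenv('SECURE_HEADERS_DEBUG') === '1') {
    foreach ($secureHeaders->headers() as $name => $value) {
        error_log(sprintf('secure-headers: %s: %s', $name, $value));
    }
}

// Headers must go out before any body output.
$secureHeaders->send();

echo '<!doctype html><title>ok</title>';
```

Keeping the runtime overrides in the front controller rather than editing the shipped config file means the same config works on a plain-HTTP development host and a TLS production host, and CSP can be switched from report-only to enforced with a single environment variable once the reports are clean.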

Documentation and Notice

Please see DOCS for details.

Changelog

Please see CHANGELOG for details.

Upgrade

Please see UPGRADE for details.

Contributors

Financial Contributors

Become a financial contributor and help us sustain our community. [Contribute]

Individuals

Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]

License

Secure Headers is licensed under The MIT License (MIT).

Comments
  • I need to use URL logos in the website footer

    Hi, I need to use URL logos in the website footer:

    https://logo.samandehi.ir/logo.aspx?id=125527&p=nbpdodrfujynujynodrfyndt https://trustseal.enamad.ir/logo.aspx?id=85695&p=6hcAP0z1rV586Pk9

    They do not show. What am I doing wrong? Thanks

    opened by msadeqi 10
  • Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

    I am continually getting the error below

    Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

    Below is my file

    <?php
    
    return [
        /*
         * Server
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
         *
         * Note: when server is empty string, it will not add to response header
         */
    
        'server' => 'Unknown',
        /*
         * X-Content-Type-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
         *
         * Available Value: 'nosniff'
         */
        'x-content-type-options' => 'nosniff',
        /*
         * X-Download-Options
         *
         * Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
         *
         * Available Value: 'noopen'
         */
        'x-download-options' => 'noopen',
        /*
         * X-Frame-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
         *
         * Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
         */
        'x-frame-options' => 'sameorigin',
        /*
         * X-Permitted-Cross-Domain-Policies
         *
         * Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
         *
         * Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
         */
        'x-permitted-cross-domain-policies' => 'none',
        /*
         * X-Power-By
         *
         * Note: it will not add to response header if the value is empty string.
         */
        'x-power-by' => '',
        /*
         * X-XSS-Protection
         *
         * Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
         *
         * Available Value: '1', '0', '1; mode=block'
         */
        'x-xss-protection' => '1; mode=block',
        /*
         * Referrer-Policy
         *
         * Reference: https://w3c.github.io/webappsec-referrer-policy
         *
         * Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
         *                  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
         */
        'referrer-policy' => 'no-referrer',
        /*
         * Clear-Site-Data
         *
         * Reference: https://w3c.github.io/webappsec-clear-site-data/
         */
        'clear-site-data' => [
            'enable' => false,
            'all' => false,
            'cache' => true,
            'cookies' => true,
            'storage' => true,
            'executionContexts' => true,
        ],
        /*
         * HTTP Strict Transport Security
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
         *
         * Please ensure your website had set up ssl/tls before enable hsts.
         */
        'hsts' => [
            'enable' => true,
            'max-age' => 15552000,
            'include-sub-domains' => true,
            'preload' => false,
        ],
        /*
         * Expect-CT
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
         */
        'expect-ct' => [
            'enable' => false,
            'max-age' => 2147483648,
            'enforce' => false,
            'report-uri' => null,
        ],
        /*
         * Public Key Pinning
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
         *
         * hpkp will be ignored if hashes is empty.
         */
        'hpkp' => [
            'hashes' => [
            // 'sha256-hash-value',
            ],
            'include-sub-domains' => false,
            'max-age' => 15552000,
            'report-only' => false,
            'report-uri' => null,
        ],
        /*
         * Feature Policy
         *
         * Reference: https://wicg.github.io/feature-policy/
         */
        'feature-policy' => [
            'enable' => true,
            /*
             * Each directive details can be found on:
             *
             * https://github.com/WICG/feature-policy/blob/master/features.md
             *
             * 'none', '*' and 'self allow' are mutually exclusive,
             * the priority is 'none' > '*' > 'self allow'.
             */
            'accelerometer' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'ambient-light-sensor' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'autoplay' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'camera' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'display-capture' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'document-domain' => [
                'none' => false,
                '*' => true,
                'self' => false,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'encrypted-media' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'fullscreen' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'geolocation' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'gyroscope' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'magnetometer' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'microphone' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'midi' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'payment' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'picture-in-picture' => [
                'none' => false,
                '*' => true,
                'self' => false,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'speaker' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'sync-xhr' => [
                'none' => false,
                '*' => true,
                'self' => false,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'usb' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'vr' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
        ],
        /*
         * Content Security Policy
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
         *
         * csp will be ignored if custom-csp is not null. To disable csp, set custom-csp to empty string.
         *
         * Note: custom-csp does not support report-only.
         */
        'custom-csp' => null,
        'csp' => [
            'report-only' => false,
            'report-uri' => null,
            'block-all-mixed-content' => false,
            'upgrade-insecure-requests' => true,
            /*
             * Please references script-src directive for available values, only `script-src` and `style-src`
             * supports `add-generated-nonce`.
             *
             * Note: when directive value is empty, it will use `none` for that directive.
             */
            'script-src' => [
                'allow' => [
                    'https://www.google.com/recaptcha/api.js',
                    'https://cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/jquery.validate.js',
                    'https://maps.googleapis.com/maps-api-v3/api/js/39/10/common.js',
                    'https://maps.googleapis.com/maps-api-v3/api/js/39/10/util.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.0/TweenMax.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/additional-methods.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/ScrollMagic.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/debug.addIndicators.min.js',
                    'https://connect.facebook.net/en_US/fbevents.js',
                ],
                'hashes' => [
                // 'sha256' => [
                //     'hash-value',
                // ],
                ],
                'nonces' => [
                // 'base64-encoded',
                ],
                'schemes' => [
                    'https:',
                ],
                'self' => true,
                'unsafe-inline' => true,
                'unsafe-eval' => true,
                'strict-dynamic' => false,
                'unsafe-hashed-attributes' => false,
                // https://www.chromestatus.com/feature/5792234276388864
                // 'report-sample' => true,
                'add-generated-nonce' => true,
            ],
            'style-src' => [
                'allow' => [
                    'https://fonts.googleapis.com/',
                    'https://fonts.googleapis.com/css?family=Biryani:200,300,400,500,600,700',
                    'https://cdnjs.cloudflare.com/ajax/libs/bootstrap-datetimepicker/4.15.35/css/bootstrap-datetimepicker.min.css',
                ],
                'hashes' => [
                // 'sha256' => [
                //     'hash-value',
                // ],
                ],
                'nonces' => [
                //
                ],
                'schemes' => [
                // 'https:',
                ],
                'self' => true,
                'unsafe-inline' => true,
                // https://www.chromestatus.com/feature/5792234276388864
                // 'report-sample' => true,
                'add-generated-nonce' => false,
            ],
            'img-src' => [
                'allow' => [
                //
                ],
                'schemes' => [
                    'data:',
                    'https:',
                ],
                'self' => true,
                'data' => true,
            ],
            'default-src' => [
                'none',
            ],
            'base-uri' => [
            //
            ],
            'connect-src' => [
                'allow' => [
                    'https://' . parse_url(env('APP_URL'), PHP_URL_HOST) . ':8443/socket.io/',
                    'wss://' . parse_url(env('APP_URL'), PHP_URL_HOST) . ':8443/socket.io/',
                ],
                'self' => true,
            ],
            'font-src' => [
                'schemes' => [
                    'data:',
                    'https:',
                ],
                'self' => true,
                'data' => true,
            ],
            'form-action' => [
                'self' => true,
            ],
            'frame-ancestors' => [
            //
            ],
            'frame-src' => [
                'schemes' => [
                    'https:',
                ],
                'self' => true,
            ],
            'media-src' => [
                'allow' => [
                   //
                ],
                'self' => true,
            ],
            'object-src' => [
            //
            ],
            'worker-src' => [
            //
            ],
            'plugin-types' => [
            // 'application/x-shockwave-flash',
            ],
            'require-sri-for' => '',
            'sandbox' => '',
        ],
    ];
    
    
    opened by urfusion 9
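The console message quoted in this issue is what a browser prints when an inline script carries no nonce while the policy does. As an added illustration that is not part of the issue or the package, the following standalone function lints the csp section of a secure-headers config array of the shape posted above (it reads only keys visible in that file: unsafe-inline, unsafe-eval, add-generated-nonce, nonces, hashes and schemes) and reports the combinations that produce exactly this symptom or quietly weaken the policy. The sample array it runs on is constructed.

```php
<?php
// Added example: a standalone lint over the `csp` section of a secure-headers config
// array (the array shape quoted in the issue above). Not part of the package.

declare(strict_types=1);

/**
 * Return human-readable findings for the script-src and style-src directives.
 *
 * @param array $csp the value of $config['csp']
 * @return string[]
 */
function lintCspConfig(array $csp): array
{
    $findings = [];

    foreach (['script-src', 'style-src'] as $directive) {
        $d = $csp[$directive] ?? [];
        if (!is_array($d)) {
            continue;
        }

        $hasNonce     = !empty($d['add-generated-nonce']) || !empty($d['nonces']);
        $hasHash      = !empty($d['hashes']);
        $unsafeInline = !empty($d['unsafe-inline']);

        // CSP Level 2 and later: once a nonce or hash source is present, browsers
        // ignore 'unsafe-inline'. Inline scripts/styles without a matching nonce
        // are then blocked, which is the console error reported in the issue.
        if ($unsafeInline && ($hasNonce || $hasHash)) {
            $findings[] = sprintf(
                "%s: 'unsafe-inline' is ignored because a nonce or hash source is also present; "
                . "inline content without the nonce attribute will be blocked.",
                $directive
            );
        }

        if ($directive === 'script-src' && !empty($d['unsafe-eval'])) {
            $findings[] = "script-src: 'unsafe-eval' permits eval() and new Function(); "
                . "remove it unless a dependency truly needs it.";
        }

        // A bare scheme source such as https: allows every host on that scheme,
        // so the host allow-list next to it no longer restricts anything.
        foreach ($d['schemes'] ?? [] as $scheme) {
            if (in_array($scheme, ['https:', 'http:'], true)) {
                $findings[] = sprintf(
                    "%s: scheme source %s allows any %s host and makes the 'allow' list ineffective.",
                    $directive,
                    $scheme,
                    rtrim($scheme, ':')
                );
            }
        }
    }

    return $findings;
}

// Constructed sample mirroring the structure of the config in the issue above.
$sampleCsp = [
    'script-src' => [
        'allow'               => ['https://www.google.com/recaptcha/api.js'],
        'schemes'             => ['https:'],
        'self'                => true,
        'unsafe-inline'       => true,
        'unsafe-eval'         => true,
        'add-generated-nonce' => true,
    ],
    'style-src' => [
        'self'                => true,
        'unsafe-inline'       => true,
        'add-generated-nonce' => false,
    ],
];

foreach (lintCspConfig($sampleCsp) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the constructed sample the lint reports three findings, all for script-src; style-src produces none because it has 'unsafe-inline' without a nonce, which is why inline styles keep working while inline scripts are blocked. The defensible fix is to keep the nonce and drop 'unsafe-inline', adding the generated nonce attribute to every inline script tag.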
  • Rename Feature-Policy header to Permissions-Policy

    According to the following links, the Feature-Policy header has been renamed to Permissions-Policy.

    https://www.w3.org/TR/permissions-policy-1/

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

    Since yesterday (July 20 2020) I have started to get errors in the Chrome console: "Error with Feature-Policy header: Unrecognized feature: 'display-capture'."

    pending 
    opened by yosifeldman 8
  • The right way to config

    Hi, I'm new to Laravel and I have some questions about your package. I added \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class to $middlewarePriority in Kernel.php. Is that right? And what should I write in secure-headers.php? And how can I be sure that I configured it the right way? I'm using Laravel 5.8. Thanks in advance.

    opened by Masoud180 8
  • Get Error parsing header in Chrome Console

    Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.

    opened by Kokil 7
  • securityheaders.com still shows a big red F

    Hello All,

    1. I have configured it as per the Laravel project instructions, and the security headers come in the first request of the website, but all other requests, like loading JS and CSS, do not have the configured security headers.

    2. Also, securityheaders.com still shows a big red F for my website (https://workversatile.com). Can anyone help me?

    opened by arshadanjum167 6
  • After setup for laravel, Content-Security-Policy header is not generated

    I see CSP is enabled in the config file secure-headers.php:

        /*
         * Content Security Policy
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
         */
    
        'csp' => [
            'enable' => true,
    

    But in the headers of my site the Content-Security-Policy header is not generated.

    Results from https://securityheaders.com

    Missing Headers

    Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

    How do I enable this header?

    opened by hyquoccuong 6
  • Laravel duplicates X-Content-Type-Options header

    I am using secure-headers in a Laravel project and get an A when scanning the site using securityheaders.io. I do get the following two warnings:

    X-Frame-Options There was a duplicate X-Frame-Options header. X-Content-Type-Options There was a duplicate X-Content-Type-Options header.

    Laravel is adding the duplicates from Illuminate\Http\Middleware\FrameGuard.php. Is there a way to prevent this occurring? Thanks

    opened by johnboc 6
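This issue and the X-XSS-Protection parse error reported earlier in this list show the same shape of problem: a second layer emits a header the middleware already set, and the client sees the two values combined with a comma ("1; mode=block, 1; mode=block" is not a valid X-XSS-Protection value, hence Chrome's parse error). As an added example, not part of the package or of either issue, here is a standalone check that parses a raw response header block and reports every header name that occurs more than once together with the merged value a client would see. The response it runs on is constructed. Once the check names a duplicate, the fix is to remove one of the two sources; the post above identifies Laravel's FrameGuard middleware as the second source for X-Frame-Options.

```php
<?php
// Added example: detect duplicated response headers, the symptom behind the
// securityheaders.io warnings and Chrome's "Error parsing header X-XSS-Protection".
// Not part of the package; the response block below is constructed.

declare(strict_types=1);

/**
 * Parse a raw header block into name => list of values (names lower-cased,
 * status line and blank lines skipped).
 *
 * @return array<string, string[]>
 */
function parseHeaderBlock(string $raw): array
{
    $headers = [];
    foreach (preg_split("/\r?\n/", trim($raw)) as $line) {
        if ($line === '' || strpos($line, ':') === false) {
            continue; // the status line has no colon and is skipped here
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return $headers;
}

/**
 * Return the header names that appear more than once, each mapped to the
 * comma-joined value a client would see after combining them. Set-Cookie is
 * the one response header that is legitimately repeated, so it is skipped.
 *
 * @return array<string, string>
 */
function findDuplicateHeaders(string $raw): array
{
    $dupes = [];
    foreach (parseHeaderBlock($raw) as $name => $values) {
        if ($name === 'set-cookie' || count($values) < 2) {
            continue;
        }
        $dupes[$name] = implode(', ', $values);
    }
    return $dupes;
}

// Constructed sample: the middleware and a framework component both set the same headers.
$response = "HTTP/1.1 200 OK\r\n"
    . "Content-Type: text/html; charset=UTF-8\r\n"
    . "X-Frame-Options: SAMEORIGIN\r\n"
    . "X-Content-Type-Options: nosniff\r\n"
    . "X-XSS-Protection: 1; mode=block\r\n"
    . "Set-Cookie: a=1; Path=/\r\n"
    . "Set-Cookie: b=2; Path=/\r\n"
    . "X-Frame-Options: sameorigin\r\n"
    . "X-Content-Type-Options: nosniff\r\n"
    . "X-XSS-Protection: 1; mode=block\r\n";

foreach (findDuplicateHeaders($response) as $name => $merged) {
    // x-xss-protection comes out as "1; mode=block, 1; mode=block", the value Chrome rejects
    printf("duplicate %s -> %s\n", $name, $merged);
}
```

The same function can be fed the output of a curl -sI run against a staging host, which makes it a quick pre-deployment gate: any name other than Set-Cookie appearing twice means two layers are configured for the same header and one of them should be disabled.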
  • img issues

    Hello and thanks for the great package. Maybe I'm doing this wrong but imgs I have whitelisted are not showing up.

    [Error] Refused to load http://7.t.imgbox.com/nzEqZ9bY.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://5.t.imgbox.com/fqffnT8Y.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://7.t.imgbox.com/nzEqZ9bY.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://5.t.imgbox.com/fqffnT8Y.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://6.t.imgbox.com/ecBXXVws.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://9.t.imgbox.com/pdHrSRyL.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://0.t.imgbox.com/uxFAAuEd.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://6.t.imgbox.com/4ZFjwTBc.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://3.t.imgbox.com/e0a7Dyf8.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://2.t.imgbox.com/43n4c49A.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://assets.fanart.tv/fanart/movies/269149/moviebackground/zootopia-56b0a4adcd559.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://assets.fanart.tv/fanart/movies/269149/movieposter/zootopia-573f3f2c6d6ee.jpg because it does not appear in the img-src directive of the Content Security Policy.
    

    This is my CSP config

    secure-headers.php
    <?php
    
    return [
    
        /*
         * X-Content-Type-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
         *
         * Available Value: 'nosniff'
         */
    
        'x-content-type-options' => 'nosniff',
    
        /*
         * X-Download-Options
         *
         * Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
         *
         * Available Value: 'noopen'
         */
    
        'x-download-options' => 'noopen',
    
        /*
         * X-Frame-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
         *
         * Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
         */
    
        'x-frame-options' => 'sameorigin',
    
        /*
         * X-Permitted-Cross-Domain-Policies
         *
         * Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
         *
         * Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
         */
    
        'x-permitted-cross-domain-policies' => 'none',
    
        /*
         * X-XSS-Protection
         *
         * Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
         *
         * Available Value: '1', '0', '1; mode=block'
         */
    
        'x-xss-protection' => '1; mode=block',
    
        /*
         * Referrer-Policy
         *
         * Reference: https://w3c.github.io/webappsec-referrer-policy
         *
         * Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
         *                  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
         */
    
        'referrer-policy' => 'strict-origin-when-cross-origin',
    
        /*
         * HTTP Strict Transport Security
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
         *
         * Please ensure your website had set up ssl/tls before enable hsts.
         */
    
        'hsts' => [
            'enable' => true,
    
            'max-age' => 15552000,
    
            'include-sub-domains' => false,
        ],
    
        /*
         * Public Key Pinning
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
         *
         * hpkp will be ignored if hashes is empty.
         */
    
        'hpkp' => [
            'hashes' => [
                // [
                //     'algo' => 'sha256',
                //     'hash' => 'hash-value',
                // ],
            ],
    
            'include-sub-domains' => false,
    
            'max-age' => 15552000,
    
            'report-only' => false,
    
            'report-uri' => null,
        ],
    
        /*
         * Content Security Policy
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
         *
         * csp will be ignored if custom-csp is not null. To disable csp, set custom-csp to empty string.
         *
         * Note: custom-csp does not support report-only.
         */
    
        'custom-csp' => null,
    
        'csp' => [
            'report-only' => false,
    
            'report-uri' => null,
    
            'upgrade-insecure-requests' => false,
    
            'base-uri' => [
                //
            ],
    
            'default-src' => [
                'self' => true,
            ],
    
            'child-src' => [
                //
            ],
    
            'script-src' => [
                'allow' => [
                    'cdnjs.cloudflare.com',
                    'cdn.bootcss.com',
                    'cdn.datatables.net',
                    'ajax.googleapis.com',
                    'maxcdn.bootstrapcdn.com',
                ],
    
                'hashes' => [
                    // ['sha256' => 'hash-value'],
                ],
    
                'nonces' => [
                    //
                ],
    
                'self' => true,
    
                'unsafe-inline' => true,
    
                'unsafe-eval' => false,
            ],
    
            'style-src' => [
                'allow' => [
                    'cdn.bootcss.com',
                    'fonts.googleapis.com',
                    'cdn.rawgit.com',
                    'maxcdn.bootstrapcdn.com',
                    'cdnjs.cloudflare.com',
                    'ajax.googleapis.com',
                ],
    
                'self' => true,
    
                'unsafe-inline' => true,
            ],
    
            'img-src' => [
                'allow' => [
                    '*.imgur.com',
                    '*.imgbox.com',
                    'assets.fanart.tv',
                ],
    
                'types' => [
                    'gif',
                    'png',
                ],
    
                'self' => true,
    
                'data' => true,
            ],
    
            /*
             * The following directives are all use 'allow' and 'self' flag.
             *
             * Note: default value of 'self' flag is false.
             */
    
            'font-src' => [
                'allow' => [
                  'fonts.googleapis.com',
                  'fonts.gstatic.com',
                  'cdn.rawgit.com',
                  'maxcdn.bootstrapcdn.com',
                ],
                'self' => true,
            ],
    
            'connect-src' => [
                'allow' => [
                  'www.omdbapi.com',
                ],
                'self' => true,
            ],
    
            'form-action' => [
                'self' => true,
            ],
    
            'frame-ancestors' => [
                'self' => true,
            ],
    
            'media-src' => [
                'self' => true,
            ],
    
            'object-src' => [
                'self' => true,
            ],
    
            /*
             * plugin-types only support 'allow'.
             */
    
            'plugin-types' => [
                //
            ],
        ],
    
    ];
    
    opened by HDVinnie 6
  • Add Nonce on Javascript Navigation

    opened by PanjiNamjaElf 5
  • Image data: Question

    I'm getting a lot of the following.

    Screen-Shot-2019-10-30-at-3-17-43-PM.png

    My config is as follows:

            'img-src' => [
                'schemes' => [
                    'data:',
                    'https:',
                ],
                'self' => true,
                'data' => true,
            ],
    

    How can I allow all these?

    opened by HDVinnie 5
  • Support for Reporting API and NEL header

    You already support the report-to attribute in CSP. However, this attribute accepts a key from the Report-To header, as shown in the examples on this site: developer.mozilla.org.

    What do you think about adding the possibility to set the Report-To standalone header as well? It can report more issues with your site, see https://docs.report-uri.com/setup/reporting-api/.

    And maybe add the NEL header too? This is not really a security header, but it can help with debugging bad HTTPS certificates etc. https://report-uri.com/products/network_error_logging

    What do you think about those headers? At least Report-To header could be useful, otherwise, the report-to attribute at CSP is useless.

    opened by arxeiss 2