PHP Secure Headers

Overview

Secure Headers

Add security-related headers to the HTTP response. The package includes service providers for easy Laravel integration.

Version

7.2.0

Supported Laravel Version

5.1 ~ 9.x

Installation

Non-Laravel Project

Install using Composer

composer require bepsvpt/secure-headers

Copy the config file to your project directory

cp vendor/bepsvpt/secure-headers/config/secure-headers.php path/to/your/project/directory

Set up the config file

Done!

Laravel Project

Install using Composer

composer require bepsvpt/secure-headers

Add the service provider to config/app.php (Laravel version < 5.5 only; later versions auto-discover it)

Bepsvpt\SecureHeaders\SecureHeadersServiceProvider::class,

Publish the config file

php artisan vendor:publish --provider="Bepsvpt\SecureHeaders\SecureHeadersServiceProvider"

Add the global middleware in app/Http/Kernel.php

\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,

Set up the config file config/secure-headers.php

Done!
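Once the middleware is registered globally, the quickest way to be sure the headers are really emitted on every response (and stay emitted after future refactors) is a feature test. The test below is an added example, not part of the package; it assumes a `/` route that returns 200, Laravel's `TestResponse::assertHeader()` API, and the header values shown in the package's default config (adjust them to whatever your published config/secure-headers.php sets).

```php
<?php

namespace Tests\Feature;

use Tests\TestCase;

/**
 * Fails the build if the security headers disappear, e.g. when
 * SecureHeadersMiddleware is dropped from the global middleware stack
 * in app/Http/Kernel.php or the published config is left disabled.
 *
 * Added example; not part of bepsvpt/secure-headers.
 */
class SecureHeadersTest extends TestCase
{
    public function testEveryResponseCarriesTheSecurityHeaders(): void
    {
        // Any route that renders a normal page will do; '/' is assumed to exist.
        $response = $this->get('/');

        $response->assertStatus(200);

        // Expected values follow the package's documented defaults; change them
        // to match your own config/secure-headers.php.
        $response->assertHeader('X-Content-Type-Options', 'nosniff');
        $response->assertHeader('X-Frame-Options', 'sameorigin');
        $response->assertHeader('Referrer-Policy', 'no-referrer');

        // HSTS only makes sense once the site is served over TLS, and the
        // config must have 'hsts' => ['enable' => true] for this to pass.
        $response->assertHeader('Strict-Transport-Security');

        // A missing Content-Security-Policy usually means the middleware never
        // ran (not registered globally) or 'custom-csp' was set to ''.
        $csp = $response->headers->get('Content-Security-Policy');
        $this->assertNotNull($csp, 'Content-Security-Policy header is missing');
        $this->assertNotFalse(strpos($csp, 'script-src'), 'CSP has no script-src directive');

        // Project policy check: no directive may fall back to 'unsafe-inline'.
        // Relax this if your style-src still needs it while you migrate.
        $this->assertFalse(strpos($csp, "'unsafe-inline'"), "CSP relies on 'unsafe-inline'");
    }
}
```

Run it with `php artisan test` (or `vendor/bin/phpunit`). Because the request goes through the full HTTP kernel, this also catches the case where the middleware is added only to a route group rather than the global stack, which is why static assets and API routes would otherwise come back without headers.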

Lumen Project

Install using Composer

composer require bepsvpt/secure-headers

Add the service provider in bootstrap/app.php

$app->register(Bepsvpt\SecureHeaders\SecureHeadersServiceProvider::class);

Copy the config file to the project directory

mkdir config
cp vendor/bepsvpt/secure-headers/config/secure-headers.php config/secure-headers.php

Add the global middleware in bootstrap/app.php

$app->middleware([
   \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,
]);

Set up the config file config/secure-headers.php

Done!

Usage (Non-Laravel Project)

Do not forget to import the namespace.

<?php

use \Bepsvpt\SecureHeaders\SecureHeaders;

Instance

<?php

// instantiate the class via the fromFile static method
$secureHeaders = SecureHeaders::fromFile('/path/to/secure-headers.php');

// or instantiate the class directly
$config = require '/path/to/secure-headers.php';

$config['key'] = 'value'; // modify config value if needed

$secureHeaders = new SecureHeaders($config);

Send

// Get headers
$secureHeaders->headers();

// Send headers to HTTP response
$secureHeaders->send();
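Inline `<script>` blocks are the usual reason a freshly deployed CSP starts blocking things. Rather than switching on `unsafe-inline`, the package's `csp.script-src.nonces` list lets you allow exactly the inline scripts you render, per request. The front controller below is an added example, not code from the package or its docs; it assumes a copy of the config at `config/secure-headers.php`, that `headers()` returns a `header name => value` map (with the key `Content-Security-Policy-Report-Only` instead if `report-only` is on), and the config key path `csp → script-src → nonces` shown in the package config.

```php
<?php

declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Bepsvpt\SecureHeaders\SecureHeaders;

/**
 * Build a SecureHeaders instance whose script-src carries a fresh per-request
 * nonce, so the page's own inline <script> blocks are allowed without
 * 'unsafe-inline'. Added example; not part of bepsvpt/secure-headers.
 *
 * @param string $configPath path to a copy of config/secure-headers.php (assumed)
 * @return array{0: SecureHeaders, 1: string} the instance and the nonce for <script nonce="">
 */
function secureHeadersWithNonce(string $configPath): array
{
    $config = require $configPath;

    // 128 bits from the CSPRNG, base64-encoded as the CSP grammar expects.
    $nonce = base64_encode(random_bytes(16));

    // Key path taken from the package's config layout: csp -> script-src -> nonces.
    $config['csp']['script-src']['nonces'][] = $nonce;

    // Once a nonce (or hash) is present in a directive, browsers that support
    // CSP Level 2+ ignore 'unsafe-inline' in it anyway, so keep it off and let
    // the nonce do the job. Inline scripts without the nonce are then blocked,
    // which is the "blocked the loading of a resource at inline" console error.
    $config['csp']['script-src']['unsafe-inline'] = false;

    return [new SecureHeaders($config), $nonce];
}

[$secureHeaders, $nonce] = secureHeadersWithNonce(__DIR__ . '/config/secure-headers.php');

// Sanity check before any output: the nonce must have made it into the policy
// (assumes headers() returns a name => value map; report-only uses the other key).
$all = $secureHeaders->headers();
$csp = $all['Content-Security-Policy'] ?? $all['Content-Security-Policy-Report-Only'] ?? '';
if (strpos($csp, "'nonce-{$nonce}'") === false) {
    throw new RuntimeException('nonce was not emitted in Content-Security-Policy');
}

$secureHeaders->send();

// The same nonce goes on every inline script you render on this response.
$attr = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
echo "<!doctype html>\n";
echo "<script nonce=\"{$attr}\">console.log('inline script allowed by nonce');</script>\n";
```

The nonce must be generated once per response and never reused or cached with the page, otherwise it stops proving anything; if a template engine or full-page cache sits in front of this code, pass the nonce through it rather than hard-coding a value.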

Document and Notice

Please see DOCS for details.

Changelog

Please see CHANGELOG for details.

Upgrade

Please see UPGRADE for details.

Contributors

Financial Contributors

Become a financial contributor and help us sustain our community. [Contribute]

Individuals

Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [Contribute]

License

Secure Headers is licensed under The MIT License (MIT).

Comments
• I need to use a URL logo in my website's footer

    Hi, I need to use URL logos in my website's footer:

    https://logo.samandehi.ir/logo.aspx?id=125527&p=nbpdodrfujynujynodrfyndt https://trustseal.enamad.ir/logo.aspx?id=85695&p=6hcAP0z1rV586Pk9

    They do not show. What am I doing wrong? Thanks

    opened by msadeqi 10
  • Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

    I am continually getting the error below

    Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).

    Below is my file

    <?php
    
    return [
        /*
         * Server
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
         *
         * Note: when server is empty string, it will not add to response header
         */
    
        'server' => 'Unknown',
        /*
         * X-Content-Type-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
         *
         * Available Value: 'nosniff'
         */
        'x-content-type-options' => 'nosniff',
        /*
         * X-Download-Options
         *
         * Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
         *
         * Available Value: 'noopen'
         */
        'x-download-options' => 'noopen',
        /*
         * X-Frame-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
         *
         * Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
         */
        'x-frame-options' => 'sameorigin',
        /*
         * X-Permitted-Cross-Domain-Policies
         *
         * Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
         *
         * Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
         */
        'x-permitted-cross-domain-policies' => 'none',
        /*
         * X-Power-By
         *
         * Note: it will not add to response header if the value is empty string.
         */
        'x-power-by' => '',
        /*
         * X-XSS-Protection
         *
         * Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
         *
         * Available Value: '1', '0', '1; mode=block'
         */
        'x-xss-protection' => '1; mode=block',
        /*
         * Referrer-Policy
         *
         * Reference: https://w3c.github.io/webappsec-referrer-policy
         *
         * Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
         *                  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
         */
        'referrer-policy' => 'no-referrer',
        /*
         * Clear-Site-Data
         *
         * Reference: https://w3c.github.io/webappsec-clear-site-data/
         */
        'clear-site-data' => [
            'enable' => false,
            'all' => false,
            'cache' => true,
            'cookies' => true,
            'storage' => true,
            'executionContexts' => true,
        ],
        /*
         * HTTP Strict Transport Security
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
         *
         * Please ensure your website had set up ssl/tls before enable hsts.
         */
        'hsts' => [
            'enable' => true,
            'max-age' => 15552000,
            'include-sub-domains' => true,
            'preload' => false,
        ],
        /*
         * Expect-CT
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
         */
        'expect-ct' => [
            'enable' => false,
            'max-age' => 2147483648,
            'enforce' => false,
            'report-uri' => null,
        ],
        /*
         * Public Key Pinning
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
         *
         * hpkp will be ignored if hashes is empty.
         */
        'hpkp' => [
            'hashes' => [
            // 'sha256-hash-value',
            ],
            'include-sub-domains' => false,
            'max-age' => 15552000,
            'report-only' => false,
            'report-uri' => null,
        ],
        /*
         * Feature Policy
         *
         * Reference: https://wicg.github.io/feature-policy/
         */
        'feature-policy' => [
            'enable' => true,
            /*
             * Each directive details can be found on:
             *
             * https://github.com/WICG/feature-policy/blob/master/features.md
             *
             * 'none', '*' and 'self allow' are mutually exclusive,
             * the priority is 'none' > '*' > 'self allow'.
             */
            'accelerometer' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'ambient-light-sensor' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'autoplay' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'camera' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'display-capture' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'document-domain' => [
                'none' => false,
                '*' => true,
                'self' => false,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'encrypted-media' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'fullscreen' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'geolocation' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'gyroscope' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'magnetometer' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'microphone' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'midi' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'payment' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'picture-in-picture' => [
                'none' => false,
                '*' => true,
                'self' => false,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'speaker' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'sync-xhr' => [
                'none' => false,
                '*' => true,
                'self' => false,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'usb' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
            'vr' => [
                'none' => false,
                '*' => false,
                'self' => true,
                'src' => false,
                'allow' => [
                // 'url',
                ],
            ],
        ],
        /*
         * Content Security Policy
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
         *
         * csp will be ignored if custom-csp is not null. To disable csp, set custom-csp to empty string.
         *
         * Note: custom-csp does not support report-only.
         */
        'custom-csp' => null,
        'csp' => [
            'report-only' => false,
            'report-uri' => null,
            'block-all-mixed-content' => false,
            'upgrade-insecure-requests' => true,
            /*
             * Please references script-src directive for available values, only `script-src` and `style-src`
             * supports `add-generated-nonce`.
             *
             * Note: when directive value is empty, it will use `none` for that directive.
             */
            'script-src' => [
                'allow' => [
                    'https://www.google.com/recaptcha/api.js',
                    'https://cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/jquery.validate.js',
                    'https://maps.googleapis.com/maps-api-v3/api/js/39/10/common.js',
                    'https://maps.googleapis.com/maps-api-v3/api/js/39/10/util.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.0/TweenMax.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/additional-methods.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/ScrollMagic.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.min.js',
                    'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/debug.addIndicators.min.js',
                    'https://connect.facebook.net/en_US/fbevents.js',
                ],
                'hashes' => [
                // 'sha256' => [
                //     'hash-value',
                // ],
                ],
                'nonces' => [
                // 'base64-encoded',
                ],
                'schemes' => [
                    'https:',
                ],
                'self' => true,
                'unsafe-inline' => true,
                'unsafe-eval' => true,
                'strict-dynamic' => false,
                'unsafe-hashed-attributes' => false,
                // https://www.chromestatus.com/feature/5792234276388864
                // 'report-sample' => true,
                'add-generated-nonce' => true,
            ],
            'style-src' => [
                'allow' => [
                    'https://fonts.googleapis.com/',
                    'https://fonts.googleapis.com/css?family=Biryani:200,300,400,500,600,700',
                    'https://cdnjs.cloudflare.com/ajax/libs/bootstrap-datetimepicker/4.15.35/css/bootstrap-datetimepicker.min.css',
                ],
                'hashes' => [
                // 'sha256' => [
                //     'hash-value',
                // ],
                ],
                'nonces' => [
                //
                ],
                'schemes' => [
                // 'https:',
                ],
                'self' => true,
                'unsafe-inline' => true,
                // https://www.chromestatus.com/feature/5792234276388864
                // 'report-sample' => true,
                'add-generated-nonce' => false,
            ],
            'img-src' => [
                'allow' => [
                //
                ],
                'schemes' => [
                    'data:',
                    'https:',
                ],
                'self' => true,
                'data' => true,
            ],
            'default-src' => [
                'none',
            ],
            'base-uri' => [
            //
            ],
            'connect-src' => [
                'allow' => [
                    'https://' . parse_url(env('APP_URL'), PHP_URL_HOST) . ':8443/socket.io/',
                    'wss://' . parse_url(env('APP_URL'), PHP_URL_HOST) . ':8443/socket.io/',
                ],
                'self' => true,
            ],
            'font-src' => [
                'schemes' => [
                    'data:',
                    'https:',
                ],
                'self' => true,
                'data' => true,
            ],
            'form-action' => [
                'self' => true,
            ],
            'frame-ancestors' => [
            //
            ],
            'frame-src' => [
                'schemes' => [
                    'https:',
                ],
                'self' => true,
            ],
            'media-src' => [
                'allow' => [
                   //
                ],
                'self' => true,
            ],
            'object-src' => [
            //
            ],
            'worker-src' => [
            //
            ],
            'plugin-types' => [
            // 'application/x-shockwave-flash',
            ],
            'require-sri-for' => '',
            'sandbox' => '',
        ],
    ];
    
    
    opened by urfusion 9
  • Rename Feature-Policy header to Permissions-Policy

    According to the following links, the Feature-Policy header has been renamed to Permissions-Policy.

    https://www.w3.org/TR/permissions-policy-1/

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

    Since yesterday (July 20 2020) I have started to get errors in the Chrome console: "Error with Feature-Policy header: Unrecognized feature: 'display-capture'."

    pending 
    opened by yosifeldman 8
  • The right way to config

    Hi, I'm new to Laravel and I have some questions about your package. I added \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class to $middlewarePriority in Kernel.php. Is that right? And what should I write in secure-headers.php? And how can I be sure that I configured it the right way? I'm using Laravel 5.8. Thanks in advance.

    opened by Masoud180 8
  • Get "Error parsing header" in Chrome console

    Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.

    opened by Kokil 7
  • securityheaders.com still shows a big red F

    Hello All,

    1. I have configured it as per the Laravel project instructions, and the security headers come with the first request of the website, but all other requests, like loading JS and CSS, do not have the configured security headers.

    2. Also, securityheaders.com still shows a big red F for my website (https://workversatile.com). Can anyone help me?

    opened by arshadanjum167 6
  • After setup for Laravel, the Content-Security-Policy header is not generated

    I see CSP is enabled in the config file secure-headers.php

    /*
     * Content Security Policy
     *
     * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
     */

    'csp' => [
        'enable' => true,

    But in the response headers of my site, the Content-Security-Policy header is not generated

    Results from https://securityheaders.com

    Missing Headers

    Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

    How do I enable this header?

    opened by hyquoccuong 6
  • Laravel duplicates X-Content-Type-Options header

    I am using secure-headers in a Laravel project and get an A when scanning the site using securityheaders.io. I do get the following two warnings:

    X-Frame-Options There was a duplicate X-Frame-Options header. X-Content-Type-Options There was a duplicate X-Content-Type-Options header.

    Laravel is adding the duplicates from Illuminate\Http\Middleware\FrameGuard.php. Is there a way to prevent this occurring? Thanks

    opened by johnboc 6
  • img issues

    Hello and thanks for the great package. Maybe I'm doing this wrong, but images I have whitelisted are not showing up.

    [Error] Refused to load http://7.t.imgbox.com/nzEqZ9bY.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://5.t.imgbox.com/fqffnT8Y.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://7.t.imgbox.com/nzEqZ9bY.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://5.t.imgbox.com/fqffnT8Y.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://6.t.imgbox.com/ecBXXVws.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://9.t.imgbox.com/pdHrSRyL.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://0.t.imgbox.com/uxFAAuEd.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://6.t.imgbox.com/4ZFjwTBc.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://3.t.imgbox.com/e0a7Dyf8.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://2.t.imgbox.com/43n4c49A.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://assets.fanart.tv/fanart/movies/269149/moviebackground/zootopia-56b0a4adcd559.jpg because it does not appear in the img-src directive of the Content Security Policy.
    [Error] Refused to load http://assets.fanart.tv/fanart/movies/269149/movieposter/zootopia-573f3f2c6d6ee.jpg because it does not appear in the img-src directive of the Content Security Policy.
    

    This is my CSP config

    secure-headers.php
    <?php
    
    return [
    
        /*
         * X-Content-Type-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
         *
         * Available Value: 'nosniff'
         */
    
        'x-content-type-options' => 'nosniff',
    
        /*
         * X-Download-Options
         *
         * Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
         *
         * Available Value: 'noopen'
         */
    
        'x-download-options' => 'noopen',
    
        /*
         * X-Frame-Options
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
         *
         * Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
         */
    
        'x-frame-options' => 'sameorigin',
    
        /*
         * X-Permitted-Cross-Domain-Policies
         *
         * Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
         *
         * Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
         */
    
        'x-permitted-cross-domain-policies' => 'none',
    
        /*
         * X-XSS-Protection
         *
         * Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
         *
         * Available Value: '1', '0', '1; mode=block'
         */
    
        'x-xss-protection' => '1; mode=block',
    
        /*
         * Referrer-Policy
         *
         * Reference: https://w3c.github.io/webappsec-referrer-policy
         *
         * Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
         *                  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
         */
    
        'referrer-policy' => 'strict-origin-when-cross-origin',
    
        /*
         * HTTP Strict Transport Security
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
         *
         * Please ensure your website had set up ssl/tls before enable hsts.
         */
    
        'hsts' => [
            'enable' => true,
    
            'max-age' => 15552000,
    
            'include-sub-domains' => false,
        ],
    
        /*
         * Public Key Pinning
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
         *
         * hpkp will be ignored if hashes is empty.
         */
    
        'hpkp' => [
            'hashes' => [
                // [
                //     'algo' => 'sha256',
                //     'hash' => 'hash-value',
                // ],
            ],
    
            'include-sub-domains' => false,
    
            'max-age' => 15552000,
    
            'report-only' => false,
    
            'report-uri' => null,
        ],
    
        /*
         * Content Security Policy
         *
         * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
         *
         * csp will be ignored if custom-csp is not null. To disable csp, set custom-csp to empty string.
         *
         * Note: custom-csp does not support report-only.
         */
    
        'custom-csp' => null,
    
        'csp' => [
            'report-only' => false,
    
            'report-uri' => null,
    
            'upgrade-insecure-requests' => false,
    
            'base-uri' => [
                //
            ],
    
            'default-src' => [
                'self' => true,
            ],
    
            'child-src' => [
                //
            ],
    
            'script-src' => [
                'allow' => [
                    'cdnjs.cloudflare.com',
                    'cdn.bootcss.com',
                    'cdn.datatables.net',
                    'ajax.googleapis.com',
                    'maxcdn.bootstrapcdn.com',
                ],
    
                'hashes' => [
                    // ['sha256' => 'hash-value'],
                ],
    
                'nonces' => [
                    //
                ],
    
                'self' => true,
    
                'unsafe-inline' => true,
    
                'unsafe-eval' => false,
            ],
    
            'style-src' => [
                'allow' => [
                    'cdn.bootcss.com',
                    'fonts.googleapis.com',
                    'cdn.rawgit.com',
                    'maxcdn.bootstrapcdn.com',
                    'cdnjs.cloudflare.com',
                    'ajax.googleapis.com',
                ],
    
                'self' => true,
    
                'unsafe-inline' => true,
            ],
    
            'img-src' => [
                'allow' => [
                    '*.imgur.com',
                    '*.imgbox.com',
                    'assets.fanart.tv',
                ],
    
                'types' => [
                    'gif',
                    'png',
                ],
    
                'self' => true,
    
                'data' => true,
            ],
    
            /*
             * The following directives are all use 'allow' and 'self' flag.
             *
             * Note: default value of 'self' flag is false.
             */
    
            'font-src' => [
                'allow' => [
                    'fonts.googleapis.com',
                    'fonts.gstatic.com',
                    'cdn.rawgit.com',
                    'maxcdn.bootstrapcdn.com',
                ],
                'self' => true,
            ],

            'connect-src' => [
                'allow' => [
                    'www.omdbapi.com',
                ],
                'self' => true,
            ],
    
            'form-action' => [
                'self' => true,
            ],
    
            'frame-ancestors' => [
                'self' => true,
            ],
    
            'media-src' => [
                'self' => true,
            ],
    
            'object-src' => [
                'self' => true,
            ],
    
            /*
             * plugin-types only support 'allow'.
             */
    
            'plugin-types' => [
                //
            ],
        ],
    
    ];
    
    opened by HDVinnie 6
  • Add Nonce on Javascript Navigation

    opened by PanjiNamjaElf 5
  • Image data: Question

    I'm getting a lot of the following.

    Screen-Shot-2019-10-30-at-3-17-43-PM.png

    My Config is so:

            'img-src' => [
                'schemes' => [
                    'data:',
                    'https:',
                ],
                'self' => true,
                'data' => true,
            ],
    

    How can I allow all these?

    opened by HDVinnie 5
  • Support for Reporting API and NEL header

    You already support the report-to attribute in CSP. However, this attribute accepts a key from the Report-To header, as shown in the examples on developer.mozilla.org.

    What do you think about adding the possibility to set the Report-To standalone header as well? It can report more issues with your site, see https://docs.report-uri.com/setup/reporting-api/.

    And maybe add the NEL header too? This is not really a security header, but it can help with debugging bad HTTPS certificates etc.: https://report-uri.com/products/network_error_logging

    What do you think about those headers? At least the Report-To header could be useful; otherwise, the report-to attribute in CSP is useless.

    opened by arxeiss 2