bepsvpt / secure-headers Goto Github PK
View Code? Open in Web Editor NEWPHP Secure Headers
License: MIT License
secure-headers's People
Contributors
Stargazers
Watchers
Forkers
joseconsador jamesko1026 petr-pokorny captn3m0 tedyl nomadtechiemike hotarusawamura camilogarzon osub grzchr15 ruudy-es muhammed2018ab jafari1989 zaghyr sinkcup ngocnd0242 ezetechlabs x3ns dtannen mattdfloyd phuongmychi envatic christattum ndinhbang essential-writer-codebase esameisa dwightwatson panjinamjaelf hichxm samjidiamond winkbrace aesyondu titanman1989 knpau barryvanveen behnamhosseini mineirim thiagovictorino boserup mkguru77 yohn wilbernight pravinshahi0007 yasiendwieb jazosecure-headers's Issues
Add New Header: Feature Policy
Love the package, great work on it.
Could you look into adding support for the new security header: Feature Policy?
Details on what it entails can be found here.
X-Powered-By header name
I think that the header is X-Powered-By instead of X-Power-By
Laravel Issue
When i add the global middleware \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class, in my app/http/kernel.php , whenever a validation fails in a form it redirects back to '/' route instead of back to the form with errors. or whenever i call redirect()->back() method it redirects to the default route '/' .
This only happens with the global middleware set.
Unrecognized feature: 'display-capture'
Hey 👋 I'm getting the following error on Chrome. Is display-capture a valid policy?
Error with Feature-Policy header: Unrecognized feature: 'display-capture'.
Data protocol not being added to content-security-policy header
My secure-headers.php has the following rules for img-src:
'img-src' => [
'allow' => [
env('APP_URL') . '/',
],
'types' => [
//
],
'self' => true,
'data' => true,
],
However when I try to upload an image via a form as soon as the image is dropped on to the input I get the following error:
Refused to load the image 'data:image/jpeg;base64,/9j/4aI5RXhpZgAASUkqAA....//Z' because it violates the following Content Security Policy directive: "img-src 'self' http://localhost:3000/".
It appears that 'data' => true is being ignored.
X-Powered-By keep showing when I leave it empty in config file
In Laravel config/secure-headers.php
/*
* X-Powered-By
*
* Note: it will not add to response header if the value is empty string.
*/
'x-powered-by' => '',
But in header it shows
X-Powered-By: PHP/7.2.28
If I change the value:
'x-powered-by' => config('app.name'),
Header shows:
X-Powered-By: PHP/7.2.28
X-Powered-By: Laraspace
And if I change the config to
'x-powered-by' => [
'enable' => false,
],
Now it shows:
X-Powered-By: PHP/7.2.28
X-Powered-By
I just want to hide/remove it completely or just show one line with set value in config file, could you please let me know how to do that?
Error when loading data:image - violates csp
Getting error loading data:image.
FileList {0: File(805286), length: 1}
edit:1 Refused to load the image 'data:image/jpeg;base64,/9j/4T+DRXhpZk=' because it violates the following Content Security Policy directive: "img-src 'self' http://ajax.googleapis.com http://cdnjs.cloudflare.com http://*.tawk.to http://code.jquery.com".
'img-src' => [ 'allow' => [ $protocol . 'ajax.googleapis.com', $protocol . 'cdnjs.cloudflare.com', $protocol . '*.tawk.to', $protocol . 'code.jquery.com', ], 'self' => true, 'data' => true, ],
What am i doing wrong?
Thanks
Error 500 in Laravel
Since I added this package middleware to my kernel.php my website return error 500 and even turning debug mode to true in .env file it does not show what the error is. But if I comment the middleware my site runs as usual without issue.
Config file
<?php
$protocol = 'https://';
if (! isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') {
$protocol = 'http://';
}
return [
/*
* Server
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
*
* Note: when server is empty string, it will not add to response header
*/
'server' => '',
/*
* X-Content-Type-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
*
* Available Value: 'nosniff'
*/
'x-content-type-options' => 'nosniff',
/*
* X-Download-Options
*
* Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
*
* Available Value: 'noopen'
*/
'x-download-options' => 'noopen',
/*
* X-Frame-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
*
* Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
*/
'x-frame-options' => 'sameorigin',
/*
* X-Permitted-Cross-Domain-Policies
*
* Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
*
* Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
*/
'x-permitted-cross-domain-policies' => 'none',
/*
* X-Powered-By
*
* Note: it will not add to response header if the value is empty string.
*/
'x-powered-by' => '',
/*
* X-XSS-Protection
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
*
* Available Value: '1', '0', '1; mode=block'
*/
'x-xss-protection' => '1; mode=block',
/*
* Referrer-Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
*
* Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
* 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
*/
'referrer-policy' => 'no-referrer',
/*
* Clear-Site-Data
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
*/
'clear-site-data' => [
'enable' => false,
'all' => false,
'cache' => true,
'cookies' => true,
'storage' => true,
'executionContexts' => true,
],
/*
* HTTP Strict Transport Security
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
*
* Please ensure your website had set up ssl/tls before enable hsts.
*/
'hsts' => [
'enable' => true,
'max-age' => 31536000,
'include-sub-domains' => true,
'preload' => false,
],
/*
* Expect-CT
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
*/
'expect-ct' => [
'enable' => false,
'max-age' => 2147483648,
'enforce' => false,
// report uri must be absolute-URI
'report-uri' => null,
],
/*
* Permissions Policy
*
* Reference: https://w3c.github.io/webappsec-permissions-policy/
*/
'permissions-policy' => [
'enable' => true,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/accelerometer
'accelerometer' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/ambient-light-sensor
'ambient-light-sensor' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/autoplay
'autoplay' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/battery
'battery' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/camera
'camera' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://www.chromestatus.com/feature/5690888397258752
// 'cross-origin-isolated' => [
// 'none' => false,
// '*' => false,
// 'self' => true,
// 'origins' => [],
// ],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/display-capture
'display-capture' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/document-domain
'document-domain' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/encrypted-media
'encrypted-media' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://wicg.github.io/page-lifecycle/#execution-while-not-rendered
'execution-while-not-rendered' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://wicg.github.io/page-lifecycle/#execution-while-out-of-viewport
'execution-while-out-of-viewport' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/fullscreen
'fullscreen' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/geolocation
'geolocation' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/gyroscope
'gyroscope' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/magnetometer
'magnetometer' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/microphone
'microphone' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/midi
'midi' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://drafts.csswg.org/css-nav-1/
'navigation-override' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/payment
'payment' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/picture-in-picture
'picture-in-picture' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/publickey-credentials-get
'publickey-credentials-get' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/screen-wake-lock
'screen-wake-lock' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/sync-xhr
'sync-xhr' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/usb
'usb' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/web-share
'web-share' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking
'xr-spatial-tracking' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
],
/*
* Content Security Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
*/
'csp' => [
'enable' => true,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
'report-only' => false,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
'report-to' => '',
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri
'report-uri' => [
// uri
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
'block-all-mixed-content' => false,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
'upgrade-insecure-requests' => false,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
'base-uri' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
'child-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
'connect-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
'default-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
'font-src' => [
'allow' => [
$protocol.'fonts.gstatic.com',
],
'self' => true,
'data' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
'form-action' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
'frame-ancestors' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
'frame-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
'img-src' => [
'allow' => [
$protocol.'www.google-analytics.com',
],
'self' => true,
'data' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src
'manifest-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
'media-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to
'navigate-to' => [
'unsafe-allow-redirects' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
'object-src' => [
'allow' => [],
'self' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types
'plugin-types' => [
// 'application/pdf',
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src
'prefetch-src' => [
//
],
// https://w3c.github.io/webappsec-trusted-types/dist/spec/#integration-with-content-security-policy
'require-trusted-types-for' => [
'script' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
'sandbox' => [
'enable' => false,
'allow-downloads-without-user-activation' => false,
'allow-forms' => false,
'allow-modals' => false,
'allow-orientation-lock' => false,
'allow-pointer-lock' => false,
'allow-popups' => false,
'allow-popups-to-escape-sandbox' => false,
'allow-presentation' => false,
'allow-same-origin' => false,
'allow-scripts' => false,
'allow-storage-access-by-user-activation' => false,
'allow-top-navigation' => false,
'allow-top-navigation-by-user-activation' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
'script-src' => [
'none' => false,
'self' => true,
'report-sample' => false,
'allow' => [
// 'url',
$protocol.'ajax.googleapis.com',
$protocol.'code.jquery.com',
$protocol.'www.googletagmanager.com',
$protocol.'www.google-analytics.com',
],
'schemes' => [
// 'data:',
// 'https:',
],
/* followings are only work for `script` and `style` related directives */
'unsafe-inline' => true,
'unsafe-eval' => true,
// https://www.w3.org/TR/CSP3/#unsafe-hashes-usage
'unsafe-hashes' => false,
// Enable `strict-dynamic` will *ignore* `self`, `unsafe-inline`,
// `allow` and `schemes`. You can find more information from:
// https://www.w3.org/TR/CSP3/#strict-dynamic-usage
'strict-dynamic' => false,
'hashes' => [
'sha256' => [
// 'sha256-hash-value-with-base64-encode',
],
'sha384' => [
// 'sha384-hash-value-with-base64-encode',
],
'sha512' => [
// 'sha512-hash-value-with-base64-encode',
],
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr
'script-src-attr' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem
'script-src-elem' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
'style-src' => [
'allow' => [
$protocol.'fonts.googleapis.com',
],
'self' => true,
'unsafe-inline' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr
'style-src-attr' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem
'style-src-elem' => [
//
],
// https://w3c.github.io/webappsec-trusted-types/dist/spec/#trusted-types-csp-directive
'trusted-types' => [
'enable' => false,
'allow-duplicates' => false,
'default' => false,
'policies' => [
//
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src
'worker-src' => [
//
],
],
];Any idea why?
Add CSP Report To
Hi
Can you add CSP Report To option ?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
Add route whitelist
Great package... in fact, too good.
I have an Outlook Addin that's served from my Laravel web app. It's a single page, but it requires users to be logged in, otherwise I'd host it outside of Laravel.
As soon as CSP is enabled, the Outlook Addin stops working and finding the cause is proving to be a nightmare.
Would it be possible to add a route whitelist so secure headers can be disabled for specific routes?
How to generate "nonce" and add generated code to script and style tags?
Hi @bepsvpt, i have another trouble, how can i add a "nonce" key and add it to script an style tags?
I want to fix Content Security Policy on my Laravel App.
undefined index: x-content-type-options
what did i do wrong?, pretty much clean install and enable config are set as env == production.
Tags after merge
Hi,
Can you please tag this and https://github.com/BePsvPT/csp-builder after my PRs merge?
Also increase the composer.json line that refers to csp-builder.
I do not why but it looks like default-src is not adding the values on "allow" position to the 'self' value, will try to give you more info after solve the prefecth problem we are having.
Thanks!
redirected to file's directory while validation Laravel
Laravel
while form submits goes to request file app/Http/Requests/.... but return back to an unknown location.
nonces not cleared when unit testing
When running unit tests nonces will be automatically created if applicable. However, the nonces are not cleared between tests. If you have many unit tests this will impact testing performance and resources.
Add the following test (that will fail deliberately) to your application that contains many tests:
public function test_security_headers_just_fail()
{
$headers = $this->get(route('/'))->headers;
$this->assertStringContainsString("justfail", $headers->get('content-security-policy'));
}You will see something similar to:
PHPUnit 8.5.1 by Sebastian Bergmann and contributors.
............................................................... 63 / 611 ( 10%)
............................................................... 126 / 611 ( 20%)
............................................................... 189 / 611 ( 30%)
............................................................... 252 / 611 ( 41%)
...........F................................................... 315 / 611 ( 51%)
............................................................... 378 / 611 ( 61%)
............................................................... 441 / 611 ( 72%)
............................................................... 504 / 611 ( 82%)
............................................................... 567 / 611 ( 92%)
........................I................... 611 / 611 (100%)
Time: 14.39 minutes, Memory: 184.50 MB
There was 1 failure:
1) Tests\Feature\SecurityHeadersTest::test_security_headers_just_fail
Failed asserting that 'base-uri 'self'; object-src 'none'; script-src 'unsafe-inline' 'nonce-NzY1Mjc5M2EwZGNkNzdlYQ==' 'nonce-ZDc4ODcxYTc0MDIyM2I5Nw==' 'nonce-ZTlmZmE4NjA0MWNjNTMwNw==' 'nonce-ZjRkNGFkNGQ5OTk0NjQ0Yw==' 'nonce-NDE2ZDAyYjcwN2ZiMjE5Yg==' 'nonce-MGQzYmRjNzM2NTUxMDQyMg==' 'nonce-ZTllYWU1NTZkN2U5MTE4Mw==' 'nonce-ZWIzNWExMjc5ZDE0NTAzYQ==' 'nonce-MDU3YzA5ZTU0NDJlODI4MQ==' 'nonce-NzMwOGY1MzllNjVkNTA1Mw==' 'nonce-ZTRiYTQyMTEwMmQwNjUxZQ==' 'nonce-YmE0Nzk5MzA2ZTllZTg3NA==' 'nonce-ZGJlNzQ2YTRjMGFlZTM4NQ==' 'nonce-M2I5NDQ4MTU5NTExNDgwMg==' 'nonce-MDA1YzJlNzc4ZDYxMWYxYg==' 'nonce-OTM2ZGVlNTQ4ZGQ5OTk1OQ==' 'nonce-MTEyZjRkMGYxOTFmNzI0ZQ==' 'nonce-ZTFiMmQ5NWI3Mzc1YjU3Yg==' 'nonce-OGZhZTI1MDFiNDAxMDJhMQ==' 'nonce-ZGM0ZTNhMWI2MDU4MTViYw==' 'nonce-MjRjMThlNTNkYzBhMTE1Yw==' 'nonce-ODE0MjMxMDU1YTVkMTlkZg==' 'nonce-NTQ3YjRkMTU5ZDM0OTJiYQ==' 'nonce-ZjE2ZWUyYTNmMjkyY2NlNA==' 'nonce-ZjY3MzhiZGQxODQxODY1Mg==' 'nonce-YWUzZWUxY2NhMmIyNzA4Nw==' 'nonce-MjY0MDAxMzM0ODUyYzJjMw==' 'nonce-NTQzM2MxOWYxMTIzMDJlZQ==' 'nonce-Yjg3MTY1Mzg3NWEwZGVjYg==' 'nonce-YjE5ZmUxZTAyZDA3NTU3YQ==' 'nonce-MTVhMjVkODc3MDQ4YTZiOA==' 'nonce-ZWUxZmY5YTJhM2RmNWNiYw==' 'nonce-MjE3ODYxZDE3NWEzMTdiMA==' 'nonce-Mjc1OGQ1NDExMTJmMzc5ZQ==' 'nonce-OWNjNzM1Zjk4YWNlMDU5ZQ==' 'nonce-N2NlZmFjZDNmMTUxNDVhNw==' 'nonce-N2FhMzgxNTExYmViNDhiNQ==' 'nonce-ZTljYTE5NjY5Y2Q4YWFkZg==' 'nonce-M2UxNDY5M2Y0NzcxZjE5Mg==' 'nonce-OTUyZDY2OGZkYjkxMGRjYQ==' 'nonce-MDIwYmRiY2YzYjA3OTZhMA==' 'nonce-ZTNhOTRkYzFiMTk4YzVlZg==' 'nonce-MDE3MzM1Zjc0OThmMDc4ZQ==' 'nonce-ZGE5YTY3NGNkOTQ3ZWNkYg==' 'nonce-MzNiZjBjYmU2Zjk5ODhkZQ==' 'nonce-N2IxYmRkOTlhYTBkODI0OA==' 'nonce-ODY2MTQ1NTBkZGNjNzljMQ=='
<...SNIP MANY MANY MORE NONCES HERE...>
/builds/example/example_app/tests/Feature/SecurityHeadersTest.php:16
FAILURES!
Tests: 611, Assertions: 3072, Failures: 1, Incomplete: 1.
Support for Reporting API and NEL header
You already support the report-to attribute at CSP. However, this attribute accepts key from Report-To header like shown in this site in examples: developer.mozilla.org.
What do you think about adding the possibility to set the Report-To standalone header as well? It can report more issues with your site, see https://docs.report-uri.com/setup/reporting-api/.
And maybe add NEL Header too? This is not really security header but can help with debugging bad HTTPS certificate etc https://report-uri.com/products/network_error_logging
What do you think about those headers? At least Report-To header could be useful, otherwise, the report-to attribute at CSP is useless.
undefined method
FatalThrowableError in SecureHeadersMiddleware.php line 26:
Call to undefined method Symfony\Component\HttpFoundation\BinaryFileResponse::header()
when I use this function:
/**
* Telecharge le torrent
*
* @access public
* @param string $slug Slug du torrent
* @param int $id Id du torrent
* @return file
*/
public function download($slug, $id)
{
// Find the torrent in the database
$torrent = Torrent::find($id);
if (Auth::check()) {
// Current user is the logged in user
$user = Auth::user();
// User's ratio is too low
if ($user->getRatio() < config('other.ratio') && config('other.freeleech') == false) {
return Redirect::route('torrent', ['slug' => $torrent->slug, 'id' => $torrent->id])->with(Toastr::warning('Your Ratio Is To Low To Download!!!', 'Error!', ['options']));
}
} else {
$user = null;
}
// Define the filename for the download
$tmpFileName = $torrent->slug . '.torrent';
// The torrent file exist ?
if (!file_exists(getcwd() . '/files/torrents/' . $torrent->file_name)) {
return Redirect::route('torrent', ['slug' => $torrent->slug, 'id' => $torrent->id])
->with(Toastr::warning('Torrent File Not Found! Please Report This Torrent!', 'Error!', ['options']));
} else {
// Delete the last torrent tmp file
if (file_exists(getcwd() . '/files/tmp/' . $tmpFileName)) {
unlink(getcwd() . '/files/tmp/' . $tmpFileName);
}
}
// Get the content of the torrent
$dict = Bencode::bdecode(file_get_contents(getcwd() . '/files/torrents/' . $torrent->file_name));
// Freeleech ?
if (config('other.freeleech') == true) {
// Set the announce key only
$dict['announce'] = route('announce');
} else {
if (Auth::check()) {
// Set the announce key and add the user passkey
$dict['announce'] = route('announce', ['passkey' => $user->passkey]);
// Remove Other announce url
unset($dict['announce-list']);
} else {
return redirect('/login');
}
}
$fileToDownload = Bencode::bencode($dict);
file_put_contents(getcwd() . '/files/tmp/' . $tmpFileName, $fileToDownload);
return Response::download(getcwd() . '/files/tmp/' . $tmpFileName);
}
How to setup 'script-src' on https protocol?
Hi, i've been trying to setup the 'script-src' on 'secure-headers.php' file, but i don't have some response setting up this options.
Can you help me with any information?
Thanks.
Unable to set multiple values to the frame-ancestors directive of the content-security-policy header
Hi,
I need to set the frame-ancestors directive to multiple URIs. But only this seems to work.
frame-ancestors' => [ 'self' => true, ],
I tried to add it like:
'frame-ancestors' => [ 'URI1' => true, 'URI2' => true, ],
doesnt work.
Also tried some other ways.
How can I add multiple URIs other than just specifying self?
CSP Level 3 changes - "Child-src" Deprecated, Replaced by "frame-src" that is undeprecated, and "worker-src" is added
The CSP level 3 Editors draft specifies that child-src is now deprecated. Generally these "editor drafts" are what browsers use to implement from. The following changes are important:
- Was previously deprecated, is now undeprecated
- Defers to "child-src" if not present, which in turn defers to "default-src" if not present
- Added to spec
- Defers to "script-src" if not present, which in turn defers to "default-src" if not present
- deprecated
I will research what changes are necessary and create a pull request shortly
jquery.min.js
Hi there -- I am investigating the use of secure-headers on our site but have hit a problem with regards the enabling of CSP.
We see the following:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: 'nonce-NmY3M2YwOTQ5MmQyOTEyMg==' 'nonce-MzQ5Y2RmNzhhMDdkNTRmMw==' 'nonce-MzBlMzg0YmZhN2MzNjk5Ng==' fonts.gstatic.com ajax.googleapis.com code.jquery.com googletagmanager.com google-analytics.com s3.eu-west-2.amazonaws.com cdnjs.cloudflare.com ajax.googleapis.com maxcdn.bootstrapcdn.com unpkg.com google.com cdn.jsdelivr.net gitcdn.github.io checkout.stripe.com fonts.googleapis.com code.ionicframework.com data:". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
which points to our self-hosted jquery.min.js file.
We do not face any other issues and CSP works fine for other script and styles.
Would appreciate any help or pointers.
Thanks
I need use url logo in footers website
Hi
I need use url logo in footers website :
https://logo.samandehi.ir/logo.aspx?id=125527&p=nbpdodrfujynujynodrfyndt
https://trustseal.enamad.ir/logo.aspx?id=85695&p=6hcAP0z1rV586Pk9
it is not show
What am i doing wrong?
Thanks
Feedback for last commits :)
Hi @bepsvpt, i think that documentation is really nice, is so clear.
I have a question about “feature policy”, do you implement any config for that header? or is not necessary?
Thanks a lot! :)
Rename Feature-Policy header to Permissions-Policy
According to the following link, the Feature-Policy header is now renamed to the Permissions-Policy.
https://www.w3.org/TR/permissions-policy-1/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
Since yesterday (July 20 2020) started to get errors in Console in the Chrome:
"Error with Feature-Policy header: Unrecognized feature: 'display-capture'."
Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Hi, I have been having problems with some notifications on Firefox(Version 67.0.2) with script-src, I tried several "solucions" but none of them works for me. Could you help me with this please?
There are the messages I get:
- Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
- Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
- Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
And I guess this prevent my contact form in Laravel to do the submission.
This is my current code on the secure-headers.php:
'script-src' => [
'allow' => [
$protocol.'code.jquery.com',
$protocol.'www.googletagmanager.com',
$protocol.'www.google-analytics.com',
$protocol.'www.google.com',
$protocol.'*.localhost',
],
$self' => true,
'unsafe-inline' => true,
'unsafe-eval' => true,
'data' => true,
'hashes' => [
// 'sha256' => [
// 'hash-value',
// ],
],
'nonces' => [
// 'base64-encoded',
],
'schemes' => [
'https:',
],
'self' => true,
'unsafe-inline' => true,
'unsafe-eval' => true,
'data' => true,
//'strict-dynamic' => false,
//'unsafe-hashed-attributes' => false,
// https://www.chromestatus.com/feature/5792234276388864
//'report-sample' => true,
'add-generated-nonce' => false,
],
By the way, I'm doing the tests on my localhost(http://www.localhost:8000/) I hope you can help me with this issue,
Thanks!
Add Nonce on Javascript Navigation
Hello..
How to add nonce on javascript navigation without enable 'unsafe-inline' in 'script-src' ?
Ex:
I want add nonce on 'javascript:void(0);' or similar script like that
Thanks!
Please provide better examples for csp
Please provide better examples for CSP in the documentation, if I provide anything other than:
'self' => true I the result is an empty img-src value, this is true if I provide an array as well. for example using the example from paragonie/csp-builder with:
'self' => true,
'data' => true
my resulting policy only has self, data doesn't work at all. If I try to provide a domain, the same is true.
syntax error, unexpected '?' in SecureHeaders.php
Hello, I Had installed this package and configured it well on my local machine in laravel 5.4 and it ran without any problems but when i uploaded to the server, I encountered this error .
FatalErrorException in SecureHeaders.php line 121: syntax error, unexpected '?'
It was complaining about this line of code in vendor/bepsvpt/secure-headers/src/SecureHeader.php
$csp = new CSPBuilder($this->config['csp']);
if (! ($this->config['csp']['https-transform-on-https-connections'] ?? true)) {
/* @todo wait for upstream package releasing new version */
// $csp = $csp->disableHttpsTransformOnHttpsConnections();
}
Can anyone help figure out how to fix this, please?
not able to allow socket.io
the script works well for everything except socket.io connections I use a specific port and have tried to add my domain name with the port but same error
Incorrect option header name
It tries to get the value of $this->config['x-power-by'] when it should be $this->config['x-powered-by']
See: https://github.com/bepsvpt/secure-headers/blob/master/src/SecureHeaders.php#L230
PR: #55
Thanks.
question about sha integrity approach
...
Laravel duplicates X-Content-Type-Options header
I am using secure-headers in a Laravel project and get an A when scanning the site using securityheaders.io. I do get the followign two warnings:
X-Frame-Options There was a duplicate X-Frame-Options header.
X-Content-Type-Options There was a duplicate X-Content-Type-Options header.
Laravel is adding the duplicates from Illuminate\Http\Middleware\FrameGuard.php. Is there a way to prevent this occurring?
Thanks
Laravel 9 Support
After setup for laravel, Content-Security-Policy header is not generated
I see csp is enabled in config file secure-headers.php
/*
* Content Security Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
*/
'csp' => [
'enable' => true,
But in header of my site Content-Security-Policy header is not generated
Results from https://securityheaders.com
Missing Headers
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
How do I enable this header?
Error EvalError: for scipt
Hi
Im getting the below error in the console with the upgrade
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'
This is my script-src block in config/secure-headers.php
Can some one please let me know what should I change ?
'script-src' => [
'allow' => [
'https://cdn.jsdelivr.net', // signature pad
],
'hashes' => [
// ['sha256' => 'hash-value'],
],
'nonces' => [
//
],
'schemes' => [
// 'https:',
],
'self' => true,
'unsafe-inline' => true,
'unsafe-eval' => false,
]
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
I am continually getting below error
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Below is my file
<?php
return [
/*
* Server
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
*
* Note: when server is empty string, it will not add to response header
*/
'server' => 'Unknown',
/*
* X-Content-Type-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
*
* Available Value: 'nosniff'
*/
'x-content-type-options' => 'nosniff',
/*
* X-Download-Options
*
* Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
*
* Available Value: 'noopen'
*/
'x-download-options' => 'noopen',
/*
* X-Frame-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
*
* Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
*/
'x-frame-options' => 'sameorigin',
/*
* X-Permitted-Cross-Domain-Policies
*
* Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
*
* Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
*/
'x-permitted-cross-domain-policies' => 'none',
/*
* X-Power-By
*
* Note: it will not add to response header if the value is empty string.
*/
'x-power-by' => '',
/*
* X-XSS-Protection
*
* Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
*
* Available Value: '1', '0', '1; mode=block'
*/
'x-xss-protection' => '1; mode=block',
/*
* Referrer-Policy
*
* Reference: https://w3c.github.io/webappsec-referrer-policy
*
* Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
* 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
*/
'referrer-policy' => 'no-referrer',
/*
* Clear-Site-Data
*
* Reference: https://w3c.github.io/webappsec-clear-site-data/
*/
'clear-site-data' => [
'enable' => false,
'all' => false,
'cache' => true,
'cookies' => true,
'storage' => true,
'executionContexts' => true,
],
/*
* HTTP Strict Transport Security
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
*
* Please ensure your website had set up ssl/tls before enable hsts.
*/
'hsts' => [
'enable' => true,
'max-age' => 15552000,
'include-sub-domains' => true,
'preload' => false,
],
/*
* Expect-CT
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
*/
'expect-ct' => [
'enable' => false,
'max-age' => 2147483648,
'enforce' => false,
'report-uri' => null,
],
/*
* Public Key Pinning
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
*
* hpkp will be ignored if hashes is empty.
*/
'hpkp' => [
'hashes' => [
// 'sha256-hash-value',
],
'include-sub-domains' => false,
'max-age' => 15552000,
'report-only' => false,
'report-uri' => null,
],
/*
* Feature Policy
*
* Reference: https://wicg.github.io/feature-policy/
*/
'feature-policy' => [
'enable' => true,
/*
* Each directive details can be found on:
*
* https://github.com/WICG/feature-policy/blob/master/features.md
*
* 'none', '*' and 'self allow' are mutually exclusive,
* the priority is 'none' > '*' > 'self allow'.
*/
'accelerometer' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'ambient-light-sensor' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'autoplay' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'camera' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'display-capture' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'document-domain' => [
'none' => false,
'*' => true,
'self' => false,
'src' => false,
'allow' => [
// 'url',
],
],
'encrypted-media' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'fullscreen' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'geolocation' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'gyroscope' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'magnetometer' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'microphone' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'midi' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'payment' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'picture-in-picture' => [
'none' => false,
'*' => true,
'self' => false,
'src' => false,
'allow' => [
// 'url',
],
],
'speaker' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'sync-xhr' => [
'none' => false,
'*' => true,
'self' => false,
'src' => false,
'allow' => [
// 'url',
],
],
'usb' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'vr' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
],
/*
* Content Security Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
*
* csp will be ignored if custom-csp is not null. To disable csp, set custom-csp to empty string.
*
* Note: custom-csp does not support report-only.
*/
'custom-csp' => null,
'csp' => [
'report-only' => false,
'report-uri' => null,
'block-all-mixed-content' => false,
'upgrade-insecure-requests' => true,
/*
* Please references script-src directive for available values, only `script-src` and `style-src`
* supports `add-generated-nonce`.
*
* Note: when directive value is empty, it will use `none` for that directive.
*/
'script-src' => [
'allow' => [
'https://www.google.com/recaptcha/api.js',
'https://cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js',
'https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/jquery.validate.js',
'https://maps.googleapis.com/maps-api-v3/api/js/39/10/common.js',
'https://maps.googleapis.com/maps-api-v3/api/js/39/10/util.js',
'https://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.0/TweenMax.min.js',
'https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/additional-methods.js',
'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/ScrollMagic.min.js',
'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.min.js',
'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/debug.addIndicators.min.js',
'https://connect.facebook.net/en_US/fbevents.js',
],
'hashes' => [
// 'sha256' => [
// 'hash-value',
// ],
],
'nonces' => [
// 'base64-encoded',
],
'schemes' => [
'https:',
],
'self' => true,
'unsafe-inline' => true,
'unsafe-eval' => true,
'strict-dynamic' => false,
'unsafe-hashed-attributes' => false,
// https://www.chromestatus.com/feature/5792234276388864
// 'report-sample' => true,
'add-generated-nonce' => true,
],
'style-src' => [
'allow' => [
'https://fonts.googleapis.com/',
'https://fonts.googleapis.com/css?family=Biryani:200,300,400,500,600,700',
'https://cdnjs.cloudflare.com/ajax/libs/bootstrap-datetimepicker/4.15.35/css/bootstrap-datetimepicker.min.css',
],
'hashes' => [
// 'sha256' => [
// 'hash-value',
// ],
],
'nonces' => [
//
],
'schemes' => [
// 'https:',
],
'self' => true,
'unsafe-inline' => true,
// https://www.chromestatus.com/feature/5792234276388864
// 'report-sample' => true,
'add-generated-nonce' => false,
],
'img-src' => [
'allow' => [
//
],
'schemes' => [
'data:',
'https:',
],
'self' => true,
'data' => true,
],
'default-src' => [
'none',
],
'base-uri' => [
//
],
'connect-src' => [
'allow' => [
'https://' . parse_url(env('APP_URL'), PHP_URL_HOST) . ':8443/socket.io/',
'wss://' . parse_url(env('APP_URL'), PHP_URL_HOST) . ':8443/socket.io/',
],
'self' => true,
],
'font-src' => [
'schemes' => [
'data:',
'https:',
],
'self' => true,
'data' => true,
],
'form-action' => [
'self' => true,
],
'frame-ancestors' => [
//
],
'frame-src' => [
'schemes' => [
'https:',
],
'self' => true,
],
'media-src' => [
'allow' => [
//
],
'self' => true,
],
'object-src' => [
//
],
'worker-src' => [
//
],
'plugin-types' => [
// 'application/x-shockwave-flash',
],
'require-sri-for' => '',
'sandbox' => '',
],
];
Problem with middleware SecureHeadersMiddleware.php
Sometimes I have the next error in log file
Trying to get property of non-object in /public_html/vendor/bepsvpt/secure-headers/src/SecureHeadersMiddleware.php:26
I think variable $response has not property headers and it born an exception
Support SharedArrayBuffer updates in Chrome around May 2021
Got a warning in Chrome:
"[Deprecation] SharedArrayBuffer will require cross-origin isolation as of M91, around May 2021. See https://developer.chrome.com/blog/enabling-shared-array-buffer/ for more details."
Not found in the package any mentions of the headers that they are talking about:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
securityheaders.com still show Big red F
Hello All,
1.I have configured as per laravel project and security headers comes in first request of website but all other request like loading js and css that does not have configred security headers.
2.Also securityheaders.com still show Big red F for my website (https://workversatile.com)
Can anyone help me ?
Support for blob:
Hi,
Is there support for blob: with this package? I am currently using it and I am getting the following error:
Refused to load media from 'blob:https://xxxxxxxx.ngrok.io/31d4ff8f-d69e-48ec-b504-ac8c3cab5909' because it violates the following Content Security Policy directive: "media-src http://*.ngrok.io data:".
Is there way I can have this fixed?
Thanks
When handling a StreamedResponse, it fails on the missing method header()
This happens when streaming a file to the browser, for example. The header() method is not available on that request type.
Call to undefined method Symfony\Component\HttpFoundation\StreamedResponse::header()
X-Powered-By Attack
Hackers can exploit known vulnerabilities in Express and Node if they know you’re using it. Express (and other web technologies like PHP) set an X-Powered-By header with every request, indicating what technology powers the server. PHP , for example, sets this, which is a dead giveaway that your server is powered by PHP.
Is it possible to add a option in this package config to enable/disable adding this header?
header_remove("X-Powered-By");
The right way to config
Hi
I'm new in Laravel and I have some questions about your package.
I added
\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,
to $middlewarePriority in Kernel.php
Is that right?
And what should I write in secure-headers.php?
And how can I be sure that I configured it in the right way?
I'm using Laravel 5.8.
Thanks in advanced.
Working with default settings.
Hey guys,
I have a isue with the secure hearders. I installed it true composer, no problems there. But now it's so secure, i can't even see my bootstrap layout. Should it work on default or i'am missing something? Thanks in advance.
Eliminate Laravel dependency for non-Laravel users
Kudos on a lightweight and well-organized package for handling all the security headers! This is just what I was looking for.
However this package has only one downside: installing it will install illuminate/support into my project, but I don't need that since I'm not running Laravel.
Could the following be moved to a separate package:
- src/SecureHeadersMiddleware.php
- src/SecureHeadersServiceProvider.php
- tests/SecureHeadersTest.php
- illuminate/support dependency
- Laravel-specific documentation
This change would make this package more attractive to non-Laravel users and lower maintenance since no dependencies means no dependencies to update down the road.
If that isn't an option or desirable, moving illuminate/support from require to suggest would help.
img issues
Hello and thanks for the great package. Maybe I'm doing this wrong but imgs I have whitelisted are not showing up.
[Error] Refused to load http://7.t.imgbox.com/nzEqZ9bY.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://5.t.imgbox.com/fqffnT8Y.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://7.t.imgbox.com/nzEqZ9bY.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://5.t.imgbox.com/fqffnT8Y.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://6.t.imgbox.com/ecBXXVws.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://9.t.imgbox.com/pdHrSRyL.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://0.t.imgbox.com/uxFAAuEd.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://6.t.imgbox.com/4ZFjwTBc.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://3.t.imgbox.com/e0a7Dyf8.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://2.t.imgbox.com/43n4c49A.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://assets.fanart.tv/fanart/movies/269149/moviebackground/zootopia-56b0a4adcd559.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://assets.fanart.tv/fanart/movies/269149/movieposter/zootopia-573f3f2c6d6ee.jpg because it does not appear in the img-src directive of the Content Security Policy.
This is my CSP config
secure-headers.php
<?php
return [
/*
* X-Content-Type-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
*
* Available Value: 'nosniff'
*/
'x-content-type-options' => 'nosniff',
/*
* X-Download-Options
*
* Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
*
* Available Value: 'noopen'
*/
'x-download-options' => 'noopen',
/*
* X-Frame-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
*
* Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
*/
'x-frame-options' => 'sameorigin',
/*
* X-Permitted-Cross-Domain-Policies
*
* Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
*
* Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
*/
'x-permitted-cross-domain-policies' => 'none',
/*
* X-XSS-Protection
*
* Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
*
* Available Value: '1', '0', '1; mode=block'
*/
'x-xss-protection' => '1; mode=block',
/*
* Referrer-Policy
*
* Reference: https://w3c.github.io/webappsec-referrer-policy
*
* Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
* 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
*/
'referrer-policy' => 'strict-origin-when-cross-origin',
/*
* HTTP Strict Transport Security
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
*
* Please ensure your website had set up ssl/tls before enable hsts.
*/
'hsts' => [
'enable' => true,
'max-age' => 15552000,
'include-sub-domains' => false,
],
/*
* Public Key Pinning
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
*
* hpkp will be ignored if hashes is empty.
*/
'hpkp' => [
'hashes' => [
// [
// 'algo' => 'sha256',
// 'hash' => 'hash-value',
// ],
],
'include-sub-domains' => false,
'max-age' => 15552000,
'report-only' => false,
'report-uri' => null,
],
/*
* Content Security Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
*
* csp will be ignored if custom-csp is not null. To disable csp, set custom-csp to empty string.
*
* Note: custom-csp does not support report-only.
*/
'custom-csp' => null,
'csp' => [
'report-only' => false,
'report-uri' => null,
'upgrade-insecure-requests' => false,
'base-uri' => [
//
],
'default-src' => [
'self' => true,
],
'child-src' => [
//
],
'script-src' => [
'allow' => [
'cdnjs.cloudflare.com',
'cdn.bootcss.com',
'cdn.datatables.net',
'ajax.googleapis.com',
'maxcdn.bootstrapcdn.com',
],
'hashes' => [
// ['sha256' => 'hash-value'],
],
'nonces' => [
//
],
'self' => true,
'unsafe-inline' => true,
'unsafe-eval' => false,
],
'style-src' => [
'allow' => [
'cdn.bootcss.com',
'fonts.googleapis.com',
'cdn.rawgit.com',
'maxcdn.bootstrapcdn.com',
'cdnjs.cloudflare.com',
'ajax.googleapis.com',
],
'self' => true,
'unsafe-inline' => true,
],
'img-src' => [
'allow' => [
'*.imgur.com',
'*.imgbox.com',
'assets.fanart.tv',
],
'types' => [
'gif',
'png',
],
'self' => true,
'data' => true,
],
/*
* The following directives are all use 'allow' and 'self' flag.
*
* Note: default value of 'self' flag is false.
*/
'font-src' => [
'allow' => [
'fonts.googleapis.com',
'fonts.gstatic.com',
'cdn.rawgit.com',
'maxcdn.bootstrapcdn.com',
],
'self' => true,
],
'connect-src' => [
'allow' => [
'www.omdbapi.com',
],
'self' => true,
],
'form-action' => [
'self' => true,
],
'frame-ancestors' => [
'self' => true,
],
'media-src' => [
'self' => true,
],
'object-src' => [
'self' => true,
],
/*
* plugin-types only support 'allow'.
*/
'plugin-types' => [
//
],
],
];
Consider reverting JSON config to PHP
Thanks for making this awesome open source library!
I'm in the process of upgrading an app to Laravel 5.3 and version 2.0.0 of laravel-security-header. We've run into issues because we were using conditional logic (based on APP_ENV) to generate distinct CSP directives and enable different features for development vs. production environments. Now that the config is in a JSON file, it's become much more difficult to conditionally define rulesets as we were previously. I believe Laravel packages traditionally use PHP config files for this reason. Would you consider reverting to a PHP config?
CSP missing after latest release
Not sure if something changed under the hood for this, but the CSP on a site of mine is no longer recognized, even though I've still got the CSP set to an empty string. Any idea on that?
Just running the sites through https://securityheaders.com/ to verify this.
Image data: Question
Im getting a lot of the following.
My Config is so:
'img-src' => [
'schemes' => [
'data:',
'https:',
],
'self' => true,
'data' => true,
],
How can I allow all these?
Get Error parsing header in Chrome Console
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.