bepsvpt / secure-headers
PHP Secure Headers
License: MIT License
Love the package, great work on it.
Could you look into adding support for the new security header: Feature Policy?
Details on what it entails can be found here.
I think that the header is X-Powered-By instead of X-Power-By.
When I add the global middleware \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class in my app/http/kernel.php, whenever a validation fails in a form it redirects back to the '/' route instead of back to the form with errors, or whenever I call the redirect()->back() method it redirects to the default route '/'.
This only happens with the global middleware set.
Hey 👋 I'm getting the following error on Chrome. Is display-capture a valid policy?
Error with Feature-Policy header: Unrecognized feature: 'display-capture'.
My secure-headers.php has the following rules for img-src:
'img-src' => [
'allow' => [
env('APP_URL') . '/',
],
'types' => [
//
],
'self' => true,
'data' => true,
],
However when I try to upload an image via a form as soon as the image is dropped on to the input I get the following error:
Refused to load the image 'data:image/jpeg;base64,/9j/4aI5RXhpZgAASUkqAA....//Z' because it violates the following Content Security Policy directive: "img-src 'self' http://localhost:3000/".
It appears that 'data' => true is being ignored.
In Laravel config/secure-headers.php
/*
* X-Powered-By
*
* Note: it will not add to response header if the value is empty string.
*/
'x-powered-by' => '',
But in the header it shows
If I change the value:
'x-powered-by' => config('app.name'),
Header shows:
And if I change the config to
'x-powered-by' => [
'enable' => false,
],
Now it shows:
I just want to hide/remove it completely, or just show one line with the value set in the config file. Could you please let me know how to do that?
Getting error loading data:image.
FileList {0: File(805286), length: 1}
edit:1 Refused to load the image 'data:image/jpeg;base64,/9j/4T+DRXhpZk=' because it violates the following Content Security Policy directive: "img-src 'self' http://ajax.googleapis.com http://cdnjs.cloudflare.com http://*.tawk.to http://code.jquery.com".
'img-src' => [
'allow' => [
$protocol . 'ajax.googleapis.com',
$protocol . 'cdnjs.cloudflare.com',
$protocol . '*.tawk.to',
$protocol . 'code.jquery.com',
],
'self' => true,
'data' => true,
],
What am I doing wrong?
Thanks
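The two reports above both show the browser refusing a data: image, and in both cases the console error prints the source list the browser actually evaluated: 'self' plus a handful of host sources, and no `data:` scheme source. Under CSP that refusal is correct whatever the config file intended, because neither 'self' nor a host source can ever match a data: URL. The script below is an added example, not part of this issue thread and not the package's code: it is a small Python model of CSP source-list matching run over the source list quoted in the second error, a constructed data: URL, and an assumed page origin of http://localhost:8000. It shows why the data: image is refused, that the `*.tawk.to` wildcard and an explicit port behave as the spec says, and that the fix is for the emitted header to contain `data:`.

```python
from urllib.parse import urlsplit

# Default ports, used to decide whether a URL carries an explicit non-default port.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Split a serialized Content-Security-Policy into {directive: [source expressions]}."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    """(scheme, host, port) triple used for 'self' comparisons."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def _host_source_allows(source, url):
    """Host-source matching: optional scheme, optional *. wildcard, optional port, optional path."""
    src = urlsplit(source if "://" in source else "//" + source)
    tgt = urlsplit(url)
    t_scheme = tgt.scheme.lower()
    if src.scheme:
        s_scheme = src.scheme.lower()
        # an http: host source also matches the https: form of the same host
        if s_scheme != t_scheme and not (s_scheme == "http" and t_scheme == "https"):
            return False
    elif t_scheme not in DEFAULT_PORTS:
        return False  # a bare host never matches data:, blob: or other non-network schemes
    netloc = src.netloc.lower()
    if ":" in netloc:
        s_host, s_port = netloc.rsplit(":", 1)
    else:
        s_host, s_port = netloc, None
    t_host = (tgt.hostname or "").lower()
    if s_host.startswith("*."):
        if not t_host.endswith(s_host[1:]):  # "*.tawk.to" matches "widget.tawk.to", not "tawk.to"
            return False
    elif s_host != t_host:
        return False
    t_port = tgt.port or DEFAULT_PORTS.get(t_scheme)
    if s_port is None:
        if t_port != DEFAULT_PORTS.get(t_scheme):  # no port in the source: URL must use the default
            return False
    elif s_port != "*" and int(s_port) != t_port:
        return False
    t_path = tgt.path or "/"
    if src.path:  # a path ending in "/" is a prefix, anything else must match exactly
        if src.path.endswith("/"):
            if not t_path.startswith(src.path):
                return False
        elif t_path != src.path:
            return False
    return True


def source_allows(source, url, page_origin):
    """Does one source expression match a fetched URL? Keyword, scheme and host sources handled."""
    s = source.lower()
    t_scheme = urlsplit(url).scheme.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return _origin(url) == _origin(page_origin)
    if s == "*":
        return t_scheme in DEFAULT_PORTS  # '*' never matches data:, blob: or filesystem: URLs
    if s.startswith("'"):
        return False  # 'unsafe-inline', 'nonce-...', 'sha256-...' say nothing about URLs
    if s.endswith(":") and "/" not in s:  # scheme source such as data: or https:
        return t_scheme == s[:-1] or (s == "http:" and t_scheme == "https")
    return _host_source_allows(source, url)


def directive_allows(header, directive, url, page_origin):
    """Fetch directives fall back to default-src; with neither present the load is unrestricted."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


# Constructed sample: the source list from the console error above, a data: image like the one
# refused, and an assumed page origin (the issue does not state it).
PAGE_ORIGIN = "http://localhost:8000"
ISSUE_IMG_SRC = ("img-src 'self' http://ajax.googleapis.com http://cdnjs.cloudflare.com "
                 "http://*.tawk.to http://code.jquery.com")
DATA_IMAGE = "data:image/jpeg;base64,/9j/4T+DRXhpZk="


def explain(header, directive, url, page_origin=PAGE_ORIGIN):
    verdict = "allowed" if directive_allows(header, directive, url, page_origin) else "REFUSED"
    return f"{directive} {verdict}: {url[:48]}"


if __name__ == "__main__":
    print(explain(ISSUE_IMG_SRC, "img-src", DATA_IMAGE))             # REFUSED: no data: source
    print(explain(ISSUE_IMG_SRC + " data:", "img-src", DATA_IMAGE))  # allowed once data: is emitted
    print(explain(ISSUE_IMG_SRC, "img-src", "http://widget.tawk.to/logo.png"))        # wildcard
    print(explain(ISSUE_IMG_SRC, "img-src", "http://cdnjs.cloudflare.com:8080/a.png"))  # port
```

The practical check, when a `'data' => true` setting seems ignored, is to read the directive out of the live response header (the browser error quotes it verbatim) and look for the literal `data:` token: the browser only evaluates what was sent, so if the token is absent the config was not applied to the emitted header and the fix belongs there, not in the browser.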
Since I added this package's middleware to my kernel.php, my website returns error 500, and even with debug mode set to true in the .env file it does not show what the error is. But if I comment out the middleware my site runs as usual without issue.
Config file
<?php
$protocol = 'https://';
if (! isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') {
$protocol = 'http://';
}
return [
/*
* Server
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
*
* Note: when server is empty string, it will not add to response header
*/
'server' => '',
/*
* X-Content-Type-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
*
* Available Value: 'nosniff'
*/
'x-content-type-options' => 'nosniff',
/*
* X-Download-Options
*
* Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
*
* Available Value: 'noopen'
*/
'x-download-options' => 'noopen',
/*
* X-Frame-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
*
* Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
*/
'x-frame-options' => 'sameorigin',
/*
* X-Permitted-Cross-Domain-Policies
*
* Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
*
* Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
*/
'x-permitted-cross-domain-policies' => 'none',
/*
* X-Powered-By
*
* Note: it will not add to response header if the value is empty string.
*/
'x-powered-by' => '',
/*
* X-XSS-Protection
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
*
* Available Value: '1', '0', '1; mode=block'
*/
'x-xss-protection' => '1; mode=block',
/*
* Referrer-Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
*
* Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
* 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
*/
'referrer-policy' => 'no-referrer',
/*
* Clear-Site-Data
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
*/
'clear-site-data' => [
'enable' => false,
'all' => false,
'cache' => true,
'cookies' => true,
'storage' => true,
'executionContexts' => true,
],
/*
* HTTP Strict Transport Security
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
*
* Please ensure your website has set up ssl/tls before enabling hsts.
*/
'hsts' => [
'enable' => true,
'max-age' => 31536000,
'include-sub-domains' => true,
'preload' => false,
],
/*
* Expect-CT
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
*/
'expect-ct' => [
'enable' => false,
'max-age' => 2147483648,
'enforce' => false,
// report uri must be absolute-URI
'report-uri' => null,
],
/*
* Permissions Policy
*
* Reference: https://w3c.github.io/webappsec-permissions-policy/
*/
'permissions-policy' => [
'enable' => true,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/accelerometer
'accelerometer' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/ambient-light-sensor
'ambient-light-sensor' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/autoplay
'autoplay' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/battery
'battery' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/camera
'camera' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://www.chromestatus.com/feature/5690888397258752
// 'cross-origin-isolated' => [
// 'none' => false,
// '*' => false,
// 'self' => true,
// 'origins' => [],
// ],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/display-capture
'display-capture' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/document-domain
'document-domain' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/encrypted-media
'encrypted-media' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://wicg.github.io/page-lifecycle/#execution-while-not-rendered
'execution-while-not-rendered' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://wicg.github.io/page-lifecycle/#execution-while-out-of-viewport
'execution-while-out-of-viewport' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/fullscreen
'fullscreen' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/geolocation
'geolocation' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/gyroscope
'gyroscope' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/magnetometer
'magnetometer' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/microphone
'microphone' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/midi
'midi' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://drafts.csswg.org/css-nav-1/
'navigation-override' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/payment
'payment' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/picture-in-picture
'picture-in-picture' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/publickey-credentials-get
'publickey-credentials-get' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/screen-wake-lock
'screen-wake-lock' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/sync-xhr
'sync-xhr' => [
'none' => false,
'*' => true,
'self' => false,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/usb
'usb' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/web-share
'web-share' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking
'xr-spatial-tracking' => [
'none' => false,
'*' => false,
'self' => true,
'origins' => [],
],
],
/*
* Content Security Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
*/
'csp' => [
'enable' => true,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
'report-only' => false,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
'report-to' => '',
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri
'report-uri' => [
// uri
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
'block-all-mixed-content' => false,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
'upgrade-insecure-requests' => false,
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
'base-uri' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
'child-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
'connect-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
'default-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src
'font-src' => [
'allow' => [
$protocol.'fonts.gstatic.com',
],
'self' => true,
'data' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action
'form-action' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
'frame-ancestors' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
'frame-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
'img-src' => [
'allow' => [
$protocol.'www.google-analytics.com',
],
'self' => true,
'data' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src
'manifest-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
'media-src' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to
'navigate-to' => [
'unsafe-allow-redirects' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
'object-src' => [
'allow' => [],
'self' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/plugin-types
'plugin-types' => [
// 'application/pdf',
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src
'prefetch-src' => [
//
],
// https://w3c.github.io/webappsec-trusted-types/dist/spec/#integration-with-content-security-policy
'require-trusted-types-for' => [
'script' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
'sandbox' => [
'enable' => false,
'allow-downloads-without-user-activation' => false,
'allow-forms' => false,
'allow-modals' => false,
'allow-orientation-lock' => false,
'allow-pointer-lock' => false,
'allow-popups' => false,
'allow-popups-to-escape-sandbox' => false,
'allow-presentation' => false,
'allow-same-origin' => false,
'allow-scripts' => false,
'allow-storage-access-by-user-activation' => false,
'allow-top-navigation' => false,
'allow-top-navigation-by-user-activation' => false,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
'script-src' => [
'none' => false,
'self' => true,
'report-sample' => false,
'allow' => [
// 'url',
$protocol.'ajax.googleapis.com',
$protocol.'code.jquery.com',
$protocol.'www.googletagmanager.com',
$protocol.'www.google-analytics.com',
],
'schemes' => [
// 'data:',
// 'https:',
],
/* the following only work for `script` and `style` related directives */
'unsafe-inline' => true,
'unsafe-eval' => true,
// https://www.w3.org/TR/CSP3/#unsafe-hashes-usage
'unsafe-hashes' => false,
// Enable `strict-dynamic` will *ignore* `self`, `unsafe-inline`,
// `allow` and `schemes`. You can find more information from:
// https://www.w3.org/TR/CSP3/#strict-dynamic-usage
'strict-dynamic' => false,
'hashes' => [
'sha256' => [
// 'sha256-hash-value-with-base64-encode',
],
'sha384' => [
// 'sha384-hash-value-with-base64-encode',
],
'sha512' => [
// 'sha512-hash-value-with-base64-encode',
],
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr
'script-src-attr' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem
'script-src-elem' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
'style-src' => [
'allow' => [
$protocol.'fonts.googleapis.com',
],
'self' => true,
'unsafe-inline' => true,
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr
'style-src-attr' => [
//
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem
'style-src-elem' => [
//
],
// https://w3c.github.io/webappsec-trusted-types/dist/spec/#trusted-types-csp-directive
'trusted-types' => [
'enable' => false,
'allow-duplicates' => false,
'default' => false,
'policies' => [
//
],
],
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src
'worker-src' => [
//
],
],
];
Any idea why?
Hi
Can you add a CSP Report-To option?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to
Great package... in fact, too good.
I have an Outlook Addin that's served from my Laravel web app. It's a single page, but it requires users to be logged in, otherwise I'd host it outside of Laravel.
As soon as CSP is enabled, the Outlook Addin stops working and finding the cause is proving to be a nightmare.
Would it be possible to add a route whitelist so secure headers can be disabled for specific routes?
Hi @bepsvpt, I have another problem: how can I add a "nonce" key and add it to script and style tags?
I want to fix Content Security Policy on my Laravel App.
Hi,
Can you please tag this and https://github.com/BePsvPT/csp-builder after my PRs merge?
Also increase the composer.json line that refers to csp-builder.
I do not know why, but it looks like default-src is not adding the values in the "allow" position to the 'self' value; I will try to give you more info after solving the prefetch problem we are having.
Thanks!
Laravel: when the form submits, it goes to the request file app/Http/Requests/... but returns back to an unknown location.
When running unit tests nonces will be automatically created if applicable. However, the nonces are not cleared between tests. If you have many unit tests this will impact testing performance and resources.
Add the following test (that will fail deliberately) to your application that contains many tests:
public function test_security_headers_just_fail()
{
$headers = $this->get(route('/'))->headers;
$this->assertStringContainsString("justfail", $headers->get('content-security-policy'));
}
You will see something similar to:
PHPUnit 8.5.1 by Sebastian Bergmann and contributors.
............................................................... 63 / 611 ( 10%)
............................................................... 126 / 611 ( 20%)
............................................................... 189 / 611 ( 30%)
............................................................... 252 / 611 ( 41%)
...........F................................................... 315 / 611 ( 51%)
............................................................... 378 / 611 ( 61%)
............................................................... 441 / 611 ( 72%)
............................................................... 504 / 611 ( 82%)
............................................................... 567 / 611 ( 92%)
........................I................... 611 / 611 (100%)
Time: 14.39 minutes, Memory: 184.50 MB
There was 1 failure:
1) Tests\Feature\SecurityHeadersTest::test_security_headers_just_fail
Failed asserting that 'base-uri 'self'; object-src 'none'; script-src 'unsafe-inline' 'nonce-NzY1Mjc5M2EwZGNkNzdlYQ==' 'nonce-ZDc4ODcxYTc0MDIyM2I5Nw==' 'nonce-ZTlmZmE4NjA0MWNjNTMwNw==' 'nonce-ZjRkNGFkNGQ5OTk0NjQ0Yw==' 'nonce-NDE2ZDAyYjcwN2ZiMjE5Yg==' 'nonce-MGQzYmRjNzM2NTUxMDQyMg==' 'nonce-ZTllYWU1NTZkN2U5MTE4Mw==' 'nonce-ZWIzNWExMjc5ZDE0NTAzYQ==' 'nonce-MDU3YzA5ZTU0NDJlODI4MQ==' 'nonce-NzMwOGY1MzllNjVkNTA1Mw==' 'nonce-ZTRiYTQyMTEwMmQwNjUxZQ==' 'nonce-YmE0Nzk5MzA2ZTllZTg3NA==' 'nonce-ZGJlNzQ2YTRjMGFlZTM4NQ==' 'nonce-M2I5NDQ4MTU5NTExNDgwMg==' 'nonce-MDA1YzJlNzc4ZDYxMWYxYg==' 'nonce-OTM2ZGVlNTQ4ZGQ5OTk1OQ==' 'nonce-MTEyZjRkMGYxOTFmNzI0ZQ==' 'nonce-ZTFiMmQ5NWI3Mzc1YjU3Yg==' 'nonce-OGZhZTI1MDFiNDAxMDJhMQ==' 'nonce-ZGM0ZTNhMWI2MDU4MTViYw==' 'nonce-MjRjMThlNTNkYzBhMTE1Yw==' 'nonce-ODE0MjMxMDU1YTVkMTlkZg==' 'nonce-NTQ3YjRkMTU5ZDM0OTJiYQ==' 'nonce-ZjE2ZWUyYTNmMjkyY2NlNA==' 'nonce-ZjY3MzhiZGQxODQxODY1Mg==' 'nonce-YWUzZWUxY2NhMmIyNzA4Nw==' 'nonce-MjY0MDAxMzM0ODUyYzJjMw==' 'nonce-NTQzM2MxOWYxMTIzMDJlZQ==' 'nonce-Yjg3MTY1Mzg3NWEwZGVjYg==' 'nonce-YjE5ZmUxZTAyZDA3NTU3YQ==' 'nonce-MTVhMjVkODc3MDQ4YTZiOA==' 'nonce-ZWUxZmY5YTJhM2RmNWNiYw==' 'nonce-MjE3ODYxZDE3NWEzMTdiMA==' 'nonce-Mjc1OGQ1NDExMTJmMzc5ZQ==' 'nonce-OWNjNzM1Zjk4YWNlMDU5ZQ==' 'nonce-N2NlZmFjZDNmMTUxNDVhNw==' 'nonce-N2FhMzgxNTExYmViNDhiNQ==' 'nonce-ZTljYTE5NjY5Y2Q4YWFkZg==' 'nonce-M2UxNDY5M2Y0NzcxZjE5Mg==' 'nonce-OTUyZDY2OGZkYjkxMGRjYQ==' 'nonce-MDIwYmRiY2YzYjA3OTZhMA==' 'nonce-ZTNhOTRkYzFiMTk4YzVlZg==' 'nonce-MDE3MzM1Zjc0OThmMDc4ZQ==' 'nonce-ZGE5YTY3NGNkOTQ3ZWNkYg==' 'nonce-MzNiZjBjYmU2Zjk5ODhkZQ==' 'nonce-N2IxYmRkOTlhYTBkODI0OA==' 'nonce-ODY2MTQ1NTBkZGNjNzljMQ=='
<...SNIP MANY MANY MORE NONCES HERE...>
/builds/example/example_app/tests/Feature/SecurityHeadersTest.php:16
FAILURES!
Tests: 611, Assertions: 3072, Failures: 1, Incomplete: 1.
You already support the report-to attribute at CSP. However, this attribute accepts a key from the Report-To header, as shown in the examples on this site: developer.mozilla.org.
What do you think about adding the possibility to set the Report-To standalone header as well? It can report more issues with your site, see https://docs.report-uri.com/setup/reporting-api/.
And maybe add the NEL header too? This is not really a security header but it can help with debugging bad HTTPS certificates etc.: https://report-uri.com/products/network_error_logging
What do you think about those headers? At least the Report-To header could be useful; otherwise, the report-to attribute at CSP is useless.
FatalThrowableError in SecureHeadersMiddleware.php line 26:
Call to undefined method Symfony\Component\HttpFoundation\BinaryFileResponse::header()
when I use this function:
/**
* Download the torrent
*
* @access public
* @param string $slug Torrent slug
* @param int $id Torrent id
* @return file
*/
public function download($slug, $id)
{
// Find the torrent in the database
$torrent = Torrent::find($id);
if (Auth::check()) {
// Current user is the logged in user
$user = Auth::user();
// User's ratio is too low
if ($user->getRatio() < config('other.ratio') && config('other.freeleech') == false) {
return Redirect::route('torrent', ['slug' => $torrent->slug, 'id' => $torrent->id])->with(Toastr::warning('Your Ratio Is To Low To Download!!!', 'Error!', ['options']));
}
} else {
$user = null;
}
// Define the filename for the download
$tmpFileName = $torrent->slug . '.torrent';
// The torrent file exist ?
if (!file_exists(getcwd() . '/files/torrents/' . $torrent->file_name)) {
return Redirect::route('torrent', ['slug' => $torrent->slug, 'id' => $torrent->id])
->with(Toastr::warning('Torrent File Not Found! Please Report This Torrent!', 'Error!', ['options']));
} else {
// Delete the last torrent tmp file
if (file_exists(getcwd() . '/files/tmp/' . $tmpFileName)) {
unlink(getcwd() . '/files/tmp/' . $tmpFileName);
}
}
// Get the content of the torrent
$dict = Bencode::bdecode(file_get_contents(getcwd() . '/files/torrents/' . $torrent->file_name));
// Freeleech ?
if (config('other.freeleech') == true) {
// Set the announce key only
$dict['announce'] = route('announce');
} else {
if (Auth::check()) {
// Set the announce key and add the user passkey
$dict['announce'] = route('announce', ['passkey' => $user->passkey]);
// Remove Other announce url
unset($dict['announce-list']);
} else {
return redirect('/login');
}
}
$fileToDownload = Bencode::bencode($dict);
file_put_contents(getcwd() . '/files/tmp/' . $tmpFileName, $fileToDownload);
return Response::download(getcwd() . '/files/tmp/' . $tmpFileName);
}
Hi, I've been trying to set up 'script-src' in the 'secure-headers.php' file, but I don't get any response when setting up these options.
Can you help me with any information?
Thanks.
Hi,
I need to set the frame-ancestors directive to multiple URIs. But only this seems to work.
'frame-ancestors' => [ 'self' => true, ],
I tried to add it like:
'frame-ancestors' => [ 'URI1' => true, 'URI2' => true, ],
doesn't work.
Also tried some other ways.
How can I add multiple URIs other than just specifying self?
The CSP level 3 Editors' Draft specifies that child-src is now deprecated. Generally these "editors' drafts" are what browsers implement from. The following changes are important:
I will research what changes are necessary and create a pull request shortly
Hi there -- I am investigating the use of secure-headers on our site but have hit a problem with regard to enabling CSP.
We see the following:
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: 'nonce-NmY3M2YwOTQ5MmQyOTEyMg==' 'nonce-MzQ5Y2RmNzhhMDdkNTRmMw==' 'nonce-MzBlMzg0YmZhN2MzNjk5Ng==' fonts.gstatic.com ajax.googleapis.com code.jquery.com googletagmanager.com google-analytics.com s3.eu-west-2.amazonaws.com cdnjs.cloudflare.com ajax.googleapis.com maxcdn.bootstrapcdn.com unpkg.com google.com cdn.jsdelivr.net gitcdn.github.io checkout.stripe.com fonts.googleapis.com code.ionicframework.com data:". Note that 'unsafe-inline' is ignored if either a hash or nonce value is present in the source list.
which points to our self-hosted jquery.min.js file.
We do not face any other issues and CSP works fine for other script and styles.
Would appreciate any help or pointers.
Thanks
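The console error quoted above already contains the answer in its last sentence: once a source list carries a nonce or a hash, the browser drops 'unsafe-inline' from that list, so an inline style that does not carry one of the listed nonces is refused even though 'unsafe-inline' is present. The same rule makes the nonce accumulation reported in the PHPUnit issue above more than a performance problem: every stale nonce still in the header is a token that would authorise an inline block. The script below is an added example, not part of this thread and not the package's code; it is a Python model of the CSP3 inline-source rules, with a constructed style-src list modelled on the quoted error and a constructed script-src carrying fifty accumulated nonces. It shows the 'unsafe-inline' fallback being ignored, a matching nonce or hash being honoured, how to build the hash source for a static inline block, and a nonce count that a test suite can assert is at most one per response.

```python
import base64
import hashlib
import re


def parse_csp(header):
    """Split a serialized CSP into {directive: [source expressions]}."""
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hash_source(content, algo="sha256"):
    """Build the 'sha256-…' source expression that allow-lists one exact inline block."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def inline_allowed(header, directive, nonce=None, content=None):
    """Would the browser run or apply an inline script/style under this directive?"""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # directive absent and no default-src: nothing restricts inline content
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-") and s.endswith("'")}
    hashes = {s[1:-1] for s in sources if re.match(r"'sha(256|384|512)-", s)}
    if nonce is not None and nonce in nonces:
        return True
    if content is not None and any(hash_source(content, h.split("-", 1)[0]) == "'%s'" % h
                                   for h in hashes):
        return True
    # 'unsafe-inline' is honoured only when the list carries neither a nonce nor a hash (CSP3)
    keywords = {s.lower() for s in sources if s.startswith("'")}
    return "'unsafe-inline'" in keywords and not nonces and not hashes


def nonce_count(header, directive):
    """Number of nonce sources in a directive; a freshly built response should carry at most one."""
    return sum(1 for s in parse_csp(header).get(directive, []) if s.startswith("'nonce-"))


# Constructed samples: a style-src list modelled on the quoted error (three of its nonces kept),
# and a script-src list with fifty accumulated nonces like the PHPUnit failure shows.
ISSUE_STYLE_SRC = ("style-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: "
                   "'nonce-NmY3M2YwOTQ5MmQyOTEyMg==' 'nonce-MzQ5Y2RmNzhhMDdkNTRmMw==' "
                   "'nonce-MzBlMzg0YmZhN2MzNjk5Ng==' fonts.gstatic.com")
ACCUMULATED_SCRIPT_SRC = "script-src 'unsafe-inline' " + " ".join(
    "'nonce-%s'" % base64.b64encode(("test%d" % i).encode("ascii")).decode("ascii")
    for i in range(50))


if __name__ == "__main__":
    print("inline style, no nonce:", inline_allowed(ISSUE_STYLE_SRC, "style-src"))
    print("inline style, listed nonce:",
          inline_allowed(ISSUE_STYLE_SRC, "style-src", nonce="NmY3M2YwOTQ5MmQyOTEyMg=="))
    print("hash source for a static block:", hash_source("console.log('hi')"))
    print("nonces in style-src:", nonce_count(ISSUE_STYLE_SRC, "style-src"))
    print("nonces in accumulated script-src:", nonce_count(ACCUMULATED_SCRIPT_SRC, "script-src"))
```

Two defender-side consequences follow. For the inline style that a self-hosted script injects, the only CSP-clean options are to give that element the response's nonce or to hash the exact inline content; keeping 'unsafe-inline' next to nonces is inert, not a fallback. For the test-suite case, `nonce_count` run against each response is the assertion to add: a count above one means nonces are leaking across requests, and any of the stale values would still satisfy `inline_allowed`.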
Hi
I need to use logo URLs in my website's footer:
https://logo.samandehi.ir/logo.aspx?id=125527&p=nbpdodrfujynujynodrfyndt
https://trustseal.enamad.ir/logo.aspx?id=85695&p=6hcAP0z1rV586Pk9
They are not shown.
What am I doing wrong?
Thanks
Hi @bepsvpt, I think that the documentation is really nice, it is so clear.
I have a question about "feature policy": do you implement any config for that header, or is it not necessary?
Thanks a lot! :)
According to the following link, the Feature-Policy header is now renamed to the Permissions-Policy.
https://www.w3.org/TR/permissions-policy-1/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
Since yesterday (July 20 2020) I started to get errors in the Console in Chrome:
"Error with Feature-Policy header: Unrecognized feature: 'display-capture'."
Hi, I have been having problems with some notifications on Firefox (version 67.0.2) with script-src. I tried several "solutions" but none of them works for me. Could you help me with this please?
These are the messages I get:
And I guess this prevents my contact form in Laravel from doing the submission.
This is my current code on the secure-headers.php:
'script-src' => [
'allow' => [
$protocol.'code.jquery.com',
$protocol.'www.googletagmanager.com',
$protocol.'www.google-analytics.com',
$protocol.'www.google.com',
$protocol.'*.localhost',
],
'self' => true,
'unsafe-inline' => true,
'unsafe-eval' => true,
'data' => true,
'hashes' => [
// 'sha256' => [
// 'hash-value',
// ],
],
'nonces' => [
// 'base64-encoded',
],
'schemes' => [
'https:',
],
'self' => true,
'unsafe-inline' => true,
'unsafe-eval' => true,
'data' => true,
//'strict-dynamic' => false,
//'unsafe-hashed-attributes' => false,
// https://www.chromestatus.com/feature/5792234276388864
//'report-sample' => true,
'add-generated-nonce' => false,
],
By the way, I'm doing the tests on my localhost (http://www.localhost:8000/). I hope you can help me with this issue.
Thanks!
Hello.
How do I add a nonce to JavaScript navigation without enabling 'unsafe-inline' in 'script-src'?
Ex:
I want to add a nonce to 'javascript:void(0);' or a similar script like that.
Thanks!
Please provide better examples for CSP in the documentation. If I provide anything other than:
'self' => true, the result is an empty img-src value; this is true if I provide an array as well. For example, using the example from paragonie/csp-builder with:
'self' => true,
'data' => true
my resulting policy only has self; data doesn't work at all. If I try to provide a domain, the same is true.
Hello, I had installed this package and configured it well on my local machine in Laravel 5.4 and it ran without any problems, but when I uploaded it to the server I encountered this error.
FatalErrorException in SecureHeaders.php line 121: syntax error, unexpected '?'
It was complaining about this line of code in vendor/bepsvpt/secure-headers/src/SecureHeader.php
$csp = new CSPBuilder($this->config['csp']);
if (! ($this->config['csp']['https-transform-on-https-connections'] ?? true)) {
/* @todo wait for upstream package releasing new version */
// $csp = $csp->disableHttpsTransformOnHttpsConnections();
}
Can anyone help figure out how to fix this, please?
The script works well for everything except socket.io connections. I use a specific port and have tried to add my domain name with the port, but I get the same error.
It tries to get the value of $this->config['x-power-by'] when it should be $this->config['x-powered-by']
See: https://github.com/bepsvpt/secure-headers/blob/master/src/SecureHeaders.php#L230
PR: #55
Thanks.
...
I am using secure-headers in a Laravel project and get an A when scanning the site using securityheaders.io. I do get the following two warnings:
X-Frame-Options There was a duplicate X-Frame-Options header.
X-Content-Type-Options There was a duplicate X-Content-Type-Options header.
Laravel is adding the duplicates from Illuminate\Http\Middleware\FrameGuard.php. Is there a way to prevent this occurring?
Thanks
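The two warnings above are worth acting on rather than ignoring. When Content-Security-Policy is sent twice the browser enforces both copies, so a duplicate only tightens the policy; X-Frame-Options is different, because the HTML standard treats a response whose X-Frame-Options values disagree as not frameable at all, so a second copy from another middleware can silently change behaviour the moment its value diverges from the package's. The script below is an added example, not part of this issue and not the package's or Laravel's code: it parses a constructed response head modelled on the report (each header sent once by the package and once by Laravel's FrameGuard middleware), lists every security header that is repeated, and separates harmless identical repeats from genuinely conflicting values.

```python
# Constructed response head modelled on the securityheaders.io warning above: the same two
# headers emitted twice, one copy from the package and one from Laravel's FrameGuard middleware.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<!doctype html>"
)

# Headers whose duplication a scanner flags; extend to taste.
SECURITY_HEADERS = (
    "x-frame-options", "x-content-type-options", "content-security-policy",
    "strict-transport-security", "referrer-policy", "permissions-policy",
)


def parse_response_head(raw):
    """Return (status line, [(lower-cased name, value), ...]) keeping order and repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a "Name: value" line
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def repeated_headers(raw, names=SECURITY_HEADERS):
    """Map each watched header that appears more than once to all of its values, in order."""
    _, headers = parse_response_head(raw)
    values = {}
    for name, value in headers:
        values.setdefault(name, []).append(value)
    return {n: v for n, v in values.items() if n in names and len(v) > 1}


def conflicting_headers(raw, names=SECURITY_HEADERS):
    """Subset of repeated headers whose values actually differ once case-folded."""
    return {n: v for n, v in repeated_headers(raw, names).items()
            if len({x.lower() for x in v}) > 1}


def report(raw):
    """Human-readable summary, one line per repeated header."""
    lines = []
    conflicts = conflicting_headers(raw)
    for name, vals in repeated_headers(raw).items():
        kind = "CONFLICT" if name in conflicts else "duplicate"
        lines.append("%s: %s, sent %d times: %s" % (name, kind, len(vals), vals))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RESPONSE):
        print(line)
```

Run against a real capture (the head of a `curl -si` response works as input) the report tells you which emitter to remove. In the situation described above the page names the two sources itself: the package's `'x-frame-options'` and `'x-content-type-options'` config keys, and Laravel's FrameGuard middleware in the kernel; keeping exactly one of them removes the warning and, more importantly, removes the chance of the two values ever disagreeing.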
I see csp is enabled in the config file secure-headers.php
/*
* Content Security Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
*/
'csp' => [
'enable' => true,
But in the headers of my site the Content-Security-Policy header is not generated.
Results from https://securityheaders.com
Missing Headers
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
How do I enable this header?
Hi
I'm getting the below error in the console with the upgrade
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'
This is my script-src block in config/secure-headers.php
Can someone please let me know what I should change?
'script-src' => [
'allow' => [
'https://cdn.jsdelivr.net', // signature pad
],
'hashes' => [
// ['sha256' => 'hash-value'],
],
'nonces' => [
//
],
'schemes' => [
// 'https:',
],
'self' => true,
'unsafe-inline' => true,
'unsafe-eval' => false,
]
I am continually getting the below error
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
Below is my file:
<?php
return [
/*
* Server
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Server
*
* Note: when server is empty string, it will not add to response header
*/
'server' => 'Unknown',
/*
* X-Content-Type-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
*
* Available Value: 'nosniff'
*/
'x-content-type-options' => 'nosniff',
/*
* X-Download-Options
*
* Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
*
* Available Value: 'noopen'
*/
'x-download-options' => 'noopen',
/*
* X-Frame-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
*
* Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
*/
'x-frame-options' => 'sameorigin',
/*
* X-Permitted-Cross-Domain-Policies
*
* Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
*
* Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
*/
'x-permitted-cross-domain-policies' => 'none',
/*
* X-Power-By
*
* Note: it will not add to response header if the value is empty string.
*/
'x-power-by' => '',
/*
* X-XSS-Protection
*
* Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
*
* Available Value: '1', '0', '1; mode=block'
*/
'x-xss-protection' => '1; mode=block',
/*
* Referrer-Policy
*
* Reference: https://w3c.github.io/webappsec-referrer-policy
*
* Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
* 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
*/
'referrer-policy' => 'no-referrer',
/*
* Clear-Site-Data
*
* Reference: https://w3c.github.io/webappsec-clear-site-data/
*/
'clear-site-data' => [
'enable' => false,
'all' => false,
'cache' => true,
'cookies' => true,
'storage' => true,
'executionContexts' => true,
],
/*
* HTTP Strict Transport Security
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
*
* Please ensure your website has set up ssl/tls before enabling hsts.
*/
'hsts' => [
'enable' => true,
'max-age' => 15552000,
'include-sub-domains' => true,
'preload' => false,
],
/*
* Expect-CT
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
*/
'expect-ct' => [
'enable' => false,
'max-age' => 2147483648,
'enforce' => false,
'report-uri' => null,
],
/*
* Public Key Pinning
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
*
* hpkp will be ignored if hashes is empty.
*/
'hpkp' => [
'hashes' => [
// 'sha256-hash-value',
],
'include-sub-domains' => false,
'max-age' => 15552000,
'report-only' => false,
'report-uri' => null,
],
/*
* Feature Policy
*
* Reference: https://wicg.github.io/feature-policy/
*/
'feature-policy' => [
'enable' => true,
/*
* Each directive details can be found on:
*
* https://github.com/WICG/feature-policy/blob/master/features.md
*
* 'none', '*' and 'self allow' are mutually exclusive,
* the priority is 'none' > '*' > 'self allow'.
*/
'accelerometer' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'ambient-light-sensor' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'autoplay' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'camera' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'display-capture' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'document-domain' => [
'none' => false,
'*' => true,
'self' => false,
'src' => false,
'allow' => [
// 'url',
],
],
'encrypted-media' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'fullscreen' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'geolocation' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'gyroscope' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'magnetometer' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'microphone' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'midi' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'payment' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'picture-in-picture' => [
'none' => false,
'*' => true,
'self' => false,
'src' => false,
'allow' => [
// 'url',
],
],
'speaker' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'sync-xhr' => [
'none' => false,
'*' => true,
'self' => false,
'src' => false,
'allow' => [
// 'url',
],
],
'usb' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
'vr' => [
'none' => false,
'*' => false,
'self' => true,
'src' => false,
'allow' => [
// 'url',
],
],
],
/*
* Content Security Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
*
* csp will be ignored if custom-csp is not null. To disable csp, set custom-csp to empty string.
*
* Note: custom-csp does not support report-only.
*/
'custom-csp' => null,
'csp' => [
'report-only' => false,
'report-uri' => null,
'block-all-mixed-content' => false,
'upgrade-insecure-requests' => true,
/*
* Please refer to the script-src directive for available values; only `script-src` and `style-src`
* support `add-generated-nonce`.
*
* Note: when directive value is empty, it will use `none` for that directive.
*/
'script-src' => [
'allow' => [
'https://www.google.com/recaptcha/api.js',
'https://cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js',
'https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/jquery.validate.js',
'https://maps.googleapis.com/maps-api-v3/api/js/39/10/common.js',
'https://maps.googleapis.com/maps-api-v3/api/js/39/10/util.js',
'https://cdnjs.cloudflare.com/ajax/libs/gsap/1.18.0/TweenMax.min.js',
'https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.19.0/additional-methods.js',
'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/ScrollMagic.min.js',
'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/animation.gsap.min.js',
'https://cdnjs.cloudflare.com/ajax/libs/ScrollMagic/2.0.5/plugins/debug.addIndicators.min.js',
'https://connect.facebook.net/en_US/fbevents.js',
],
'hashes' => [
// 'sha256' => [
// 'hash-value',
// ],
],
'nonces' => [
// 'base64-encoded',
],
'schemes' => [
'https:',
],
'self' => true,
'unsafe-inline' => true,
'unsafe-eval' => true,
'strict-dynamic' => false,
'unsafe-hashed-attributes' => false,
// https://www.chromestatus.com/feature/5792234276388864
// 'report-sample' => true,
'add-generated-nonce' => true,
],
'style-src' => [
'allow' => [
'https://fonts.googleapis.com/',
'https://fonts.googleapis.com/css?family=Biryani:200,300,400,500,600,700',
'https://cdnjs.cloudflare.com/ajax/libs/bootstrap-datetimepicker/4.15.35/css/bootstrap-datetimepicker.min.css',
],
'hashes' => [
// 'sha256' => [
// 'hash-value',
// ],
],
'nonces' => [
//
],
'schemes' => [
// 'https:',
],
'self' => true,
'unsafe-inline' => true,
// https://www.chromestatus.com/feature/5792234276388864
// 'report-sample' => true,
'add-generated-nonce' => false,
],
'img-src' => [
'allow' => [
//
],
'schemes' => [
'data:',
'https:',
],
'self' => true,
'data' => true,
],
'default-src' => [
'none',
],
'base-uri' => [
//
],
'connect-src' => [
'allow' => [
'https://' . parse_url(env('APP_URL'), PHP_URL_HOST) . ':8443/socket.io/',
'wss://' . parse_url(env('APP_URL'), PHP_URL_HOST) . ':8443/socket.io/',
],
'self' => true,
],
'font-src' => [
'schemes' => [
'data:',
'https:',
],
'self' => true,
'data' => true,
],
'form-action' => [
'self' => true,
],
'frame-ancestors' => [
//
],
'frame-src' => [
'schemes' => [
'https:',
],
'self' => true,
],
'media-src' => [
'allow' => [
//
],
'self' => true,
],
'object-src' => [
//
],
'worker-src' => [
//
],
'plugin-types' => [
// 'application/x-shockwave-flash',
],
'require-sri-for' => '',
'sandbox' => '',
],
];
Sometimes I get the following error in the log file:
Trying to get property of non-object in /public_html/vendor/bepsvpt/secure-headers/src/SecureHeadersMiddleware.php:26
I think the variable $response has no headers property, and that raises an exception.
Got a warning in Chrome:
"[Deprecation] SharedArrayBuffer will require cross-origin isolation as of M91, around May 2021. See https://developer.chrome.com/blog/enabling-shared-array-buffer/ for more details."
Not found in the package any mentions of the headers that they are talking about:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Hello All,
1. I have configured it as per the Laravel project, and the security headers come in the first request of the website, but all other requests, like loading JS and CSS, do not have the configured security headers.
2. Also, securityheaders.com still shows a big red F for my website (https://workversatile.com).
Can anyone help me?
Hi,
Is there support for blob: with this package? I am currently using it and I am getting the following error:
Refused to load media from 'blob:https://xxxxxxxx.ngrok.io/31d4ff8f-d69e-48ec-b504-ac8c3cab5909' because it violates the following Content Security Policy directive: "media-src http://*.ngrok.io data:".
Is there a way I can have this fixed?
Thanks
This happens when streaming a file to the browser, for example. The header() method is not available on that request type.
Call to undefined method Symfony\Component\HttpFoundation\StreamedResponse::header()
Hackers can exploit known vulnerabilities in Express and Node if they know you’re using it. Express (and other web technologies like PHP) set an X-Powered-By header with every request, indicating what technology powers the server. PHP, for example, sets this, which is a dead giveaway that your server is powered by PHP.
Is it possible to add an option in this package config to enable/disable adding this header?
header_remove("X-Powered-By");
Hi
I'm new to Laravel and I have some questions about your package.
I added
\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,
to $middlewarePriority in Kernel.php
Is that right?
And what should I write in secure-headers.php?
And how can I be sure that I configured it in the right way?
I'm using Laravel 5.8.
Thanks in advance.
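Several of the reports above share one root cause: headers being applied through an API that not every response object has, or at a layer the response object never sees. `StreamedResponse::header()` is undefined because `header()` is an Illuminate helper, while `$response->headers` (Symfony's `ResponseHeaderBag`) exists on every response class; the "property of non-object" error appears when `$next($request)` hands back something that is not a response at all; and the `X-Powered-By` line that survives the package's setting is written by PHP itself (`expose_php`), not by Laravel. The middleware below is an added example, not the package's own `SecureHeadersMiddleware`; the class name is illustrative, and the two `Cross-Origin-*` values are the ones quoted in the Chrome SharedArrayBuffer warning earlier in this thread.

```php
<?php
declare(strict_types=1);

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Added example (not code from bepsvpt/secure-headers). It applies headers in a
 * way that survives the failure modes reported in this thread:
 *  - writes through $response->headers, which every Symfony Response subclass has,
 *    instead of Illuminate's header() helper, which StreamedResponse and
 *    BinaryFileResponse lack;
 *  - returns early when the next handler did not produce a Response object;
 *  - removes PHP's own X-Powered-By at the SAPI level, where the Response
 *    object cannot reach it.
 */
final class CrossOriginIsolationHeaders
{
    /** Values taken from the Chrome deprecation warning quoted above. */
    private const HEADERS = [
        'Cross-Origin-Opener-Policy'   => 'same-origin',
        'Cross-Origin-Embedder-Policy' => 'require-corp',
    ];

    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        // Guard against a non-Response (string, null) from an earlier middleware.
        if (! $response instanceof Response) {
            return $response;
        }

        return self::apply($response);
    }

    /** Kept separate from handle() so it can be exercised without the HTTP kernel. */
    public static function apply(Response $response): Response
    {
        foreach (self::HEADERS as $name => $value) {
            // ResponseHeaderBag::set() works on StreamedResponse too.
            $response->headers->set($name, $value);
        }

        // PHP adds "X-Powered-By: PHP/x.y" itself when expose_php=On; the Response
        // object never contains it, so header_remove() is the runtime fix.
        // Setting expose_php = Off in php.ini is the permanent one.
        if (! headers_sent()) {
            header_remove('X-Powered-By');
        }
        $response->headers->remove('X-Powered-By');

        return $response;
    }
}
```

Register the class in the `$middleware` array of `app/Http/Kernel.php`; `$middlewarePriority` only orders middleware that is already registered elsewhere, so adding it there alone does nothing. Two caveats from practice: middleware only runs for requests that reach Laravel, so JS and CSS files served straight from disk by nginx or Apache need the same headers set in the web server configuration; and `Cross-Origin-Embedder-Policy: require-corp` blocks every cross-origin subresource that does not opt in via CORS or a `Cross-Origin-Resource-Policy` header, so trial it with `Cross-Origin-Embedder-Policy-Report-Only` before enforcing.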
Hey guys,
I have an issue with the secure headers. I installed it through composer, no problems there. But now it's so secure that I can't even see my bootstrap layout. Should it work on default or am I missing something? Thanks in advance.
Kudos on a lightweight and well-organized package for handling all the security headers! This is just what I was looking for.
However this package has only one downside: installing it will install illuminate/support into my project, but I don't need that since I'm not running Laravel.
Could the following be moved to a separate package:
This change would make this package more attractive to non-Laravel users and lower maintenance since no dependencies means no dependencies to update down the road.
If that isn't an option or desirable, moving illuminate/support from require
to suggest
would help.
Hello and thanks for the great package. Maybe I'm doing this wrong but imgs I have whitelisted are not showing up.
[Error] Refused to load http://7.t.imgbox.com/nzEqZ9bY.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://5.t.imgbox.com/fqffnT8Y.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://7.t.imgbox.com/nzEqZ9bY.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://5.t.imgbox.com/fqffnT8Y.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://6.t.imgbox.com/ecBXXVws.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://9.t.imgbox.com/pdHrSRyL.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://0.t.imgbox.com/uxFAAuEd.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://6.t.imgbox.com/4ZFjwTBc.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://3.t.imgbox.com/e0a7Dyf8.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://2.t.imgbox.com/43n4c49A.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://assets.fanart.tv/fanart/movies/269149/moviebackground/zootopia-56b0a4adcd559.jpg because it does not appear in the img-src directive of the Content Security Policy.
[Error] Refused to load http://assets.fanart.tv/fanart/movies/269149/movieposter/zootopia-573f3f2c6d6ee.jpg because it does not appear in the img-src directive of the Content Security Policy.
This is my CSP config
<?php
return [
/*
* X-Content-Type-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
*
* Available Value: 'nosniff'
*/
'x-content-type-options' => 'nosniff',
/*
* X-Download-Options
*
* Reference: https://msdn.microsoft.com/en-us/library/jj542450(v=vs.85).aspx
*
* Available Value: 'noopen'
*/
'x-download-options' => 'noopen',
/*
* X-Frame-Options
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
*
* Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
*/
'x-frame-options' => 'sameorigin',
/*
* X-Permitted-Cross-Domain-Policies
*
* Reference: https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
*
* Available Value: 'all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename'
*/
'x-permitted-cross-domain-policies' => 'none',
/*
* X-XSS-Protection
*
* Reference: https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter
*
* Available Value: '1', '0', '1; mode=block'
*/
'x-xss-protection' => '1; mode=block',
/*
* Referrer-Policy
*
* Reference: https://w3c.github.io/webappsec-referrer-policy
*
* Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
* 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
*/
'referrer-policy' => 'strict-origin-when-cross-origin',
/*
* HTTP Strict Transport Security
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
*
* Please ensure your website has TLS set up before enabling HSTS.
*/
'hsts' => [
'enable' => true,
'max-age' => 15552000,
'include-sub-domains' => false,
],
/*
* Public Key Pinning
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
*
* hpkp will be ignored if hashes is empty.
*/
'hpkp' => [
'hashes' => [
// [
// 'algo' => 'sha256',
// 'hash' => 'hash-value',
// ],
],
'include-sub-domains' => false,
'max-age' => 15552000,
'report-only' => false,
'report-uri' => null,
],
/*
* Content Security Policy
*
* Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
*
* csp will be ignored if custom-csp is not null. To disable csp, set custom-csp to empty string.
*
* Note: custom-csp does not support report-only.
*/
'custom-csp' => null,
'csp' => [
'report-only' => false,
'report-uri' => null,
'upgrade-insecure-requests' => false,
'base-uri' => [
//
],
'default-src' => [
'self' => true,
],
'child-src' => [
//
],
'script-src' => [
'allow' => [
'cdnjs.cloudflare.com',
'cdn.bootcss.com',
'cdn.datatables.net',
'ajax.googleapis.com',
'maxcdn.bootstrapcdn.com',
],
'hashes' => [
// ['sha256' => 'hash-value'],
],
'nonces' => [
//
],
'self' => true,
'unsafe-inline' => true,
'unsafe-eval' => false,
],
'style-src' => [
'allow' => [
'cdn.bootcss.com',
'fonts.googleapis.com',
'cdn.rawgit.com',
'maxcdn.bootstrapcdn.com',
'cdnjs.cloudflare.com',
'ajax.googleapis.com',
],
'self' => true,
'unsafe-inline' => true,
],
'img-src' => [
'allow' => [
'*.imgur.com',
'*.imgbox.com',
'assets.fanart.tv',
],
'types' => [
'gif',
'png',
],
'self' => true,
'data' => true,
],
/*
* The following directives all use the 'allow' and 'self' flags.
*
* Note: the default value of the 'self' flag is false.
*/
'font-src' => [
'allow' => [
'fonts.googleapis.com',
'fonts.gstatic.com',
'cdn.rawgit.com',
'maxcdn.bootstrapcdn.com',
],
'self' => true,
],
'connect-src' => [
'allow' => [
'www.omdbapi.com',
],
'self' => true,
],
'form-action' => [
'self' => true,
],
'frame-ancestors' => [
'self' => true,
],
'media-src' => [
'self' => true,
],
'object-src' => [
'self' => true,
],
/*
* plugin-types only support 'allow'.
*/
'plugin-types' => [
//
],
],
];
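Every refusal quoted in this thread (the `data:` images, the `blob:` media URL on ngrok, and the imgbox images above) comes down to how the browser matches the blocked URL against each source expression in the directive, not to the package ignoring a flag. The matcher below is an added example, not code from bepsvpt/secure-headers: a standalone implementation of the CSP Level 3 rules for scheme-sources (`data:`, `blob:`, `https:`), host-sources (`*.imgbox.com`, `http://*.ngrok.io`) and `'self'`. The page origins passed in (`https://example.test` and so on) are assumed; the URLs and source lists are the ones posted above. Nonces, hashes, `'unsafe-*'` keywords and redirect handling are out of scope.

```php
<?php
declare(strict_types=1);

// Added example, not part of bepsvpt/secure-headers: checks a URL against CSP
// source expressions the way a browser does, so a posted config can be
// verified offline against the exact URL from the console error.

const CSP_DEFAULT_PORTS = ['http' => 80, 'https' => 443, 'ws' => 80, 'wss' => 443, 'ftp' => 21];

/** Split a URL into scheme/host/port/path; data:, blob: etc. keep only the scheme. */
function cspParseUrl(string $url): ?array
{
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return null;                                   // relative URL: resolve it first
    }
    $scheme = strtolower($m[1]);
    if (substr($url, strlen($m[0]), 2) !== '//') {     // non-hierarchical: no host to match
        return ['scheme' => $scheme, 'host' => null, 'port' => null, 'path' => null];
    }
    $p = parse_url($url);
    if ($p === false || empty($p['host'])) {
        return null;
    }
    return [
        'scheme' => $scheme,
        'host'   => strtolower($p['host']),
        'port'   => $p['port'] ?? (CSP_DEFAULT_PORTS[$scheme] ?? null),
        'path'   => $p['path'] ?? '/',
    ];
}

/** CSP "scheme-part match": http: also covers https:, ws: also covers wss:. */
function cspSchemeMatches(string $expected, string $actual): bool
{
    return $expected === $actual
        || ($expected === 'http' && $actual === 'https')
        || ($expected === 'ws' && $actual === 'wss');
}

/** "*.example.com" matches at least one extra label; "*" matches any host. */
function cspHostMatches(string $pattern, string $host): bool
{
    if ($pattern === '*') {
        return true;
    }
    if (strncmp($pattern, '*.', 2) === 0) {
        $suffix = substr($pattern, 1);                 // ".example.com"
        return strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix;
    }
    return $pattern === $host;
}

function cspSourceMatches(string $expression, string $url, string $pageOrigin): bool
{
    $u = cspParseUrl($url);
    $o = cspParseUrl($pageOrigin);
    if ($u === null || $o === null) {
        return false;
    }
    // scheme-source: "data:", "blob:", "https:" ...
    if (preg_match('/^([a-z][a-z0-9+.\-]*):$/i', $expression, $m)) {
        return cspSchemeMatches(strtolower($m[1]), $u['scheme']);
    }
    // 'self': same host and port as the page; upgrading http->https is allowed
    if (strcasecmp($expression, "'self'") === 0) {
        if ($u['host'] === null || $u['host'] !== $o['host']) {
            return false;
        }
        $du = CSP_DEFAULT_PORTS[$u['scheme']] ?? null;
        $do = CSP_DEFAULT_PORTS[$o['scheme']] ?? null;
        return cspSchemeMatches($o['scheme'], $u['scheme'])
            && ($u['port'] === $o['port'] || ($du !== null && $u['port'] === $du && $o['port'] === $do));
    }
    // host-source: [scheme://]host[:port][/path]
    if (!preg_match('~^(?:([a-z][a-z0-9+.\-]*)://)?(\*|(?:\*\.)?[a-z0-9.\-]+)(?::(\*|\d+))?(/[^?#]*)?$~i', $expression, $m)) {
        return false;                                  // keywords, nonces, hashes: not handled here
    }
    [, $exprScheme, $exprHost, $exprPort, $exprPath] = array_pad($m, 5, '');
    if ($u['host'] === null) {
        return false;                                  // data:/blob: URLs never match a host-source
    }
    // 1. scheme: the expression's own scheme, otherwise the page's scheme
    $wanted = $exprScheme !== '' ? strtolower($exprScheme) : $o['scheme'];
    if (!cspSchemeMatches($wanted, $u['scheme'])) {
        return false;
    }
    // 2. host
    if (!cspHostMatches(strtolower($exprHost), $u['host'])) {
        return false;
    }
    // 3. port: absent means "default port of the URL's scheme"
    if ($exprPort === '') {
        if ($u['port'] !== (CSP_DEFAULT_PORTS[$u['scheme']] ?? null)) {
            return false;
        }
    } elseif ($exprPort !== '*') {
        $port = (int) $exprPort;
        if ($port !== $u['port'] && !($port === 80 && $u['port'] === 443 && $u['scheme'] === 'https')) {
            return false;
        }
    }
    // 4. path: trailing "/" is a prefix match, anything else must match exactly
    if ($exprPath !== '') {
        $prefix = substr($exprPath, -1) === '/';
        if ($prefix ? strncmp($u['path'], $exprPath, strlen($exprPath)) !== 0 : $u['path'] !== $exprPath) {
            return false;
        }
    }
    return true;
}

/** True if any expression in the directive's source list allows the URL. */
function cspAllows(array $sources, string $url, string $pageOrigin): bool
{
    foreach ($sources as $source) {
        if (cspSourceMatches($source, $url, $pageOrigin)) {
            return true;
        }
    }
    return false;
}

// Worked checks with the sources from the posts above; the page origins are assumed.
$imgSrc = ["'self'", '*.imgur.com', '*.imgbox.com', 'assets.fanart.tv', 'data:'];
var_dump(cspAllows($imgSrc, 'http://7.t.imgbox.com/nzEqZ9bY.jpg', 'https://example.test')); // false: https page, http image
var_dump(cspAllows($imgSrc, 'http://7.t.imgbox.com/nzEqZ9bY.jpg', 'http://example.test'));  // true
var_dump(cspAllows($imgSrc, 'data:image/jpeg;base64,/9j/4T+DRXhpZk=', 'https://example.test')); // true
$mediaSrc = ['http://*.ngrok.io', 'data:'];
$blob = 'blob:https://xxxxxxxx.ngrok.io/31d4ff8f-d69e-48ec-b504-ac8c3cab5909';
var_dump(cspAllows($mediaSrc, $blob, 'https://xxxxxxxx.ngrok.io'));                 // false: needs blob:
var_dump(cspAllows(array_merge($mediaSrc, ['blob:']), $blob, 'https://xxxxxxxx.ngrok.io')); // true
```

The two behaviours that explain the reports: a host-source without a scheme (`*.imgbox.com`) matches only the page's own scheme or its https upgrade, so from an https page an `http://7.t.imgbox.com/...` image is refused even though the host matches; referencing the images over https (or writing the source as `http://*.imgbox.com`, which still leaves mixed-content rules to deal with) resolves it. `blob:` and `data:` are scheme-sources and never match a host-source, so a media-src of `http://*.ngrok.io data:` has to gain `blob:` explicitly; with this package that is the `schemes` list of the directive, as in the `img-src` block earlier in this thread.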
Thanks for making this awesome open source library!
I'm in the process of upgrading an app to Laravel 5.3 and version 2.0.0 of laravel-security-header. We've run into issues because we were using conditional logic (based on APP_ENV
) to generate distinct CSP directives and enable different features for development vs. production environments. Now that the config is in a JSON file, it's become much more difficult to conditionally define rulesets as we were previously. I believe Laravel packages traditionally use PHP config files for this reason. Would you consider reverting to a PHP config?
Not sure if something changed under the hood for this, but the CSP on a site of mine is no longer recognized, even though I've still got the CSP set to an empty string. Any idea on that?
Just running the sites through https://securityheaders.com/ to verify this.
Error parsing header X-XSS-Protection: 1; mode=block, 1; mode=block: expected semicolon at character position 13. The default protections will be applied.