jcaillot/owasp-headers
======================

Laravel middleware. Adds OWASP recommended headers to the response.

v1.3 (4y ago) · MIT · PHP ^7.4 || ^8.0

[Source](https://github.com/jcaillot/owasp-headers) · [Packagist](https://packagist.org/packages/jcaillot/owasp-headers)

### OWASP header middleware for the Laravel framework

> Laravel middleware. Adds OWASP recommended headers to the response

Prerequisites
-------------

> Laravel >= 5.2

Installation
------------

#### 1. Install the library

```
composer require jcaillot/owasp-headers
```

#### 2. Edit the config file

Copy `./vendor/jcaillot/owasp-headers/config/owasp-headers-example.php` to `./config/owasp-headers.php` in your app config directory:

```
    php -r "copy( 'vendor/jcaillot/owasp-headers/config/owasp-headers-example.php', 'config/owasp-headers.php');"
```

Edit your copy of `./config/owasp-headers.php` to fine-tune the OWASP recommended headers. CAUTION: headers such as HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP) need special attention so that they do not cause an incident. Here is the default list of headers that will be added to the response:

```
<?php

return [
    # Tells the browser to use HTTPS only, for this host and its subdomains, for one year:
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
    # Prevents the browser from interpreting files as something other than the declared content type:
    'X-Content-Type-Options' => 'nosniff',
    # Declares the response body as UTF-8 encoded HTML:
    'Content-Type' => 'text/html; charset=utf-8',
    # Enables the cross-site scripting (XSS) filter in the browser:
    'X-XSS-Protection' => '1; mode=block',
    # The browser must not display the transmitted content in frames:
    'X-Frame-Options' => 'DENY',
    # No XML policy file (for Flash or Acrobat) allowed:
    # see https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
    'X-Permitted-Cross-Domain-Policies' => 'none',
    # Referrer-Policy governs which referrer information is sent in the Referer header:
    'Referrer-Policy' => 'same-origin',
    # Content Security Policy (CSP) requires careful tuning
    # see https://csp-evaluator.withgoogle.com
    # example: 'Content-Security-Policy' => 'default-src \'self\'; img-src \'self\'; script-src \'self\'; frame-ancestors \'none\'',
    'Content-Security-Policy' => 'frame-ancestors \'none\'',
    # Selectively enables and disables browser features and APIs
    # (each directive is "feature allowlist", with no colon):
    'Feature-Policy' => 'camera \'none\'; payment \'none\'; microphone \'none\'',
];
```
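The caution above can be turned into a check that runs before a config is deployed. The following is an added example, not code from the package: `auditHeaders()` and the sample array are hypothetical, and the one-day `max-age` threshold is an assumption chosen for illustration.

```php
<?php
// Added example; auditHeaders() is a hypothetical helper, not part of the package.
function auditHeaders(array $headers): array
{
    // Names the config on this page is meant to emit, lower-cased for comparison.
    $known = array_map('strtolower', [
        'Strict-Transport-Security', 'X-Content-Type-Options', 'Content-Type',
        'X-XSS-Protection', 'X-Frame-Options', 'X-Permitted-Cross-Domain-Policies',
        'Referrer-Policy', 'Content-Security-Policy',
        'Content-Security-Policy-Report-Only', 'Feature-Policy',
    ]);
    $findings = [];
    foreach (array_keys($headers) as $name) {
        // A misspelled name is still sent, but browsers ignore it.
        if (!in_array(strtolower($name), $known, true)) {
            $findings[] = "$name: unrecognised header name, check the spelling";
        }
    }
    $hsts = $headers['Strict-Transport-Security'] ?? '';
    if (preg_match('/max-age=(\d+)/i', $hsts, $m) && (int) $m[1] > 86400) {
        $findings[] = 'Strict-Transport-Security: max-age over one day, start lower until HTTPS is verified';
    }
    if (stripos($hsts, 'preload') !== false) {
        $findings[] = 'Strict-Transport-Security: preload is slow to undo, confirm all subdomains serve HTTPS';
    }
    // Feature-Policy directives are "feature allowlist" pairs with no colon.
    if (preg_match('/[a-z-]+\s*:/i', $headers['Feature-Policy'] ?? '')) {
        $findings[] = 'Feature-Policy: use "camera \'none\'", not "camera: \'none\'"';
    }
    // An enforcing CSP with fetch directives can break pages; trial it first.
    $csp = $headers['Content-Security-Policy'] ?? '';
    if (preg_match('/\b(default|script|style|img)-src\b/i', $csp)
        && !isset($headers['Content-Security-Policy-Report-Only'])) {
        $findings[] = 'Content-Security-Policy: trial new directives as Content-Security-Policy-Report-Only first';
    }
    return $findings;
}

// Constructed sample config, not the package's shipped file.
$sample = [
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
    'X-Content-Type-Option' => 'nosniff',
    'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'none'",
    'Feature-Policy' => "camera: 'none'; microphone: 'none'",
];
foreach (auditHeaders($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run against the constructed sample, it reports five findings: the misspelled `X-Content-Type-Option`, the long HSTS `max-age`, the `preload` flag, the colon syntax in `Feature-Policy`, and the enforcing CSP with no report-only trial.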

#### 3. Declare the middleware in Kernel

In `app/Kernel.php`, you can declare the middleware globally. All responses will be affected:

```
    protected $middleware = [
        // ... existing global middleware ...
        \Chaman\Http\Middleware\OwaspHeaders::class,
    ];
```

Alternatively, you can declare it as a route middleware and attach it on a per-route basis:

```
    protected $routeMiddleware = [
        // ... existing route middleware ...
        'owasp.headers' => \Chaman\Http\Middleware\OwaspHeaders::class,
    ];
```

Then apply it to any route (in `routes/web.php`):

```
    Route::get('/home', function () {
        // ... route logic ...
    })->middleware('owasp.headers');
```

About OWASP recommended headers
-------------------------------

More information on OWASP recommended headers can be found on the OWASP Secure Headers Project Wiki:

[OWASP](https://owasp.org/www-project-secure-headers/)

License
-------

[MIT](https://choosealicense.com/licenses/mit/)
