
jeffersongoncalves/laravel-security-headers
===========================================

This Laravel package stamps a configurable set of baseline security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy, Cross-Origin-Opener-Policy, X-Permitted-Cross-Domain-Policies and HSTS) onto your HTTP responses via a single middleware. Every header value and the full CSP directive map are driven by config, so you can tune or disable each one without touching code.

[Source](https://github.com/jeffersongoncalves/laravel-security-headers) · [Packagist](https://packagist.org/packages/jeffersongoncalves/laravel-security-headers)

[![Laravel Security Headers](https://raw.githubusercontent.com/jeffersongoncalves/laravel-security-headers/master/art/jeffersongoncalves-laravel-security-headers.png)](https://raw.githubusercontent.com/jeffersongoncalves/laravel-security-headers/master/art/jeffersongoncalves-laravel-security-headers.png)

Laravel Security Headers
========================

[![Latest Version on Packagist](https://camo.githubusercontent.com/929f00085a8dd5070afe677dc5ad2fd74ec222af97b6fb01e2af29423dd64187/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6a6566666572736f6e676f6e63616c7665732f6c61726176656c2d73656375726974792d686561646572732e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/jeffersongoncalves/laravel-security-headers)[![GitHub Tests Action Status](https://camo.githubusercontent.com/68d8778a9d777df9be851f9d120f9eae32bf8a9effd009e3236f2bfcf9a7cc5f/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f6a6566666572736f6e676f6e63616c7665732f6c61726176656c2d73656375726974792d686561646572732f72756e2d74657374732e796d6c3f6272616e63683d6d6173746572266c6162656c3d7465737473267374796c653d666c61742d737175617265)](https://github.com/jeffersongoncalves/laravel-security-headers/actions?query=workflow%3Arun-tests+branch%3Amaster)[![GitHub Code Style Action Status](https://camo.githubusercontent.com/a66ef8c2e5828feff1f23b4641accf4c4ede73f2e0a135009a81d690507c74ef/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f6a6566666572736f6e676f6e63616c7665732f6c61726176656c2d73656375726974792d686561646572732f6669782d7068702d636f64652d7374796c652d6973737565732e796d6c3f6272616e63683d6d6173746572266c6162656c3d636f64652532307374796c65267374796c653d666c61742d737175617265)](https://github.com/jeffersongoncalves/laravel-security-headers/actions?query=workflow%3A%22Fix+PHP+code+styling%22+branch%3Amaster)[![Total Downloads](https://camo.githubusercontent.com/c4ce08a5bd48d279990807e1230c7cfc40fb2b63381de3f23c13a7ac27fe1cce/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6a6566666572736f6e676f6e63616c7665732f6c61726176656c2d73656375726974792d686561646572732e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/jeffersongoncalves/laravel-security-headers)

This Laravel package stamps a configurable set of baseline security headers onto your HTTP responses via a single middleware. Every header value and the full Content-Security-Policy directive map are driven by `config/security-headers.php`, so you can tune or disable each one without touching code.

The headers it manages:

- `X-Content-Type-Options`
- `X-Frame-Options`
- `Referrer-Policy`
- `Permissions-Policy`
- `Content-Security-Policy`
- `Cross-Origin-Opener-Policy`
- `X-Permitted-Cross-Domain-Policies`
- `Strict-Transport-Security` (HSTS) — only over real HTTPS and never in the `local` environment

Installation
------------

You can install the package via composer:

```
composer require jeffersongoncalves/laravel-security-headers
```

You can publish the config file with:

```
php artisan vendor:publish --tag="laravel-security-headers-config"
```

Usage
-----

The package ships a single middleware: `JeffersonGoncalves\SecurityHeaders\Middleware\SecurityHeaders`. Register it however you apply security to your responses. Place it as the **outermost** middleware of the group you want protected so it also stamps cached (HIT) responses produced further down the stack.

### Register an alias and/or apply to a group (Laravel 11+)

In `bootstrap/app.php`:

```
<?php

use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Middleware;
use JeffersonGoncalves\SecurityHeaders\Middleware\SecurityHeaders;

// Other ->withRouting() / ->withExceptions() calls of your app go here as usual.
return Application::configure(basePath: dirname(__DIR__))
    ->withMiddleware(function (Middleware $middleware) {
        // Apply to the whole web group, prepended so it runs outermost...
        $middleware->web(prepend: [
            SecurityHeaders::class,
        ]);

        // ...or register an alias and attach it per route/group.
        $middleware->alias([
            'security-headers' => SecurityHeaders::class,
        ]);
    })
    ->create();
```

Then, with the alias, on a route or group:

```
Route::middleware('security-headers')->group(function () {
    // ...
});
```

### Legacy kernel (Laravel 10 style)

Add the middleware to a group in `app/Http/Kernel.php`:

```
protected $middlewareGroups = [
    'web' => [
        \JeffersonGoncalves\SecurityHeaders\Middleware\SecurityHeaders::class,
        // ...
    ],
];
```

Configuration
-------------

After publishing, `config/security-headers.php` exposes three blocks.

### Static headers

Each entry is stamped onto every response. Set any value to `null` to **skip** that header:

```
'headers' => [
    'X-Content-Type-Options' => 'nosniff',
    'X-Frame-Options' => 'SAMEORIGIN',
    'Referrer-Policy' => 'strict-origin-when-cross-origin',
    'Permissions-Policy' => 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), browsing-topics=()',
    'Cross-Origin-Opener-Policy' => 'same-origin-allow-popups',
    // Disable a header by setting it to null:
    'X-Permitted-Cross-Domain-Policies' => null,
],
```

### Customizing the Content-Security-Policy

The CSP header is assembled from the associative `directives` map, **preserving order**. A value may be a string or an array of source expressions. A directive whose value is `null` (or an empty string) is emitted as a *valueless* directive (e.g. `upgrade-insecure-requests`). Set `csp.enabled` to `false` to drop the header entirely:

```
'csp' => [
    'enabled' => true,
    'directives' => [
        'default-src' => "'self'",
        'script-src' => ["'self'", "'unsafe-inline'", 'https://www.googletagmanager.com'],
        'img-src' => "'self' data: https:",
        'frame-ancestors' => "'self'",
        'object-src' => "'none'",
        'upgrade-insecure-requests' => null, // valueless directive
    ],
],
```

### HSTS

`Strict-Transport-Security` is only stamped over real HTTPS and never while the app is in the `local` environment (a cached `max-age` on a `*.test` domain is a pain to undo):

```
'hsts' => [
    'enabled' => true,
    'max-age' => 31536000,
    'include-subdomains' => true,
    'preload' => true,
],
```
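A feature test for an application that has wired the middleware as described under Usage, added here as an example; it is not part of the package or its test suite. It registers a throwaway route inside the test so it does not depend on the app's own routes. It assumes the default config values shown in this section, that the middleware reads `config('security-headers.*')` at request time (so a `config([...])` override in the test takes effect), that the test environment is `testing` rather than `local` (so the HSTS exclusion does not apply), and that "real HTTPS" is decided by `$request->secure()`, which Laravel's test client satisfies when given an `https://` URL.

```php
<?php

namespace Tests\Feature;

use Illuminate\Support\Facades\Route;
use JeffersonGoncalves\SecurityHeaders\Middleware\SecurityHeaders;
use Tests\TestCase;

// Added example test (not the package's own). Assumes the default config
// published from config/security-headers.php and APP_ENV=testing.
class SecurityHeadersTest extends TestCase
{
    protected function setUp(): void
    {
        parent::setUp();

        // Attach the middleware directly to a probe route so the test is
        // independent of how the app wires its middleware groups.
        Route::middleware(SecurityHeaders::class)
            ->get('/_security-headers-probe', fn () => 'ok');
    }

    public function test_static_headers_and_csp_are_stamped(): void
    {
        $response = $this->get('/_security-headers-probe');

        $response->assertOk();
        $response->assertHeader('X-Content-Type-Options', 'nosniff');
        $response->assertHeader('X-Frame-Options', 'SAMEORIGIN');
        $response->assertHeader('Referrer-Policy', 'strict-origin-when-cross-origin');

        // The CSP is a single header; check the structural directives
        // that carry the protective value (see the caveat section).
        $csp = $response->headers->get('Content-Security-Policy');
        $this->assertNotNull($csp);
        $this->assertStringContainsString("frame-ancestors 'self'", $csp);
        $this->assertStringContainsString("object-src 'none'", $csp);
        $this->assertStringContainsString('upgrade-insecure-requests', $csp);
    }

    public function test_header_set_to_null_is_skipped(): void
    {
        // Assumption: the middleware reads config at request time.
        config(['security-headers.headers.X-Frame-Options' => null]);

        $this->get('/_security-headers-probe')
            ->assertHeaderMissing('X-Frame-Options');
    }

    public function test_hsts_is_only_sent_over_https(): void
    {
        config(['security-headers.hsts.enabled' => true]);

        // Plain HTTP: HSTS must not be emitted even though it is enabled.
        $this->get('http://localhost/_security-headers-probe')
            ->assertHeaderMissing('Strict-Transport-Security');

        // HTTPS in the "testing" environment (not "local"): header expected.
        $hsts = $this->get('https://localhost/_security-headers-probe')
            ->headers->get('Strict-Transport-Security');

        $this->assertNotNull($hsts);
        $this->assertStringContainsString('max-age=31536000', $hsts);
        $this->assertStringContainsString('includeSubDomains', $hsts);
    }
}
```

Run it with `php artisan test`. If the HTTPS assertion fails while the others pass, check that `phpunit.xml` sets `APP_ENV` to `testing` and how the app's trusted-proxy configuration affects `$request->secure()`.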

Security caveat: the CSP is not an XSS backstop
-----------------------------------------------

The default CSP is deliberately permissive on `script-src`/`style-src` — it keeps `'unsafe-inline'` and `'unsafe-eval'` so inline Google Tag Manager / gtag and Alpine.js (which evaluates expressions via `new Function`) keep working. The protective value is in the **structural** directives: `frame-ancestors` (clickjacking), `object-src 'none'`, `base-uri`/`form-action` lock-down, and `upgrade-insecure-requests`.

Because `'unsafe-inline'`/`'unsafe-eval'` remain, **this CSP is NOT the XSS backstop** for any untrusted HTML you render (third-party content, imported article bodies, READMEs, etc.). Pair it with output sanitization (for example `symfony/html-sanitizer`) for any such markup — do not treat a permissive script/style CSP as a compensating control. If you do not need inline scripts, tighten `script-src`/`style-src` (drop `'unsafe-inline'`/`'unsafe-eval'`, adopt nonces/hashes).
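To make the assembly rules from the Content-Security-Policy section concrete and to show what "tighten `script-src`" looks like in practice, here is an added, stand-alone illustration. It is not the package's own builder (which is not shown on this page); it models the rules described above independently (ordered map, arrays joined by spaces, `null` or `''` giving a valueless directive), adds a linter that reports `'unsafe-inline'`/`'unsafe-eval'` in `script-src`/`style-src`, and derives a hash source for one inline script so that `'unsafe-inline'` can be dropped. The function names `buildCsp`, `findWeakSources` and `scriptHashSource` and the inline script body are constructed for the example.

```php
<?php

declare(strict_types=1);

// Added illustration, not the package's code.

/**
 * Assemble a Content-Security-Policy value from a directives map.
 * Rules modelled: order preserved, arrays joined by single spaces,
 * null or '' becomes a valueless directive, strings are emitted as-is.
 */
function buildCsp(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $value) {
        if (is_array($value)) {
            $value = implode(' ', $value);
        }
        $value = trim((string) $value);
        $parts[] = $value === '' ? $name : "{$name} {$value}";
    }

    return implode('; ', $parts);
}

/**
 * Report script-src/style-src sources that disable CSP's XSS protection.
 * A directive that is absent falls back to default-src, as browsers do.
 * Returns [directive => [offending sources]]; an empty array means clean.
 */
function findWeakSources(array $directives): array
{
    $weak = ["'unsafe-inline'", "'unsafe-eval'"];
    $report = [];
    foreach (['script-src', 'style-src'] as $directive) {
        $sources = $directives[$directive] ?? $directives['default-src'] ?? [];
        if (! is_array($sources)) {
            $sources = preg_split('/\s+/', trim((string) $sources), -1, PREG_SPLIT_NO_EMPTY);
        }
        $hits = array_values(array_intersect($sources, $weak));
        if ($hits !== []) {
            $report[$directive] = $hits;
        }
    }

    return $report;
}

/** CSP hash source expression for one inline script body (sha256, base64, single-quoted). */
function scriptHashSource(string $inlineScriptBody): string
{
    return "'sha256-" . base64_encode(hash('sha256', $inlineScriptBody, true)) . "'";
}

// --- demonstration ---------------------------------------------------------

// 1. The permissive shape of the README's example: 'unsafe-inline' on script-src.
$permissive = [
    'default-src' => "'self'",
    'script-src'  => ["'self'", "'unsafe-inline'", 'https://www.googletagmanager.com'],
    'img-src'     => "'self' data: https:",
    'frame-ancestors' => "'self'",
    'object-src'  => "'none'",
    'upgrade-insecure-requests' => null, // valueless directive
];
echo buildCsp($permissive), PHP_EOL;
print_r(findWeakSources($permissive)); // reports 'unsafe-inline' under script-src

// 2. Tightened: allow one exact inline bootstrap snippet by hash instead.
$inline = 'window.dataLayer = window.dataLayer || [];'; // constructed sample body
$tightened = $permissive;
$tightened['script-src'] = ["'self'", scriptHashSource($inline), 'https://www.googletagmanager.com'];

echo buildCsp($tightened), PHP_EOL;
var_dump(findWeakSources($tightened)); // empty: no unsafe-* sources remain
```

A hash source only matches the inline body byte for byte, so the template must emit that script unchanged (no reformatting, no injected whitespace); when the body varies per request, a per-response nonce is the alternative. Once a nonce or hash is present in a directive, browsers that support CSP level 2 or later ignore `'unsafe-inline'` in that same directive, which is why the two should not be mixed as a "transition" step.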

Testing
-------

```
composer test
```

Changelog
---------

Please see [CHANGELOG](CHANGELOG.md) for more information on what has changed recently.

Contributing
------------

Please see [CONTRIBUTING](.github/CONTRIBUTING.md) for details.

Security Vulnerabilities
------------------------

Please review [our security policy](../../security/policy) on how to report security vulnerabilities.

Credits
-------

- [Jèfferson Gonçalves](https://github.com/jeffersongoncalves)
- [All Contributors](../../contributors)

License
-------

The MIT License (MIT). Please see [License File](LICENSE.md) for more information.

### Health Score

22 (Low; better than 21% of packages)

- Maintenance: 65 (regular maintenance activity)
- Popularity: 2 (limited adoption so far)
- Community: 9 (small or concentrated contributor base)
- Maturity: 13 (early-stage or recently created project)
- Bus factor: 1 (top contributor holds 83.3% of commits, a single point of failure)


### Community

Maintainers: [Jefferson Gonçalves](/maintainers/jeffersongoncalves) ([@jeffersongoncalves](https://github.com/jeffersongoncalves))

Top contributors: [jeffersongoncalves](https://github.com/jeffersongoncalves) (5 commits), [dependabot[bot]](https://github.com/dependabot[bot]) (1 commit)

Tags: composer, csp, hsts, jeffersongoncalves, laravel, laravel-package, middleware, php, security, security-headers


### Alternatives

- [mews/purifier](/packages/mews-purifier): Laravel 5/6/7/8/9/10 HtmlPurifier Package
- [paragonie/ecc](/packages/paragonie-ecc): PHP Elliptic Curve Cryptography library
- [fof/recaptcha](/packages/fof-recaptcha): Increase your forum's security with Google reCAPTCHA
- [thomaswelton/laravel-mcrypt-faker](/packages/thomaswelton-laravel-mcrypt-faker): Allows installation of Laravel where the PHP Mcrypt extension is not available. Provides encryption using OpenSSL, or by disabling encryption entirely.

PHPackages © 2026

