
jvmtech/flow-security-headers
=============================

PSR-15 middleware for Neos Flow that adds configurable security headers (CSP, X-Frame-Options, X-Content-Type-Options, etc.) to every HTTP response.

Version 0.1.0 (released 2 months ago) · MIT license · PHP

Listed since Feb 27; last pushed 2 months ago

[Source](https://github.com/jvm-tech/Flow.SecurityHeaders) · [Packagist](https://packagist.org/packages/jvmtech/flow-security-headers) · [RSS](/packages/jvmtech-flow-security-headers/feed) (default branch: main; synced 1 month ago)

JvMTECH.Flow.SecurityHeaders
============================


PSR-15 middleware for [Neos Flow](https://flow.neos.io) that adds configurable security headers to every HTTP response.

Features
--------


- Context-aware header values — apply different sources for the Neos backend, development, and [Monocle](https://github.com/sitegeist/Sitegeist.Monocle)
- Fully configurable contexts via Settings.yaml — no hardcoded paths
- Variable substitution in header values (`{HTTP_HOST}`, `{REQUEST_URI}`, `{FLOW_CONTEXT}`)
- Ships with strict defaults; extend per project via Settings.yaml

Installation
------------


```
composer require jvmtech/security-headers
```

Default headers
---------------

| Header | Default value |
| --- | --- |
| `Content-Security-Policy` | Strict `'self'`-only policy with Neos backend overrides |
| `X-Frame-Options` | `SAMEORIGIN` |
| `X-Content-Type-Options` | `nosniff` |

The middleware runs `after routing`, meaning any IP allowlist middleware at the routing step executes before security headers are applied.

Contexts
--------


Contexts are named conditions evaluated against each request. For each directive, the **highest-position active context** that defines a value wins exclusively — its value is used as-is, with no concatenation. `default` (position 0) is the fallback when no higher-priority context defines a value for that directive. If the winning context doesn't define a value for a given directive, the next highest-position active context is tried.

### Built-in contexts

| Context | Position | Active when |
| --- | --- | --- |
| `default` | 0 (implicit) | Always |
| `backendOrDevelopment` | 100 | URI starts with `/neos/` **or** `FLOW_CONTEXT` is `Development` |
| `backend` | 200 | URI starts with `/neos/` |
| `development` | 200 | `FLOW_CONTEXT` is `Development` |

### Defining custom contexts

Add to your site package's `Configuration/Settings.yaml`:

```
JvMTECH:
  Flow:
    SecurityHeaders:
      contexts:
        api:
          position: 300
          uriPrefixes: ['/api/', '/graphql/']
        staging:
          position: 150
          flowContexts: ['Production/Staging']
        apiInDevelopment:
          position: 400
          uriPrefixes: ['/api/']
          flowContexts: ['Development']
          # operator: 'and' is the default
        backendOrStaging:
          position: 100
          uriPrefixes: ['/neos/']
          flowContexts: ['Production/Staging']
          operator: 'or'
```

Each context supports:

| Key | Description |
| --- | --- |
| `position` | Integer priority; higher position wins when multiple contexts match (default: `100`) |
| `uriPrefixes` | List of URI prefixes — active if the request URI starts with **any** of them |
| `flowContexts` | List of Flow contexts — active if `FLOW_CONTEXT` matches **any** of them (exact match or subcontext, e.g. `Production` matches `Production/Staging`) |
| `operator` | `and` (default) — both conditions must match; `or` — either condition suffices |

If only `uriPrefixes` is set, only the URI is checked. If only `flowContexts` is set, only the context is checked.

Header configuration
--------------------


Override any header value in your site package's `Configuration/Settings.yaml`. All keys are merged, so you only need to specify what differs from the defaults.

```
JvMTECH:
  SecurityHeaders:
    Headers:
      Content-Security-Policy:
        img-src:
          default: "'self' data: i.ytimg.com www.youtube.com"
          monocle: "picsum.photos fastly.picsum.photos"
        frame-src: "'self' youtube.com www.youtube.com player.vimeo.com"
        report-uri: "/csp-violation-report/"
      Strict-Transport-Security: "max-age=7776000; includeSubDomains"
```

For context-aware CSP directives, use a map keyed by context name. All active contexts for the current request are concatenated:

```
script-src-elem:
  default: "'self' cdn.example.com"
  backend: "'unsafe-inline'"
  development: "'unsafe-inline' cdn.tailwindcss.com"
  myCustomContext: "extra.example.com"
```

### Variable substitution


The following placeholders are replaced at runtime inside any header value:

| Placeholder | Replaced with |
| --- | --- |
| `{HTTP_HOST}` | Current HTTP host |
| `{REQUEST_URI}` | Current request URI |
| `{FLOW_CONTEXT}` | Current Flow context |

### Health Score

Overall: 29 (Low; better than 59% of packages)

- Maintenance: 84 (actively maintained with recent releases)
- Popularity: 1 (limited adoption so far)
- Community: 6 (small or concentrated contributor base)
- Maturity: 24 (early-stage or recently created project)
- Bus factor: 1 (top contributor holds 100% of commits, a single point of failure)


### Release Activity

- Cadence: Unknown
- Total releases: 1
- Last release: 80 days ago

### Community

Maintainer: [jvmtech](/maintainers/jvmtech) ([@Jvmtech](https://github.com/Jvmtech))

Top contributor: [c4ll-m3-j4ck](https://github.com/c4ll-m3-j4ck) (2 commits)

