softspring/response-headers
===========================

This component provides response headers configuration for Symfony projects

v5.5.6 (10mo ago) · AGPL-3.0-or-later · PHP >=8.1 · CI passing

[Source](https://github.com/softspring/response-headers) · [Packagist](https://packagist.org/packages/softspring/response-headers)

Response headers component
==========================

This component, made for Symfony, lets you set response headers by defining them in configuration.

Installation
------------

### Applications that use Symfony Flex

Open a command console, enter your project directory and execute:

```
$ composer require softspring/response-headers
```

Basic configuration
-------------------

Create a configuration file:

```
# config/packages/response_headers.yaml
parameters:
    response_headers:
        X-Frame-Options: "SAMEORIGIN"
        X-Content-Type-Options: "nosniff"

services:
    Softspring\Component\ResponseHeaders\EventListener\ResponseHeadersListener:
        tags: ['kernel.event_subscriber']
        arguments:
            $headers: '%response_headers%'
```

Use conditions
--------------

You can set some conditions to match before applying response headers.

### Configure services

This feature requires the Symfony expression language component:

```
$ composer require symfony/expression-language
```

Then configure the expression language service:

```
# config/packages/response_headers.yaml
parameters:
    response_headers_global_conditions: []
    response_headers:
        ...

services:
    softspring.response_headers.expression_language:
        class: Symfony\Component\ExpressionLanguage\ExpressionLanguage
        arguments:
            - '@?Psr\Cache\CacheItemPoolInterface'

    Softspring\Component\ResponseHeaders\EventListener\ResponseHeadersListener:
        tags: ['kernel.event_subscriber']
        arguments:
            $headers: '%response_headers%'
            $expressionLanguage: '@softspring.response_headers.expression_language'
            $globalConditions: '%response_headers_global_conditions%'
```

### Define conditions

Now you can set a condition to be matched before applying a response header:

```
# config/packages/response_headers.yaml
parameters:
    response_headers:
        X-Frame-Options:
            value: "SAMEORIGIN"
            # "matches" takes a PCRE pattern, so the regex needs delimiters (here: #)
            condition: "request.getPathInfo() matches '#^/admin#'"
        Access-Control-Allow-Origin:
            value: "*"
            condition: "request.getPathInfo() matches '#^/api#'"
```

### Define global conditions

You can also set global conditions that must match for every header:

```
# config/packages/response_headers.yaml
parameters:
    response_headers_global_conditions:
        - 'isMainRequest'
```

This global condition is recommended, to avoid setting headers for sub-requests, but it's not mandatory.

### Build conditions

In the conditions, the **request** and **response** objects are available. An **isMainRequest** variable is also defined.

See the Symfony [expression-language documentation](https://symfony.com/doc/current/components/expression_language/syntax.html) for the expression syntax.

Headers configuration reference
-------------------------------

There are several ways to define headers:

**Single value header**

```
# config/packages/response_headers.yaml
parameters:
    response_headers:
        X-Frame-Options: "SAMEORIGIN"
```

This code generates an *x-frame-options: "SAMEORIGIN"* header.

**Multiple value header**

Multiple-value headers are merged into a single string delimited by semicolons:

```
# config/packages/response_headers.yaml
parameters:
    response_headers:
        Feature-Policy:
            - "geolocation 'self'"
            - "vibrate 'none'"
```

This code generates a *feature-policy: "geolocation 'self'; vibrate 'none'"* header.

**Value field**

You can also define the values in a *value* field:

```
# config/packages/response_headers.yaml
parameters:
    response_headers:
        X-Frame-Options:
            value: "SAMEORIGIN"
        Feature-Policy:
            value:
                - "geolocation 'self'"
                - "vibrate 'none'"
```

This *value* field is mandatory if you want to set a condition or a replace behaviour.

**Condition**

As described above, headers can be restricted with conditions:

```
# config/packages/response_headers.yaml
parameters:
    response_headers:
        X-Frame-Options:
            value: "SAMEORIGIN"
            condition: "request.getHost() == 'api.mydomain.com'"
```

**Replace behaviour**

The Symfony response lets you define whether a header replaces a previously defined value of the same header.

By default, this replace behaviour is true, but you can disable it using:

```
# config/packages/response_headers.yaml
parameters:
    response_headers:
        X-Frame-Options:
            value: "SAMEORIGIN"
            replace: false
```

Common security headers
-----------------------

This is an example which defines common security headers:

```
# config/packages/response_headers.yaml
parameters:
    response_headers_global_conditions:
        - 'isMainRequest'
    response_headers:
        X-XSS-Protection:
            - "1"
            - "mode=block"
        X-Frame-Options: "SAMEORIGIN"
        X-Content-Type-Options: "nosniff"
        Strict-Transport-Security:
            - "max-age=31536000"
            - "includeSubDomains"
        Referrer-Policy: "same-origin"
        Feature-Policy:
            - "geolocation 'self'"
            - "vibrate 'none'"
            # ... include every feature the application uses.
        Content-Security-Policy:
            - "default-src 'none'"
            - "img-src 'self'"
            - "font-src 'self'"
            - "manifest-src 'self'"
            - "frame-src 'self'"
            - "script-src 'self' 'unsafe-inline'"
            - "style-src 'self' 'unsafe-inline'"
            - "connect-src 'self'"
```

Review the Content-Security-Policy so that it includes the base URL of every service you use. Also try to avoid the *unsafe-inline* setting where you can; whether that is possible depends on your project.
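To confirm that a deployed application really emits the headers configured above, the following added example (not part of this component or its README) audits raw response headers such as the output of `curl -sI`. The `audit_headers` function, its finding strings and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit response headers against the "Common security headers" list.
# Reads raw HTTP response headers on stdin, for instance:
#   curl -sI https://app.example.test/ | audit_headers     (hypothetical URL)
# Prints one finding per line; the exit status is 1 when there is any finding.

REQUIRED="x-frame-options x-content-type-options strict-transport-security referrer-policy content-security-policy"

audit_headers() {
    tr -d '\r' | awk -v required="$REQUIRED" '
        # Header lines are "Name: value"; header names are case-insensitive.
        /^[A-Za-z0-9-]+:/ {
            colon = index($0, ":")
            name  = tolower(substr($0, 1, colon - 1))
            value = substr($0, colon + 1)
            sub(/^[ \t]+/, "", value)
            seen[name] = value
        }
        END {
            bad = 0
            n = split(required, req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) { print "MISSING " req[i]; bad = 1 }
            if (("x-content-type-options" in seen) &&
                tolower(seen["x-content-type-options"]) != "nosniff") {
                print "WEAK x-content-type-options: expected nosniff"; bad = 1
            }
            # unsafe-inline in script-src permits injected inline scripts to run.
            if (seen["content-security-policy"] ~ /script-src[^;]*unsafe-inline/) {
                print "WEAK content-security-policy: script-src allows unsafe-inline"; bad = 1
            }
            exit bad
        }'
}

# Constructed sample: headers shaped like the example configuration above,
# with list values joined by semicolons as the reference section describes.
sample_response() {
    cat <<'EOF'
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: same-origin
Content-Security-Policy: default-src 'none'; img-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
EOF
}

sample_response | audit_headers || true
```

Run it against both a main page and a path covered by a condition (such as `/admin`) to see that conditional headers appear only where expected.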

License
-------

This package is free and released under the [AGPL-3.0 license](LICENSE).
