PHPackages spatie/laravel-csp - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Security](/categories/security) 4. / 5. spatie/laravel-csp ActiveLibrary[Security](/categories/security) spatie/laravel-csp ================== Add CSP headers to the responses of a Laravel app 3.23.0(2mo ago)8569.6M—3%10016MITPHPPHP ^8.3CI passing Since Feb 17Pushed 1w ago11 watchersCompare [ Source](https://github.com/spatie/laravel-csp)[ Packagist](https://packagist.org/packages/spatie/laravel-csp)[ Docs](https://github.com/spatie/laravel-csp)[ Fund](https://spatie.be/open-source/support-us)[ RSS](/packages/spatie-laravel-csp/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (10)Dependencies (7)Versions (80)Used By (16) [ ![Logo for Laravel CSP](https://camo.githubusercontent.com/28160772983638d2a63baf8e3ff1d93e9798a9270edaee93a23cd89a038d3c4d/68747470733a2f2f7370617469652e62652f7061636b616765732f6865616465722f6c61726176656c2d6373702f68746d6c2f6c696768742e77656270) ](https://spatie.be/open-source?utm_source=github&utm_medium=banner&utm_campaign=laravel-csp)Set content security policy headers in a Laravel app ==================================================== [](#set-content-security-policy-headers-in-a-laravel-app) [![Latest Version on Packagist](https://camo.githubusercontent.com/e23b0c50e99554998c2688746eb33a882c824d78a411fa1aa82edbc493153795/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f7370617469652f6c61726176656c2d6373702e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/spatie/laravel-csp)[![GitHub Workflow Status](https://camo.githubusercontent.com/6d62d10a31bb291ae90323b2a334468ed98d5af7f6677358038a1198493c79de/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f7370617469652f6c61726176656c2d6373702f72756e2d74657374732e796d6c3f6272616e63683d6d61696e266c6162656c3d7465737473267374796c653d666c61742d737175617265)](https://camo.githubusercontent.com/6d62d10a31bb291ae90323b2a334468ed98d5af7f6677358038a1198493c79de/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f7370617469652f6c61726176656c2d6373702f72756e2d74657374732e796d6c3f6272616e63683d6d61696e266c6162656c3d7465737473267374796c653d666c61742d737175617265)[![Check & fix styling](https://github.com/spatie/laravel-csp/workflows/Check%20&%20fix%20styling/badge.svg)](https://github.com/spatie/laravel-csp/workflows/Check%20&%20fix%20styling/badge.svg)[![Total Downloads](https://camo.githubusercontent.com/b323cd8865a82626a811bed9ee31043a845bc00d0cee999f2a41d8690d400487/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f7370617469652f6c61726176656c2d6373702e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/spatie/laravel-csp) By default, all scripts on a webpage are allowed to send and fetch data to any site they want. This can be a security problem. Imagine one of your JavaScript dependencies sends all keystrokes, including passwords, to a third party website. It's very easy for someone to hide this malicious behaviour, making it nearly impossible for you to detect it (unless you manually read all the JavaScript code on your site). For a better idea of why you really need to set content security policy headers, read [this excellent blog post](https://medium.com/hackernoon/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5) by [David Gilbertson](https://twitter.com/D__Gilbertson). Setting Content Security Policy headers helps solve this problem. These headers dictate which sites your site is allowed to contact. This package makes it easy for you to set the right headers. This readme does not aim to fully explain all the possible usages of CSP and its directives. We highly recommend that you read [Mozilla's documentation on the Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) before using this package. Another good resource to learn about CSP, is [this edition of the Larasec newsletter](https://larasec.substack.com/p/in-depth-content-security-policy) by Stephen Rees-Carter. Support us ---------- [](#support-us) [![](https://camo.githubusercontent.com/0cec5e65f1ab9abd964221088f6f4b31182311ffc7c0943857beb32ff3e4c23d/68747470733a2f2f6769746875622d6164732e73332e65752d63656e7472616c2d312e616d617a6f6e6177732e636f6d2f6c61726176656c2d6373702e6a70673f743d31)](https://spatie.be/github-ad-click/laravel-csp) We invest a lot of resources into creating [best in class open source packages](https://spatie.be/open-source). You can support us by [buying one of our paid products](https://spatie.be/open-source/support-us). We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on [our contact page](https://spatie.be/about-us). We publish all received postcards on [our virtual postcard wall](https://spatie.be/open-source/postcards). Installation ------------ [](#installation) You can install the package via composer: ``` composer require spatie/laravel-csp ``` You can publish the config-file with: ``` php artisan vendor:publish --tag=csp-config ``` This is the contents of the file which will be published at `config/csp.php`: ``` return [ /* * Presets will determine which CSP headers will be set. A valid CSP preset is * any class that implements `Spatie\Csp\Preset` */ 'presets' => [ Spatie\Csp\Presets\Basic::class, ], /** * Register additional global CSP directives here. */ 'directives' => [ // [Directive::SCRIPT, [Keyword::UNSAFE_EVAL, Keyword::UNSAFE_INLINE]], ], /* * These presets which will be put in a report-only policy. This is great for testing out * a new policy or changes to existing CSP policy without breaking anything. */ 'report_only_presets' => [ // ], /** * Register additional global report-only CSP directives here. */ 'report_only_directives' => [ // [Directive::SCRIPT, [Keyword::UNSAFE_EVAL, Keyword::UNSAFE_INLINE]], ], /* * All violations against a policy will be reported to this url. * A great service you could use for this is https://report-uri.com/ */ 'report_uri' => env('CSP_REPORT_URI', ''), /* * Optional separate report url for the report-only policy. When empty, * the report-only policy falls back to `report_uri` above. */ 'report_only_uri' => env('CSP_REPORT_ONLY_URI', ''), /* * The name of the reporting endpoint that violations should be sent to. * The endpoint itself must be defined in `reporting_endpoints` below. */ 'report_to' => env('CSP_REPORT_TO', ''), /* * Optional separate reporting endpoint name for the report-only policy. * When empty, the report-only policy falls back to `report_to` above. */ 'report_only_to' => env('CSP_REPORT_ONLY_TO', ''), /* * Reporting endpoints that will be sent in the `Reporting-Endpoints` HTTP * header. The keys are the endpoint names that can be referenced from * `report_to` above. */ 'reporting_endpoints' => [ // 'default' => 'https://example.com/csp-reports', ], /* * Headers will only be added if this setting is set to true. */ 'enabled' => env('CSP_ENABLED', true), /** * Headers will be added when Vite is hot reloading. */ 'enabled_while_hot_reloading' => env('CSP_ENABLED_WHILE_HOT_RELOADING', false), /* * The class responsible for generating the nonces used in inline tags and headers. */ 'nonce_generator' => Spatie\Csp\Nonce\RandomString::class, /* * Set false to disable automatic nonce generation and handling. * This is useful when you want to use 'unsafe-inline' for scripts/styles * and cannot add inline nonces. * Note that this will make your CSP policy less secure. */ 'nonce_enabled' => env('CSP_NONCE_ENABLED', true), ]; ``` You can add CSP headers to all responses of your app by registering `Spatie\Csp\AddCspHeaders::class` as global middleware in `bootstrap/app.php`. ``` use Spatie\Csp\AddCspHeaders; ->withMiddleware(function (Middleware $middleware) { $middleware->append(AddCspHeaders::class); }) ``` Alternatively you can apply the middleware on the route or route group level. ``` // In your routes file Route::get('my-page', 'MyController') ->middleware(AddCspHeaders::class); ``` You can also pass a preset class as a parameter to the middleware: ``` // In your routes file Route::get('my-page', 'MyController') ->middleware(AddCspHeaders::class . ':' . MyPreset::class); ``` The given preset will override the ones configured in the `config/csp.php` config file for that specific route or group of routes. Alternatively, you can register your CSP policies as a meta tag using our Blade directives. ``` {{-- app/layout.blade.php --}} @cspMetaTag ``` Usage ----- [](#usage) This package ships with a few commonly used presets to get your started. *We're happy to receive PRs for more services!* PolicyServices`Basic`Allow requests to scripts, images… within the application`AdobeFonts`[fonts.adobe.com](https://fonts.adobe.com) (previously typekit.com)`Alchemer Survey`[alchemer.com](https://www.alchemer.com)`Algolia`[algolia.com](https://www.algolia.com)`Bootstrap`[getbootstrap.com](https://getbootstrap.com)`Bunny Fonts`[fonts.bunny.net](https://fonts.bunny.net/)`Chargebee`[chargebee.com](https://www.chargebee.com/)`Cloudflare Cdn`[cloudflare.com](https://www.cloudflare.com/en-in/application-services/products/cdn/)`Cloudflare Turnstile`[cloudflare.com](https://www.cloudflare.com/application-services/products/turnstile/)`Cloudflare Web Analytics`[cloudflare.com](https://developers.cloudflare.com/web-analytics/)`Fathom`[usefathom.com](https://usefathom.com)`Google TLD's`Allow all Google Top Level Domains for 'connect' and 'image'`Google`Google Analytics & Tag Manager`GoogleFonts`[fonts.google.com](https://fonts.google.com)`GoogleLookerStudio`[lookerstudio.google.com](https://lookerstudio.google.com)`GoogleMaps`[maps.google.com](https://maps.google.com)`GoogleRecaptcha`[developers.google.com](https://developers.google.com/recaptcha)`Hcaptcha`[hcaptcha.com](https://docs.hcaptcha.com)`Heap Analytics`[heap.io](https://www.heap.io/)`Hireroad`[hireroad.com](https://hireroad.com)`Hotjar`[hotjar.com](https://help.hotjar.com/hc/en-us/articles/115011640307-Content-Security-Policies)`HubSpot`[hubspot.com](https://hubspot.com) (full suite)`Intercom`[intercom.com](https://intercom.com/)`JsDelivr`[jsdelivr.com](https://jsdelivr.com)`JQuery`[jquery.com](https://jquery.com)`Maze`[maze.co](https://maze.co)`Meta Pixel`[facebook.com](https://en-gb.facebook.com/business/tools/meta-pixel)`Microsoft Clarity`[clarity.microsoft.com](https://clarity.microsoft.com)`Plain`[plain.com](https://plain.com)`Plausible Analytics`[plausible.io](http://plausible.io/)`Posthog`[posthog.com](https://posthog.com/)`Rollbar`[posthog.com](https://docs.rollbar.com/docs/javascript)`Sentry`[sentry.io](https://sentry.io/)`Stripe`[stripe.com](https://stripe.com/)`SurveyMonkey`[surveymonkey.com](https://www.surveymonkey.com/)`TicketTailor`[tickettailor.com](https://www.tickettailor.com)`Tolt`[tolt.io](https://tolt.io)`TrackJS`[trackjs.com](https://trackjs.com)`Vimeo`[vimeo.com](https://vimeo.com)`Visual Website Optimizer`[vwo.com](https://vwo.com)`Whereby`[whereby.com](https://whereby.com)Register the presets you want to use for your application in `config/csp.php` under the `presets` or `report_only_presets` key. If you have app-specific needs or the service you're integrated isn't included in this package, you can create your own preset as explained below. You can also register global directives in the configuration file using a tuple notation. ``` 'directives' => [ [Directive::SCRIPT, Keyword::UNSAFE_EVAL], ], 'report_only_directives' => [ [Directive::SCRIPT, Keyword::UNSAFE_INLINE], ], ``` Here you may also create multiple directive & value combinations by padding multiple values in the tuple. ``` 'directives' => [ [[Directive::SCRIPT, Directive::STYLE], [Keyword::UNSAFE_EVAL, Keyword::UNSAFE_INLINE]], ], ``` Creating a preset ----------------- [](#creating-a-preset) An example of a CSP directive is `script-src`. If this has the value `'self' www.google.com` then your site can only load scripts from its own domain or `www.google.com`. You'll find [a list with all CSP directives](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/#Directives) at Mozilla's excellent developer site. According to the spec certain directive values need to be surrounded by quotes. Examples of this are `'self'`, `'none'` and `'unsafe-inline'`. When using `add` function you're not required to surround the directive value with quotes manually. We will automatically add quotes. Script/style hashes, as well, will be auto-detected and surrounded with quotes. ``` public function configure(Policy $policy): void { $policy // Will output `'self'` when outputting headers ->add(Directive::SCRIPT, Keyword::SELF) // Will output `'sha256-hash'` when outputting headers ->add(Directive::STYLE, 'sha256-hash'); } ``` You may also use the same keywords for multiple directives by passing an array of directives. ``` public function configure(Policy $policy): void { $policy->add([Directive::SCRIPT, DIRECTIVE::STYLE], 'www.google.com'); } ``` Or multiple keywords for one or more directives. ``` public function configure(Policy $policy): void { $policy ->add(Directive::SCRIPT, [Keyword::UNSAFE_EVAL, Keyword::UNSAFE_INLINE]) ->add([Directive::SCRIPT, DIRECTIVE::STYLE], ['www.google.com', 'analytics.google.com']); } ``` There are also a few cases where you don't have to or don't need to specify a value, eg. upgrade-insecure-requests, ... In this case you can use the following value: ``` public function configure(Policy $policy): void { $policy ->add(Directive::UPGRADE_INSECURE_REQUESTS, Value::NO_VALUE); } ``` This will output a CSP like this: ``` Content-Security-Policy: upgrade-insecure-requests ``` The `presets` key of the `csp` config file is set to `[\Spatie\Csp\Presets\Basic::class]` by default. This class allows your site to only use images, scripts, form actions of your own site. ``` namespace Spatie\Csp\Presets; use Spatie\Csp\Directive; use Spatie\Csp\Keyword; use Spatie\Csp\Policy; use Spatie\Csp\Preset; class Basic implements Preset { public function configure(Policy $policy): void { $policy ->add(Directive::BASE, Keyword::SELF) ->add(Directive::CONNECT, Keyword::SELF) ->add(Directive::DEFAULT, Keyword::SELF) ->add(Directive::FORM_ACTION, Keyword::SELF) ->add(Directive::IMG, Keyword::SELF) ->add(Directive::MEDIA, Keyword::SELF) ->add(Directive::OBJECT, Keyword::NONE) ->add(Directive::SCRIPT, Keyword::SELF) ->add(Directive::STYLE, Keyword::SELF) ->addNonce(Directive::SCRIPT) ->addNonce(Directive::STYLE); } } ``` You can allow fetching scripts from `www.google.com` by writing a custom preset. ``` namespace App\Support; use Spatie\Csp\Directive; use Spatie\Csp\Keyword; use Spatie\Csp\Policy; use Spatie\Csp\Preset; class MyCspPreset implements Preset { public function configure(Policy $policy): void { $policy->add(Directive::SCRIPT, 'www.google.com'); } } ``` Don't forget to update the `presets` key in the `csp` config file to the class name of your preset. ``` 'presets' => [ Spatie\Csp\Presets\Basic::class, App\Support\MyCspPreset::class, ], ``` ### Using inline scripts and styles [](#using-inline-scripts-and-styles) When using CSP you must specifically allow the use of inline scripts or styles. The recommended way of doing that with this package is to use a `nonce`. A nonce is a number that is unique per request. The nonce must be specified in the CSP headers and in an attribute on the html tag. This way an attacker has no way of injecting malicious scripts or styles. First you must add the nonce to the right directives in your policy: ``` public function configure(Policy $policy): void { $policy // alternatively use Keyword::STRICT_DYNAMIC on Livewire or Inertia.js ->add(Directive::SCRIPT, Keyword::SELF) ->add(Directive::STYLE, Keyword::SELF) ->addNonce(Directive::SCRIPT) ->addNonce(Directive::STYLE); } ``` Next add the nonce to style and script tags: ``` ... ... ``` To pass or retrieve the nonce for directives that generate scripts dynamically, use `app('csp-nonce')`: ``` @googlefonts(['nonce' => app('csp-nonce')]) ``` There are few other options to use inline styles and scripts. Take a look at the [CSP docs on the Mozilla developer site](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) to know more. ### Integration with Vite [](#integration-with-vite) When building assets, the Laravel Vite plugin can [handle nonce](https://laravel.com/docs/12.x/vite#content-security-policy-csp-nonce), that can be generated with `Vite::useCspNonce()` and retrieved using `Vite::cspNonce()`: ``` namespace App\Support; use Illuminate\Support\Facades\Vite; use Spatie\Csp\Nonce\NonceGenerator; class LaravelViteNonceGenerator implements NonceGenerator { public function generate(): string { return Vite::useCspNonce(); } } ``` Alternatively, you can instruct Vite to use a specific nonce value: ``` namespace App\Support; use Illuminate\Support\Str; use Illuminate\Support\Facades\Vite; use Spatie\Csp\Nonce\NonceGenerator; class LaravelViteNonceGenerator implements NonceGenerator { public function generate(): string { // Determine the value for `$myNonce` however you want $myNonce = ''; return Vite::useCspNonce($myNonce); } } ``` The generated nonce should be a **base64-value** derived from at least **16 bytes of secure random data**This limits the character set to characters safe for use in HTML attributes and HTTP headers. For more details, see the [W3C Content Security Policy Level 3 specification](https://www.w3.org/TR/CSP3/#grammardef-base64-value). Change the default `nonce_generator` key of the `config/csp.php` config file to the Vite nonce generator: ``` /* * The class responsible for generating the nonces used in inline tags and headers. */ 'nonce_generator' => App\Support\LaravelViteNonceGenerator::class, ``` The Vite nonce value will now be used when you call `app('csp-nonce')` or `Vite::cspNonce()`. ### Outputting a CSP Policy as a meta tag [](#outputting-a-csp-policy-as-a-meta-tag) In rare circumstances, a large site may have so many external connections that the CSP header actually exceeds the max header size. Or you might be generating a static page with Laravel and don't have control over the headers when the response is sent. Thankfully, the [CSP specification](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#using_the_html_meta_element) allows for outputting information as a meta tag in the head of a webpage. This package provides a `@cspMetaTag` blade directive that you may place in the `` of your site. This will render a header for all configured presets (both default and report-only). ``` @cspMetaTag ``` You may also use this tag to render a specific preset. ``` @cspMetaTag(App\Support\MyCustomPreset::class) ``` Or use the `@cspMetaTagReportOnly` tag to render a specific preset in report-only mode. ``` @cspMetaTagReportOnly(App\Support\MyCustomPreset::class) ``` ### Reporting CSP errors [](#reporting-csp-errors) #### In the browser [](#in-the-browser) Instead of outright blocking all violations, you can put configure a CSP policy in report only mode by registering presets in the `report_only_presets` configuration option. In this case all requests will be made, but all violations will display in your favourite browser's console. #### To an external url [](#to-an-external-url) Any violations against the policy can be reported to a given url. There are two CSP directives for this: - `report-uri`: the original directive. It is deprecated, but still supported by most browsers. Set the url in the `report_uri` key of the `csp` config file. - `report-to`: the modern replacement. It points to a named endpoint defined in the `Reporting-Endpoints` HTTP header. Set the endpoint name in the `report_to` key, and define the endpoint url in the `reporting_endpoints` array. While the new directive is rolling out across browsers, you can configure both at the same time. Older browsers will use `report-uri`, newer ones will use `report-to`. ``` // config/csp.php 'report_uri' => env('CSP_REPORT_URI', 'https://example.com/csp-reports'), 'report_to' => env('CSP_REPORT_TO', 'default'), 'reporting_endpoints' => [ 'default' => 'https://example.com/csp-reports', ], ``` A great service that is specifically built for handling these violation reports is . If you are running an enforcing and a report-only policy side-by-side and need them to report to different endpoints (for example, report-uri.com requires `/enforce` for `Content-Security-Policy` and `/reportOnly` for `Content-Security-Policy-Report-Only`), you can configure `report_only_uri` and/or `report_only_to`: ``` // config/csp.php 'report_uri' => env('CSP_REPORT_URI', 'https://example.report-uri.com/r/d/csp/enforce'), 'report_only_uri' => env('CSP_REPORT_ONLY_URI', 'https://example.report-uri.com/r/d/csp/reportOnly'), ``` When `report_only_uri` (or `report_only_to`) is empty, the report-only policy reuses `report_uri` (or `report_to`). ### Testing [](#testing) You can run all the tests with: ``` composer test ``` ### Changelog [](#changelog) Please see [CHANGELOG](CHANGELOG.md) for more information what has changed recently. Contributing ------------ [](#contributing) Please see [CONTRIBUTING](https://github.com/spatie/.github/blob/main/CONTRIBUTING.md) for details. ### Security [](#security) If you've found a bug regarding security please mail instead of using the issue tracker. Credits ------- [](#credits) - [Freek Van der Herten](https://github.com/freekmurze) - [Sebastian De Deyne](https://github.com/sebastiandedeyne) - [Thomas Verhelst](https://github.com/TVke) - [All Contributors](../../contributors) License ------- [](#license) The MIT License (MIT). Please see [License File](LICENSE.md) for more information. ### Health Score 78 — ExcellentBetter than 100% of packages Maintenance92 Actively maintained with recent releases Popularity70 Solid adoption and visibility Community41 Growing community involvement Maturity93 Battle-tested with a long release history Bus Factor2 2 contributors hold 50%+ of commits How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~37 days Total 79 Last Release 87d ago Major Versions 0.0.6 → 1.0.02018-02-20 v1.x-dev → 2.0.02018-11-05 v2.x-dev → 3.0.02025-03-11 PHP version history (7 changes)0.0.1PHP ^7.1 1.0.5PHP ^7.0 2.2.0PHP ^7.2 2.6.4PHP ^7.2|^8.0 2.7.0PHP ^8.0 2.9.0PHP ^8.1 3.0.0PHP ^8.3 ### Community Maintainers ![](https://avatars.githubusercontent.com/u/7535935?v=4)[Spatie](/maintainers/spatie)[@spatie](https://github.com/spatie) --- Top Contributors [![freekmurze](https://avatars.githubusercontent.com/u/483853?v=4)](https://github.com/freekmurze "freekmurze (152 commits)")[![sebastiandedeyne](https://avatars.githubusercontent.com/u/1561079?v=4)](https://github.com/sebastiandedeyne "sebastiandedeyne (72 commits)")[![chinmaypurav](https://avatars.githubusercontent.com/u/70144052?v=4)](https://github.com/chinmaypurav "chinmaypurav (15 commits)")[![TVke](https://avatars.githubusercontent.com/u/15680337?v=4)](https://github.com/TVke "TVke (11 commits)")[![ziadoz](https://avatars.githubusercontent.com/u/645637?v=4)](https://github.com/ziadoz "ziadoz (10 commits)")[![moebrowne](https://avatars.githubusercontent.com/u/8448512?v=4)](https://github.com/moebrowne "moebrowne (9 commits)")[![christianschoenmakers](https://avatars.githubusercontent.com/u/14851445?v=4)](https://github.com/christianschoenmakers "christianschoenmakers (8 commits)")[![atomicjam](https://avatars.githubusercontent.com/u/5812359?v=4)](https://github.com/atomicjam "atomicjam (7 commits)")[![AdrianMrn](https://avatars.githubusercontent.com/u/12762044?v=4)](https://github.com/AdrianMrn "AdrianMrn (7 commits)")[![Gummibeer](https://avatars.githubusercontent.com/u/6187884?v=4)](https://github.com/Gummibeer "Gummibeer (4 commits)")[![rubenvanassche](https://avatars.githubusercontent.com/u/619804?v=4)](https://github.com/rubenvanassche "rubenvanassche (4 commits)")[![ndeblauw](https://avatars.githubusercontent.com/u/4344869?v=4)](https://github.com/ndeblauw "ndeblauw (4 commits)")[![bashgeek](https://avatars.githubusercontent.com/u/4669888?v=4)](https://github.com/bashgeek "bashgeek (4 commits)")[![laravel-shift](https://avatars.githubusercontent.com/u/15991828?v=4)](https://github.com/laravel-shift "laravel-shift (4 commits)")[![jackbayliss](https://avatars.githubusercontent.com/u/13621738?v=4)](https://github.com/jackbayliss "jackbayliss (3 commits)")[![ohiader](https://avatars.githubusercontent.com/u/21202712?v=4)](https://github.com/ohiader "ohiader (3 commits)")[![nessimabadi](https://avatars.githubusercontent.com/u/11637110?v=4)](https://github.com/nessimabadi "nessimabadi (3 commits)")[![nathan818fr](https://avatars.githubusercontent.com/u/10061173?v=4)](https://github.com/nathan818fr "nathan818fr (2 commits)")[![AlexVanderbist](https://avatars.githubusercontent.com/u/6287961?v=4)](https://github.com/AlexVanderbist "AlexVanderbist (2 commits)")[![IlCallo](https://avatars.githubusercontent.com/u/10036108?v=4)](https://github.com/IlCallo "IlCallo (2 commits)") --- Tags csphttplaravelrequestsecurityspatielaravelsecurityheaderscspcontent-security-policylaravel-csp ### Code Quality TestsPest ### Embed Badge ![Health badge](/badges/spatie-laravel-csp/health.svg) ``` [![Health](https://phpackages.com/badges/spatie-laravel-csp/health.svg)](https://phpackages.com/packages/spatie-laravel-csp) ``` ### Alternatives [spatie/laravel-responsecache Speed up a Laravel application by caching the entire response 2.8k8.2M51](/packages/spatie-laravel-responsecache)[spatie/laravel-ciphersweet Use ciphersweet in your Laravel project 416718.4k1](/packages/spatie-laravel-ciphersweet)[tzsk/otp A secure, database-free One-Time Password (OTP) generator and verifier for PHP and Laravel. 241641.4k1](/packages/tzsk-otp)[mazedlx/laravel-feature-policy Add Feature-Policy headers to the responses of a Laravel app 17180.5k](/packages/mazedlx-laravel-feature-policy)[stevenmaguire/laravel-middleware-csp Provides support for enforcing Content Security Policy with headers in Laravel responses. 39107.6k](/packages/stevenmaguire-laravel-middleware-csp)[laragear/poke Keep your forms alive, avoid TokenMismatchException by gently poking your Laravel app 2211.5k](/packages/laragear-poke) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)