
zaxbux/wn-securityheaders-plugin
================================

Easily configure HTTP response headers to increase site security.

v1.0.6 (4y ago) · MIT · PHP ^7.4

Since May 18 · Pushed 4y ago · 1 watcher

[Source](https://github.com/zaxbux/wn-securityheaders-plugin) · [Packagist](https://packagist.org/packages/zaxbux/wn-securityheaders-plugin) · [Docs](https://github.com/zaxbux/wn-securityheaders-plugin)

Security Headers
================


This Winter CMS plugin allows you to manage a variety of security HTTP headers for your application.

See your score at [securityheaders.com](https://securityheaders.com/).

CSP Nonce
---------


This plugin generates a cryptographic nonce (128 bits, base64 encoded) for each HTTP response. To use the CSP nonce, enable the `'nonce'` source for a CSP directive and include the `CSPNonce` component on the layout or page you want to apply the nonce to. A page variable named `csp_nonce` will contain the base64 encoded nonce.

```

	// ...

```

In Case Things Break
--------------------


Enabling the Content Security Policy header or the Strict Transport Security (HSTS) header can break your site if they are not set up properly. In each case, there is a console command to disable the header again.

To disable the CSP from the console:

```
artisan securityheaders:disable_csp
```

To disable HSTS from the console:

```
artisan securityheaders:disable_hsts
```

Headers by Controller
---------------------


Different headers are applied to different routes, depending on which controller handles the request. The **System** and **Backend** controllers receive a limited set of security headers to avoid breaking functionality. For example, the backend would require the `unsafe-inline` directive, effectively making a CSP policy useless, so that header is not added there.

### System


The `System\Classes\SystemController` controller handles asset combining. These are the headers that may be sent:

- Strict-Transport-Security
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection

### Backend


The `Backend\Classes\BackendController` controller handles the backend CMS. These are the headers that may be sent:

- Strict-Transport-Security
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection

### CMS


The `Cms\Classes\CmsController` controller handles the frontend. These are the headers that may be sent:

- Strict-Transport-Security
- Referrer-Policy
- Content-Security-Policy
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection
- Feature-Policy

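To make the two mechanisms concrete, here is an added illustration (not the plugin's own code) of how the per-response nonce described under CSP Nonce and the per-controller header sets listed above fit together. The function names and the header values are assumptions for the example, not the plugin's defaults.

```php
<?php
// Added illustration, not the plugin's code: a 128-bit CSP nonce and
// per-controller header selection modelled on the README's lists above.
declare(strict_types=1);

function cspNonce(): string
{
    // 16 random bytes = 128 bits, base64 encoded, as the README describes.
    return base64_encode(random_bytes(16));
}

function securityHeaders(string $controller, string $nonce): array
{
    // Headers every listed controller may receive (values are assumptions).
    $headers = [
        'Strict-Transport-Security' => 'max-age=63072000; includeSubDomains',
        'X-Frame-Options'           => 'DENY',
        'X-Content-Type-Options'    => 'nosniff',
        'X-XSS-Protection'          => '0',
    ];

    // Only the frontend (CmsController) gets CSP, Referrer-Policy and
    // Feature-Policy; the backend would need 'unsafe-inline', so it gets no CSP.
    if ($controller === 'Cms\\Classes\\CmsController') {
        $headers['Referrer-Policy'] = 'strict-origin-when-cross-origin';
        $headers['Content-Security-Policy'] =
            "default-src 'self'; script-src 'self' 'nonce-{$nonce}'; object-src 'none'";
        $headers['Feature-Policy'] = "geolocation 'none'; camera 'none'";
    }
    return $headers;
}

// Check that an inline <script> carries the nonce this response was issued with
// (constant-time compare, so the check itself leaks nothing about the nonce).
function scriptMatchesNonce(string $html, string $nonce): bool
{
    return preg_match('/<script[^>]*\snonce="([^"]+)"/', $html, $m) === 1
        && hash_equals($nonce, $m[1]);
}

// Constructed demo run: frontend request, one nonce, one tagged script.
$nonce   = cspNonce();
foreach (securityHeaders('Cms\\Classes\\CmsController', $nonce) as $name => $value) {
    echo "$name: $value\n";   // in Winter CMS these would be set on the Response
}
$tag = '<script nonce="' . htmlspecialchars($nonce) . '">console.log("ok")</script>';
var_dump(scriptMatchesNonce($tag, $nonce));          // bool(true)
var_dump(scriptMatchesNonce($tag, cspNonce()));      // bool(false): stale nonce
```

Note that the backend and system controllers get the same four base headers without a CSP, which is exactly why a stale or missing nonce only matters on frontend responses.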
---

Obsolete Headers
----------------

These headers can still be configured in case legacy browsers need to be supported, but they are not recommended if you only support current browser versions.

### X-Frame-Options


The `X-Frame-Options` header has been obsoleted by the `frame-ancestors` directive from CSP Level 2 for supporting browsers.

### X-XSS-Protection


This header is non-standard, and support has been removed from (or was never present in) the majority of browsers. A **Content Security Policy** gives better protection. It is currently supported only in IE 11 and Safari ([caniuse.com](https://caniuse.com/#feat=mdn-http_headers_x-xss-protection)).

- [Never implemented in Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=528661)
- [Removed in Chrome 78](https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/TuYw-EZhO9g/blGViehIAwAJ)
- [Removed from Edge](https://blogs.windows.com/windowsexperience/2018/07/25/announcing-windows-10-insider-preview-build-17723-and-build-18204/)


### Release Activity

- Cadence: every ~193 days
- Total releases: 5
- Last release: 1463d ago
- PHP version history (2 changes): v1.0.1 requires PHP 7; 1.0.5 requires PHP ^7.4

### Community

Maintainers: [zaxbux](/maintainers/zaxbux)

Top contributors: [zaxbux](https://github.com/zaxbux) (51 commits)

Tags: content-security-policy, hsts, security, wintercms, wintercms-plugin, csp, xss


### Alternatives

- [spatie/laravel-csp](/packages/spatie-laravel-csp): Add CSP headers to the responses of a Laravel app
- [helsingborg-stad/municipio](/packages/helsingborg-stad-municipio): A bootstrap theme for creating municipality sites.
- [aidantwoods/secureheaders](/packages/aidantwoods-secureheaders): A PHP class aiming to make the use of browser security features more accessible.
- [paragonie/csp-builder](/packages/paragonie-csp-builder): Easily add and update Content-Security-Policy headers for your project
- [born05/craft-csp](/packages/born05-craft-csp): Content Security Policy (or CSP) generator using nonces.

PHPackages © 2026
