Skip to content

Instantly share code, notes, and snippets.

@chetans9

chetans9/SecureHeadersMiddleware.php

Last active February 15, 2024 13:26
Show Gist options
  • Star 8 You must be signed in to star a gist
  • Fork 3 You must be signed in to fork a gist
  • Save chetans9/e07fb1db00caf1f11ee38a9e03514c5c to your computer and use it in GitHub Desktop.
Save chetans9/e07fb1db00caf1f11ee38a9e03514c5c to your computer and use it in GitHub Desktop.
Download ZIP
Laravel Secure Headers Middleware
Raw
SecureHeadersMiddleware.php
<?php
namespace App\Http\Middleware;
use Closure;
class SecureHeadersMiddleware
{
// Enumerate headers which you do not want in your application's responses.
// Great starting point would be to go check out @Scott_Helme's:
// https://securityheaders.com/
private $unwantedHeaderList = [
'X-Powered-By',
'Server',
];
public function handle($request, Closure $next)
{
$this->removeUnwantedHeaders($this->unwantedHeaderList);
$response = $next($request);
$response->headers->set('Referrer-Policy', 'no-referrer-when-downgrade');
$response->headers->set('X-Content-Type-Options', 'nosniff');
$response->headers->set('X-XSS-Protection', '1; mode=block');
$response->headers->set('X-Frame-Options', 'DENY');
$response->headers->set('Strict-Transport-Security', 'max-age:31536000; includeSubDomains');
$response->headers->set('Content-Security-Policy', "style-src 'self'");
return $response;
}
private function removeUnwantedHeaders($headerList)
{
foreach ($headerList as $header)
header_remove($header);
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment