Laravel HTTP Security Headers config file
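<?php

declare(strict_types=1);

/*
 * HTTP security-header configuration (read by a security-headers middleware;
 * the key names below are the contract that middleware consumes, so they are
 * kept unchanged).
 *
 * The CSP allow lists are built as absolute origins and therefore need a
 * scheme. It is derived from APP_URL first: a Laravel config file is
 * evaluated once and frozen by `php artisan config:cache`, which runs in the
 * CLI where $_SERVER['HTTPS'] is never set, and behind a TLS-terminating
 * proxy $_SERVER['HTTPS'] is frequently absent as well. Sniffing the current
 * request would therefore bake `http://` origins into an https site's policy.
 * The $_SERVER check is kept only as a fallback for when APP_URL carries no
 * usable scheme.
 */
$scheme = parse_url((string) env('APP_URL', ''), PHP_URL_SCHEME);
if ($scheme === 'http' || $scheme === 'https') {
    $protocol = $scheme . '://';
} elseif (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    // No request-level TLS signal (or the IIS-style 'off' value): plain http.
    $protocol = 'http://';
} else {
    $protocol = 'https://';
}

return [
    'x-content-type-options' => 'nosniff',
    'x-download-options' => 'noopen',
    'x-frame-options' => 'sameorigin',
    'x-permitted-cross-domain-policies' => 'none',
    // Legacy header: current browsers ignore X-XSS-Protection; the CSP block
    // below is what actually governs script execution.
    'x-xss-protection' => '1; mode=block',
    // 'unsafe-url' sends the full URL (path and query string) as the Referer
    // on every request, including cross-origin and https->http ones. Unless
    // downstream analytics depend on that, 'strict-origin-when-cross-origin'
    // is the usual choice.
    'referrer-policy' => 'unsafe-url',
    'hsts' => [
        // Off unless SECURITY_HEADER_HSTS_ENABLE is set; once enabled,
        // browsers cache the policy for max-age seconds (one year here).
        'enable' => env('SECURITY_HEADER_HSTS_ENABLE', false),
        'max-age' => 31536000,
        'include-sub-domains' => true,
    ],
    'hpkp' => [
        // HTTP Public Key Pinning has been removed from mainstream browsers.
        // Presumably the middleware omits the header while 'hashes' is false
        // (confirm against the middleware); leaving it disabled is correct.
        'hashes' => false,
        'include-sub-domains' => false,
        'max-age' => 15552000,
        'report-only' => false,
        'report-uri' => null,
    ],
    // Raw policy string; presumably replaces the structured 'csp' block when
    // set — confirm against the middleware before relying on it.
    'custom-csp' => env('SECURITY_HEADER_CUSTOM_CSP', null),
    'csp' => [
        // 'report-only' => true emits Content-Security-Policy-Report-Only,
        // which logs violations without blocking — useful while tuning.
        'report-only' => false,
        'report-uri' => env('CONTENT_SECURITY_POLICY_REPORT_URI', false),
        'upgrade-insecure-requests' => false,
        'default-src' => [
            'allow' => [
                $protocol . 'www.google.com',
                $protocol . 'www.youtube.com',
                $protocol . 'www.gstatic.com',
                //add other sources if using
            ],
            'self' => true,
        ],
        'script-src' => [
            'allow' => [
                $protocol . 'www.google.com',
                $protocol . 'ajax.googleapis.com',
                $protocol . 'code.jquery.com',
                $protocol . 'www.googletagmanager.com',
                $protocol . 'www.google-analytics.com',
                $protocol . 'www.gstatic.com',
                $protocol . 'cdnjs.cloudflare.com',
                $protocol . 'www.youtube.com',
                $protocol . 'cdn.jsdelivr.net',
                //add other script sources if using
            ],
            'self' => true,
            // With 'unsafe-inline' and 'unsafe-eval' both on, script-src does
            // not stop injected inline scripts or eval()-style execution, so
            // this policy's XSS mitigation is largely nullified. Moving inline
            // scripts to nonces or hashes is what lets these be dropped.
            'unsafe-inline' => true,
            'unsafe-eval' => true,
            // Permits data: URIs as a script source — another broad allowance.
            'data' => true,
        ],
        'style-src' => [
            'allow' => [
                $protocol . 'fonts.googleapis.com',
                $protocol . 'www.google.com',
                //add other style sources if using
            ],
            'self' => true,
            'unsafe-inline' => true,
        ],
        'img-src' => [
            'allow' => [
                $protocol . 'www.google-analytics.com',
                //add other img sources if using
            ],
            'self' => true,
            'data' => true,
        ],
        'font-src' => [
            'allow' => [
                $protocol . 'fonts.gstatic.com',
                //add other font sources if using
            ],
            'self' => true,
            'data' => true,
        ],
        // No plugin/embed sources at all (effectively object-src 'none').
        'object-src' => [
            'allow' => [],
            'self' => false,
        ],
    ],
];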