bepsvpt/secure-headers

The right way to config

Masoud180 opened this issue · 8 comments

Hi
I'm new to Laravel and I have some questions about your package.
I added
\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,
to $middlewarePriority in Kernel.php
Is that right?
And what should I write in secure-headers.php?
And how can I be sure that I configured it in the right way?
I'm using Laravel 5.8.
Thanks in advance.

Hi @Masoud180 ,

I added
\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,
to $middlewarePriority in Kernel.php
Is that right?

You need to add it to $middleware in the app/Http/Kernel.php file. $middlewarePriority is only used to specify the order in which middleware run once they have been assigned to a route.

And what should I write in secure-headers.php?

Take HTTP Strict Transport Security for example: if you want to enable HTTP Strict Transport Security, you can change the enable value from false to true here.

Each section has a reference link in its comment block (example); you can check that link for further information. Some headers will break the page when they are configured incorrectly. Thus, I suggest you check out the reference link before setting it up.

And how can I be sure that I configured it in the right way?

You can use php artisan serve to start the PHP development server and open the browser developer tools to check whether the response headers are configured correctly or not.

Thank you so much.

If you have any other questions, feel free to comment on this issue.
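Putting the maintainer's two answers together, here is what the registration and the HSTS section look like in practice. This is an added illustration, not code from the package or from the reporter's project; the $middleware and $middlewarePriority entries are the Laravel 5.8 defaults, and the HSTS key names follow the package's config/secure-headers.php as published at the time (check them against your own copy).

```php
<?php
// ---- file: app/Http/Kernel.php (Laravel 5.8, trimmed) ----
// Added example; only the two properties relevant to this issue are shown.

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    /**
     * Global middleware runs on every request, so every response leaves
     * with the configured headers. This is where the package belongs.
     */
    protected $middleware = [
        \App\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \App\Http\Middleware\TrustProxies::class,
        \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class, // added line
    ];

    /**
     * The priority list only sorts middleware that is already assigned
     * globally, in a group or on a route. A class listed here and nowhere
     * else never runs, which is why no headers appeared in the original
     * setup. Leave the defaults alone; do not add the package here.
     */
    protected $middlewarePriority = [
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\Authenticate::class,
        \Illuminate\Routing\Middleware\ThrottleRequests::class,
        \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
        \Illuminate\Auth\Middleware\Authorize::class,
    ];
}

// ---- file: config/secure-headers.php (excerpt) ----
// Assumed key names; verify against the published config file.
// Weak/default setting as shipped:
//   'hsts' => ['enable' => false, ...]
// Hardened setting. Only switch this on once every page, asset and
// subdomain you include is served over HTTPS: browsers cache the policy
// for max-age seconds and will refuse plain HTTP in the meantime.
return [
    'hsts' => [
        'enable'              => true,
        'max-age'             => 31536000, // one year, in seconds
        'include-sub-domains' => false,    // true only if all subdomains are HTTPS
        'preload'             => false,    // needs max-age >= 1 year and include-sub-domains
    ],
];
```

The safe way to roll HSTS out is to start with a short max-age (a few minutes) on the live site, confirm nothing breaks, and only then raise it to a year; a mistaken long max-age cannot be undone on clients that have already cached it.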

Thanks
While I was checking that, I came up with a question.
In secure-headers.php, the server parameter is null ('') but I can see my real server details in the HTTP header and it doesn't change it.
And also x-xss-protection doesn't exist in the response headers!
What should I do to apply them?

In secure-headers.php, the server parameter is null ('') but I can see my real server details in the HTTP header and it doesn't change it.

When server is an empty string, it will not be added to the response header (#1). If you want to change this header, you should assign a value to it.

And also x-xss-protection doesn't exist on header response!

Could you provide more information about this problem?

Thanks
x-xss-protection is fixed, but server is still displaying the real details.
I set this to another string but it's still not working.
(Two screenshots were attached: the response headers of the "Login to user panel" page, and secure-headers.php open in cPanel File Manager v3.)

Not all web servers support setting the Server header. This header was only tested on Laravel Homestead and Nginx. Sorry for not mentioning this in the config file comment.
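The maintainer's earlier advice (use the browser developer tools) and this last point both come down to looking at what the client actually receives, not what the PHP config says. The Server header in particular is written by the web server in front of PHP-FPM or mod_php, so a PHP middleware may be overridden; the setting that controls it lives in the web server (nginx: `server_tokens off;`, Apache: `ServerTokens Prod`), and on shared cPanel hosting it may not be changeable at all. The script below is an added example, not part of the package: it audits a set of response header lines and reports what is missing, wrong, or leaking a version string. The EXPECTED list is an assumption about what you enabled; the sample response is constructed to match the symptoms described in this thread.

```php
<?php
// check_headers.php: run as `php check_headers.php https://your-site.test`
// to audit a live response, or with no argument to audit the built-in
// constructed sample below.

// Assumed expectations; adjust to your config/secure-headers.php.
// null means "just has to be present", a string means "must equal this".
const EXPECTED = [
    'x-content-type-options'    => 'nosniff',
    'x-frame-options'           => null,
    'x-xss-protection'          => null,
    'referrer-policy'           => null,
    'strict-transport-security' => null,
    'server'                    => null,
];

/** Turn raw "Name: value" lines (get_headers() or curl -I output) into lowercase name => value. */
function parseHeaders(array $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line, e.g. "HTTP/1.1 200 OK"
        }
        [$name, $value] = explode(':', $line, 2);
        $out[strtolower(trim($name))] = trim($value);
    }
    return $out;
}

/** Return a list of human-readable problems; an empty list means the response passed. */
function audit(array $headers): array
{
    $problems = [];
    foreach (EXPECTED as $name => $want) {
        if (!isset($headers[$name])) {
            $problems[] = "missing: $name";
        } elseif ($want !== null && strcasecmp($headers[$name], $want) !== 0) {
            $problems[] = "unexpected value for $name: {$headers[$name]}";
        }
    }
    // A Server value such as "Apache/2.4" still discloses the version even
    // when the header is present, which is the leak the reporter saw.
    if (isset($headers['server']) && preg_match('#/\d#', $headers['server'])) {
        $problems[] = "server header discloses software version: {$headers['server']}";
    }
    return $problems;
}

// Constructed sample: Server left as the web server sets it, HSTS not
// enabled, x-xss-protection absent (the reporter's initial state).
$sample = [
    'HTTP/1.1 200 OK',
    'Server: Apache/2.4 (cPanel)',
    'Content-Type: text/html; charset=UTF-8',
    'X-Content-Type-Options: nosniff',
    'X-Frame-Options: sameorigin',
    'Referrer-Policy: no-referrer',
];

$target = $argv[1] ?? null;
$lines = $target !== null ? get_headers($target) : $sample;
if ($lines === false) {
    fwrite(STDERR, "could not fetch $target\n");
    exit(1);
}

$problems = audit(parseHeaders($lines));
if ($problems === []) {
    echo "all expected headers present\n";
} else {
    foreach ($problems as $p) {
        echo $p, "\n";
    }
    exit(1);
}
```

With no argument the sample reports the missing x-xss-protection and strict-transport-security headers and the version-disclosing Server value. Against a live site, run it from outside the box (or at least against the public hostname) so the response has passed through the same nginx or Apache layer your users hit; the headers php artisan serve produces can differ from the deployed ones precisely because of the Server caveat above.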

Thank you so much.