The right way to config
Masoud180 opened this issue · 8 comments
Hi
I'm new in Laravel and I have some questions about your package.
I added `\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,` to `$middlewarePriority` in Kernel.php
Is that right?
And what should I write in secure-headers.php?
And how can I be sure that I configured it in the right way?
I'm using Laravel 5.8.
Thanks in advance.
Hi @Masoud180,
> I added `\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,` to `$middlewarePriority` in Kernel.php
> Is that right?
You need to add it to `$middleware` in the `app/Http/Kernel.php` file. `$middlewarePriority` is used to specify the order when middlewares are assigned to the route.
> And what should I write in secure-headers.php?
Use HTTP Strict Transport Security for example: if you want to enable HTTP Strict Transport Security, you can change the `enable` value from `false` to `true` here.
Each section has a reference link in its comment block (example); you can check that link for further information. Some headers will break the page when they are configured incorrectly. Thus, I suggest you check out the reference link before setting it up.
> And how can I be sure that I configured it in the right way?
You can use `php artisan serve` to start PHP development server and open browser developer tools to check whether the response header is configured correctly or not.
Thank you so much.
If you have any other questions, feel free to comment on this issue.
Thanks
While I was checking that, I came up with a question.
In secure-headers.php, server parameter is null ('') but I can see my real server details in http header and it doesn't change it.
And also x-xss-protection doesn't exist on header response!
What should I do to apply them?
> In secure-headers.php, server parameter is null ('') but I can see my real server details in http header and it doesn't change it.
When `server` is an empty string, it will not be added to the response header (#1). If you want to change this header, you should assign a value to it.
> And also x-xss-protection doesn't exist on header response!
Could you provide more information about this problem?
Not all web server services support setting the `server` header. This header was only tested on Laravel Homestead and Nginx. Sorry for not mentioning this in the config file comment.
Thank you so much.
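One way to script the header check discussed in the thread, as an added example that is not part of the original issue or the package's own code: it audits a raw response-header block (as copied from browser developer tools or `curl -sI` against `php artisan serve`) for the headers mentioned above. The `EXPECTED` list, the function names, and both sample responses are assumptions constructed for illustration.

```python
import re
from email.parser import Parser

# Headers raised in the thread; treating both as required is an assumption.
EXPECTED = ("strict-transport-security", "x-xss-protection")

# Constructed sample: middleware not applied, server banner shows a version.
BEFORE = """HTTP/1.1 200 OK
Server: nginx/1.14.0
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: headers present, `server` overridden with a custom value.
AFTER = """HTTP/1.1 200 OK
Server: web
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8
"""

def parse_headers(raw):
    """Split a raw response head into (status line, {lowercased name: value})."""
    status, _, rest = raw.lstrip().partition("\n")
    msg = Parser().parsestr(rest, headersonly=True)
    return status.strip(), {k.lower(): v.strip() for k, v in msg.items()}

def audit(raw):
    """Return a list of findings; an empty list means every check passed."""
    _, headers = parse_headers(raw)
    findings = [f"missing: {name}" for name in EXPECTED if name not in headers]
    # A max-age of 0 tells the browser to drop the HSTS policy, so flag it.
    hsts = headers.get("strict-transport-security", "")
    m = re.search(r'max-age="?(\d+)', hsts, re.I)
    if hsts and (not m or int(m.group(1)) == 0):
        findings.append("strict-transport-security: max-age absent or 0")
    # A default banner usually carries a version number; a custom value does not.
    server = headers.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"server discloses version: {server}")
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "ok")
```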