After setup for laravel, Content-Security-Policy header is not generated
hyquoccuong opened this issue · 6 comments
I see csp is enabled in config file secure-headers.php
    /*
     * Content Security Policy
     *
     * Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
     */
    'csp' => [
        'enable' => true,
        // ...
    ],
But the Content-Security-Policy header is not generated in my site's response headers.
Results from https://securityheaders.com:
Missing Headers
Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
How do I enable this header?
I tried some of the config from here, but it is not generated:
https://barryvanveen.nl/blog/35-how-to-configure-security-headers-for-laravel
Did you add the middleware to app/Http/Kernel.php?
You can visit https://github.com/bepsvpt/secure-headers#laravel-project to check it.
Yep, I added this to the kernel:
    protected $middleware = [
        \Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \App\Http\Middleware\TrimStrings::class,
        \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
        \App\Http\Middleware\TrustProxies::class,
        \Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class, // https://github.com/bepsvpt/secure-headers
    ];
Other security headers are enabled, including Strict-Transport-Security after I enabled it:
...
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-Powered-By: PHP/7.2.28
X-XSS-Protection: 1; mode=block
After I updated some options in the config file secure-headers.php, it is now enabled:
    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri
    'base-uri' => [
        'self' => true,
    ],

    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
    'frame-ancestors' => [
        'self' => true,
    ],

    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
    'object-src' => [
        'none' => true,
    ],

    // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
    'script-src' => [
        'none' => true,
    ],
Now I got grade A+ for my site on https://securityheaders.com/
Thanks for great plugin!
Hi,
having a similar issue.
I need to set the frame-ancestors directive to multiple URIs. But it seems only this works:
    'frame-ancestors' => [ 'self' => true, ],
I tried to add it like:
    'frame-ancestors' => [ 'URI1' => true, 'URI2' => true, ],
It doesn't work.
Also tried some other ways.
Do you know a solution to add multiple URIs other than just specifying self?
    'frame-ancestors' => [
        'allow' => [
            env('CUSTOM_CORS_DOMAIN'),
            // ...
        ],
    ],
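For readers working through the two problems in this thread (the enabled-but-empty policy that produced no header, and allowing several frame-ancestors origins), here is a small added PHP illustration. It is not code from bepsvpt/secure-headers or from Laravel; it only mimics the directive shape used in config/secure-headers.php ('self' and 'none' flags plus an 'allow' list of hosts) and compiles it into the header value, so you can see what a given block produces before deploying it. The hostnames are made up, and the rule that an enabled block with no configured directives emits no header at all is my assumption about why the original symptom occurred, not something the thread states.

```php
<?php
declare(strict_types=1);

// Illustration only: this is NOT the bepsvpt/secure-headers implementation.
// It mirrors the directive shape from config/secure-headers.php closely enough
// to show what header value a given 'csp' block turns into.

// Keyword sources the config expresses as boolean flags, e.g. 'self' => true.
const CSP_KEYWORDS = ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic'];

/**
 * Compile one directive. Returns null when nothing usable is configured.
 */
function compileDirective(string $name, array $options): ?string
{
    $sources = [];

    foreach (CSP_KEYWORDS as $keyword) {
        if (!empty($options[$keyword])) {
            $sources[] = "'{$keyword}'";
        }
    }

    // 'allow' => [...] lists host sources (scheme://host). Empty values are
    // dropped so an unset env() variable cannot leave a dangling directive.
    foreach ($options['allow'] ?? [] as $host) {
        if (is_string($host) && trim($host) !== '') {
            $sources[] = trim($host);
        }
    }

    // 'none' is only valid on its own; combining it with other sources is a
    // misconfiguration rather than something to silently emit.
    if (in_array("'none'", $sources, true) && count($sources) > 1) {
        throw new InvalidArgumentException("{$name}: 'none' cannot be combined with other sources");
    }

    return $sources === [] ? null : $name . ' ' . implode(' ', $sources);
}

/**
 * Compile the whole 'csp' block. Returns null when no header should be sent.
 */
function compileCsp(array $csp): ?string
{
    if (empty($csp['enable'])) {
        return null;
    }

    $directives = [];
    foreach ($csp as $name => $options) {
        if ($name === 'enable' || !is_array($options)) {
            continue;
        }
        $directive = compileDirective((string) $name, $options);
        if ($directive !== null) {
            $directives[] = $directive;
        }
    }

    // Assumption (matches the symptom in this thread): 'enable' => true with
    // no directive configured yields an empty policy, so no header is emitted.
    return $directives === [] ? null : implode('; ', $directives);
}

// Constructed sample blocks; the hostnames are made up. The null entry in the
// last allow list stands in for an env() variable that is not set.
$samples = [
    'enable only'       => ['enable' => true],
    'fix from thread'   => [
        'enable'          => true,
        'base-uri'        => ['self' => true],
        'frame-ancestors' => ['self' => true],
        'object-src'      => ['none' => true],
        'script-src'      => ['none' => true],
    ],
    'several ancestors' => [
        'enable'          => true,
        'frame-ancestors' => [
            'self'  => true,
            'allow' => ['https://app.example.com', 'https://admin.example.com', null],
        ],
    ],
];

foreach ($samples as $label => $block) {
    $value = compileCsp($block);
    echo str_pad($label, 18), ': ',
        $value === null ? '(no Content-Security-Policy header emitted)' : "Content-Security-Policy: {$value}",
        PHP_EOL;
}
```

Run it with `php csp-preview.php` (any filename works) and compare the printed value with what `curl -sI` against your site returns for Content-Security-Policy. One caveat when you open frame-ancestors to other origins: the response headers pasted earlier in this thread also carry X-Frame-Options: sameorigin. Per the CSP Level 2 specification, a browser that implements frame-ancestors enforces that directive and ignores X-Frame-Options, while older browsers only honour X-Frame-Options, so the extra origins in the allow list are effective only where frame-ancestors is supported; check the behaviour in the browsers you actually need to embed in.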