├── LICENCE ├── README.md ├── composer.json ├── config └── headers.php ├── phpstan.neon ├── phpunit.xml ├── pint.json └── src ├── Http └── Middleware │ ├── CertificateTransparencyPolicy.php │ ├── ContentTypeOptions.php │ ├── PermissionsPolicy.php │ ├── RemoveHeaders.php │ ├── SetReferrerPolicy.php │ └── StrictTransportSecurity.php └── Providers └── PackageServiceProvider.php /LICENCE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) Treblle Limited. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
2 | 3 |
4 |
5 | 6 | # Treblle Security Headers 7 | 8 | Integrations 9 |   •   10 | Website 11 |   •   12 | Docs 13 |   •   14 | Blog 15 |   •   16 | Twitter 17 |   •   18 | Discord 19 |
20 | 21 |
22 |
23 | 24 | [![Latest Version](https://img.shields.io/packagist/v/treblle/security-headers)](https://packagist.org/packages/treblle/security-headers) 25 | [![Total Downloads](https://img.shields.io/packagist/dt/treblle/security-headers)](https://packagist.org/packages/treblle/security-headers) 26 | [![MIT Licence](https://img.shields.io/packagist/l/treblle/security-headers)](LICENCE) 27 | [![Tests](https://github.com/treblle/security-headers/actions/workflows/tests.yml/badge.svg)](https://github.com/treblle/security-headers/actions/workflows/tests.yml) 28 | 29 | Treblle makes it super easy to understand what’s going on with your APIs and the apps that use them. Just by adding 30 | Treblle to your API, out of the box you get: 31 | 32 | * Real-time API monitoring and logging 33 | * Auto-generated API docs with OAS support 34 | * API analytics 35 | * Quality scoring 36 | * One-click testing 37 | * API management on the go 38 | * and more... 39 | 40 | ## Requirements 41 | 42 | * PHP 8.2 43 | 44 | ## Installation 45 | 46 | You can install Treblle Security Headers via [Composer](http://getcomposer.org/). Simply run the following command: 47 | 48 | ```bash 49 | composer require treblle/security-headers 50 | ``` 51 | 52 | ## Getting started 53 | 54 | To start, you need to publish the configuration.
55 | 56 | ```bash 57 | php artisan vendor:publish --provider="Treblle\SecurityHeaders\Providers\PackageServiceProvider" --tag="security-headers" 58 | ``` 59 | 60 | This is the default content of the config file that will be published at `config/headers.php`: 61 | 62 | ```php 63 | return [ 64 | 'remove' => [ 65 | 'X-Powered-By', 66 | 'x-powered-by', 67 | 'Server', 68 | 'server', 69 | ], 70 | 71 | 'referrer-policy' => 'no-referrer-when-downgrade', 72 | 73 | 'strict-transport-security' => 'max-age=31536000; includeSubDomains', 74 | 75 | 'certificate-transparency' => 'enforce, max-age=30', 76 | 77 | 'permissions-policy' => 'autoplay=(self), camera=(), encrypted-media=(self), fullscreen=(), geolocation=(self), gyroscope=(self), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(self), usb=()', 78 | 79 | 'content-type-options' => 'nosniff', 80 | ]; 81 | ``` 82 | Review the defaults before deploying: the `certificate-transparency` value is emitted as the `Expect-CT` header, which is deprecated and ignored by current browsers, and `no-referrer-when-downgrade` is a weaker referrer policy than the `strict-origin-when-cross-origin` default that modern browsers apply. 83 | ## Community 💙 84 | 85 | First and foremost: **Star and watch this repository** to stay up-to-date. 86 | 87 | Also, follow our [Blog](https://blog.treblle.com), and on [Twitter](https://twitter.com/treblleapi). 88 | 89 | You can chat with the team and other members on [Discord](https://treblle.com/chat) and follow our tutorials and other video material at [YouTube](https://youtube.com/@treblle).
90 | 91 | [![Treblle Discord](https://img.shields.io/badge/Treblle%20Discord-Join%20our%20Discord-F3F5FC?labelColor=7289DA&style=for-the-badge&logo=discord&logoColor=F3F5FC&link=https://treblle.com/chat)](https://treblle.com/chat) 92 | 93 | [![Treblle YouTube](https://img.shields.io/badge/Treblle%20YouTube-Subscribe%20on%20YouTube-F3F5FC?labelColor=c4302b&style=for-the-badge&logo=YouTube&logoColor=F3F5FC&link=https://youtube.com/@treblle)](https://youtube.com/@treblle) 94 | 95 | [![Treblle on Twitter](https://img.shields.io/badge/Treblle%20on%20Twitter-Follow%20Us-F3F5FC?labelColor=1DA1F2&style=for-the-badge&logo=Twitter&logoColor=F3F5FC&link=https://twitter.com/treblleapi)](https://twitter.com/treblleapi) 96 | 97 | ### How to contribute 98 | 99 | Here are some ways to contribute to making Treblle better: 100 | 101 | - **[Try out Treblle](https://docs.treblle.com/en/introduction#getting-started)**, and let us know on [Discord](https://treblle.com/chat) how we can make Treblle better for you. 102 | - Join our [Discord](https://treblle.com/chat) and connect with other members to share and learn from. 103 | - Send a pull request to any of our [open source repositories](https://github.com/treblle) on GitHub. Check the contribution guide of the repo you want to contribute to for more details about how to contribute. We're looking forward to your contribution! 104 | 105 | ### Contributors 106 | 107 |

108 | A table of avatars from the project's contributors 109 |

110 |
111 | -------------------------------------------------------------------------------- /composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "treblle/security-headers", 3 | "description": "A collection of HTTP middleware classes to improve the security headers in your Laravel application.", 4 | "homepage": "https://www.treblle.com/", 5 | "license": "MIT", 6 | "keywords": [ 7 | "api", 8 | "debuging", 9 | "documentation", 10 | "laravel", 11 | "monitoring", 12 | "treblle" 13 | ], 14 | "type": "library", 15 | "authors": [ 16 | { 17 | "role": "Developer", 18 | "name": "Steve McDougall", 19 | "email": "juststevemcd@gmail.com", 20 | "homepage": "https://www.juststeveking.uk/" 21 | } 22 | ], 23 | "autoload": { 24 | "psr-4": { 25 | "Treblle\\SecurityHeaders\\": "src/" 26 | } 27 | }, 28 | "autoload-dev": { 29 | "psr-4": { 30 | "Treblle\\SecurityHeaders\\Tests\\": "tests/" 31 | } 32 | }, 33 | "require": { 34 | "php": "^8.2" 35 | }, 36 | "require-dev": { 37 | "laravel/pint": "^1.10", 38 | "orchestra/testbench": "^8.5.2", 39 | "pestphp/pest": "^2.6.1", 40 | "phpstan/phpstan": "^1.10.15" 41 | }, 42 | "extra": { 43 | "laravel": { 44 | "providers": [ 45 | "Treblle\\SecurityHeaders\\Providers\\PackageServiceProvider" 46 | ] 47 | } 48 | }, 49 | "scripts": { 50 | "pint": [ 51 | "./vendor/bin/pint" 52 | ], 53 | "stan": [ 54 | "./vendor/bin/phpstan analyse --memory-limit=3G" 55 | ], 56 | "test": [ 57 | "./vendor/bin/pest" 58 | ] 59 | }, 60 | "scripts-descriptions": { 61 | "pint": "Run Laravel Pint code styling.", 62 | "stan": "Run PHPStan against code base.", 63 | "test": "Run test suite." 
64 | }, 65 | "minimum-stability": "dev", 66 | "prefer-stable": true, 67 | "config": { 68 | "optimize-autoloader": true, 69 | "preferred-install": "dist", 70 | "sort-packages": true, 71 | "allow-plugins": { 72 | "pestphp/pest-plugin": true, 73 | "php-http/discovery": true 74 | } 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /config/headers.php: -------------------------------------------------------------------------------- 1 | [ 7 | 'X-Powered-By', 8 | 'x-powered-by', 9 | 'Server', 10 | 'server', 11 | ], 12 | 13 | 'referrer-policy' => 'no-referrer-when-downgrade', 14 | 15 | 'strict-transport-security' => 'max-age=31536000; includeSubDomains', 16 | 17 | 'certificate-transparency' => 'enforce, max-age=30', 18 | 19 | 'permissions-policy' => 'autoplay=(self), camera=(), encrypted-media=(self), fullscreen=(), geolocation=(self), gyroscope=(self), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(self), usb=()', 20 | 21 | 'content-type-options' => 'nosniff', 22 | ]; 23 | -------------------------------------------------------------------------------- /phpstan.neon: -------------------------------------------------------------------------------- 1 | parameters: 2 | 3 | paths: 4 | - src/ 5 | 6 | level: 9 7 | 8 | ignoreErrors: 9 | - '#\$value of function strval expects bool\|float\|int\|resource\|string\|null, mixed given.#' 10 | 11 | excludePaths: 12 | 13 | checkMissingIterableValueType: false 14 | -------------------------------------------------------------------------------- /phpunit.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ./tests 6 | 7 | 8 | 9 | 10 | 11 | ./src 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /pint.json: -------------------------------------------------------------------------------- 1 | { 2 | "preset": "psr12", 3 | "rules": { 4 | "align_multiline_comment": true, 5 | 
"array_indentation": true, 6 | "array_syntax": true, 7 | "blank_line_after_namespace": true, 8 | "blank_line_after_opening_tag": true, 9 | "combine_consecutive_issets": true, 10 | "combine_consecutive_unsets": true, 11 | "concat_space": true, 12 | "declare_parentheses": true, 13 | "declare_strict_types": true, 14 | "explicit_string_variable": true, 15 | "final_class": true, 16 | "final_internal_class": false, 17 | "fully_qualified_strict_types": true, 18 | "global_namespace_import": { 19 | "import_classes": true, 20 | "import_constants": true, 21 | "import_functions": true 22 | }, 23 | "is_null": true, 24 | "lambda_not_used_import": true, 25 | "logical_operators": true, 26 | "mb_str_functions": true, 27 | "method_chaining_indentation": true, 28 | "modernize_strpos": true, 29 | "new_with_braces": true, 30 | "no_empty_comment": true, 31 | "not_operator_with_space": true, 32 | "ordered_traits": true, 33 | "protected_to_private": true, 34 | "simplified_if_return": true, 35 | "strict_comparison": true, 36 | "ternary_to_null_coalescing": true, 37 | "trim_array_spaces": true, 38 | "use_arrow_functions": true, 39 | "void_return": true, 40 | "yoda_style": true 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /src/Http/Middleware/CertificateTransparencyPolicy.php: -------------------------------------------------------------------------------- 1 | headers->set( 21 | key: 'Expect-CT', 22 | values: strval(config('headers.certificate-transparency')), 23 | ); 24 | 25 | return $response; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/Http/Middleware/ContentTypeOptions.php: -------------------------------------------------------------------------------- 1 | headers->set( 21 | key: 'X-Content-Type-Options', 22 | values: strval(config('headers.content-type-options')), 23 | ); 24 | 25 | return $response; 26 | } 27 | } 28 | 
-------------------------------------------------------------------------------- /src/Http/Middleware/PermissionsPolicy.php: -------------------------------------------------------------------------------- 1 | headers->set( 21 | key: 'Permissions-Policy', 22 | values: strval(config('headers.permissions-policy')), 23 | ); 24 | 25 | return $response; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/Http/Middleware/RemoveHeaders.php: -------------------------------------------------------------------------------- 1 | headers->remove( 27 | key: $header, 28 | ); 29 | } 30 | 31 | return $response; 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /src/Http/Middleware/SetReferrerPolicy.php: -------------------------------------------------------------------------------- 1 | headers->set( 21 | key: 'Referrer-Policy', 22 | values: strval(config('headers.referrer-policy')), 23 | ); 24 | 25 | return $response; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/Http/Middleware/StrictTransportSecurity.php: -------------------------------------------------------------------------------- 1 | headers->set( 21 | key: 'Strict-Transport-Security', 22 | values: strval(config('headers.strict-transport-security')), 23 | ); 24 | 25 | return $response; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/Providers/PackageServiceProvider.php: -------------------------------------------------------------------------------- 1 | publishes([ 14 | __DIR__.'/../../config/headers.php' => config_path('headers.php'), 15 | ], 'security-headers'); 16 | } 17 | } 18 | --------------------------------------------------------------------------------