Pradeep Kumar

Solved: Laravel Cors Issue

Updated 2024-04-16

Create a middleware at app/Http/Middleware/SecurityHeaders.php:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class SecurityHeaders
{
    // Headers that leak framework/server details. Note: 'Server' is normally added by
    // nginx/Apache after PHP has finished, so it has to be suppressed in the web server config.
    private $unwantedHeaders = ['X-Powered-By', 'server', 'Server'];

    /**
     * @param  Request  $request
     * @param  Closure  $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);

        // Use app()->environment() rather than env(): once `php artisan config:cache` has run,
        // env() returns null at runtime and these headers would silently never be set.
        if (app()->environment('production', 'develop', 'staging')) {
            $response->headers->set('Referrer-Policy', 'no-referrer-when-downgrade');
            $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
            /*
             * WARNING: this policy allows everything ('*' plus 'unsafe-inline'/'unsafe-eval')
             * and therefore gives no XSS protection. You must replace 'Content-Security-Policy'
             * with a restrictive policy for your application.
             */
            $response->headers->set('Content-Security-Policy', "default-src * 'self' blob: data: gap:; style-src * 'self' 'unsafe-inline' blob: data: gap:; script-src * 'self' 'unsafe-eval' 'unsafe-inline' blob: data: gap:; object-src * 'self' blob: data: gap:; img-src * 'self' 'unsafe-inline' blob: data: gap:; connect-src 'self' * 'unsafe-inline' blob: data: gap:; frame-src * 'self' blob: data: gap:;");
            $response->headers->set('Permissions-Policy', 'autoplay=(self), camera=(), encrypted-media=(self), fullscreen=(), geolocation=(self), gyroscope=(self), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=(self), usb=()');
            $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
            $response->headers->set('X-Content-Type-Options', 'nosniff');

            $this->removeUnwantedHeaders($response, $this->unwantedHeaders);
        }

        return $response;
    }

    /**
     * @param  \Symfony\Component\HttpFoundation\Response  $response
     * @param  array  $headers
     */
    private function removeUnwantedHeaders($response, array $headers): void
    {
        foreach ($headers as $header) {
            // Remove from the Laravel response object and from PHP's own header list
            // (X-Powered-By is emitted by PHP itself when expose_php is enabled).
            $response->headers->remove($header);
            header_remove($header);
        }
    }
}



Laravel 10

If config/cors.php is not working, add the following to public/index.php:

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: *');
header("Access-Control-Allow-Headers: *");

and update config/cors.php to

'allowed_origins' => [],

Laravel 9 and lower

Step 1. Add \Fruitcake\Cors\HandleCors::class to the $middleware array in app/Http/Middleware/Kernel.php

eg:

protected $middleware = [
    ...
    \Fruitcake\Cors\HandleCors::class,
    ...
];

Step 2. Add cors.php file in config folder and write following code:

<?php

return [
    'paths' => ['api/*', 'sanctum/csrf-cookie'],

    'allowed_methods' => ['*'],

    'allowed_origins' => ['*'],

    'allowed_origins_patterns' => [],

    'allowed_headers' => ['*'],

    'exposed_headers' => [],

    'max_age' => 0,

    'supports_credentials' => false,

];

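Both fixes above open CORS to every origin (`Access-Control-Allow-Origin: *` in public/index.php, `'allowed_origins' => ['*']` in config/cors.php). As an added example, not code from the original post, here is a middleware that answers only for an explicit origin allowlist and handles the preflight itself; the class name, the two listed origins and the method/header lists are assumptions to adapt to your application.

```php
<?php
// Added example, not from the original post: CORS with an explicit origin allowlist
// instead of 'Access-Control-Allow-Origin: *'. Class name, origins and header lists are assumed.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class StrictCors
{
    // Exact scheme+host+port strings only; never '*' and never a substring pattern.
    private array $allowedOrigins = [
        'https://app.example.com',   // assumed front-end origin
        'http://localhost:5173',     // assumed local dev server
    ];

    public function handle(Request $request, Closure $next): Response
    {
        $origin = $request->headers->get('Origin');
        // Same-origin and non-browser clients send no Origin header: nothing to do.
        if ($origin === null) {
            return $next($request);
        }

        // Strict comparison: "https://app.example.com.evil.tld" must not match.
        $allowed = in_array($origin, $this->allowedOrigins, true);

        // Preflight (OPTIONS) is answered here without running the route. A 204 with
        // no CORS headers makes the browser itself block the cross-origin call.
        $response = $request->isMethod('OPTIONS')
            ? response()->noContent()
            : $next($request);

        if ($allowed) {
            // Echo the matched allowlist value, not the raw header, and only then
            // allow credentials ('*' combined with credentials is rejected by browsers).
            $response->headers->set('Access-Control-Allow-Origin', $origin);
            $response->headers->set('Access-Control-Allow-Credentials', 'true');
            $response->headers->set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
            $response->headers->set('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
            $response->headers->set('Access-Control-Max-Age', '600');
        }
        // Shared caches must key on Origin, or one origin's response may be served to another.
        $response->headers->set('Vary', 'Origin', false);
        return $response;
    }
}
```

Register it in the `$middleware` array in place of the wildcard headers; with it in place the `header(...)` lines in public/index.php are no longer needed.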
