Essential security headers for Laravel apps - checklist

Carlos Mendez Cybersecurity 181 views
Here is the security headers checklist I use for every Laravel project. You can add these in middleware or via your web server config.

Must-have headers:
- X-Content-Type-Options: nosniff
- X-Frame-Options: SAMEORIGIN
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera=(), microphone=(), geolocation=()
- Strict-Transport-Security: max-age=31536000; includeSubDomains

Content Security Policy is trickier and needs to be tailored per app. Start strict and loosen as needed. At minimum set default-src to self.

Test your headers using securityheaders.com to check your score. Aim for A+ grade.

What other security practices do you follow in your Laravel apps?

2 Replies

Engr Mejba Ahmed 1 week ago
Excellent checklist, Carlos! Through my penetration testing work at xCyberSecurity.io, these are the most commonly missed items I find in Laravel security audits:
- Missing HSTS header, which should have includeSubDomains and preload directives
- Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy for cross-origin isolation
- APP_DEBUG left as true in production, which leaks stack traces and environment variables
- SESSION_SECURE_COOKIE not set to true when using HTTPS

Also make sure CSRF protection is never disabled. Use the @csrf directive in all forms and never remove VerifyCsrfToken middleware. I have seen production apps where developers disabled it to fix AJAX issues rather than properly setting up the X-CSRF-TOKEN header.
Alex Thompson 1 week ago
Pro tip: use the spatie/laravel-csp package for managing Content Security Policy. It makes handling nonces and configuring policies much easier than building it manually. Also, run your site through Mozilla Observatory at observatory.mozilla.org. It gives more detailed security analysis than SecurityHeaders.com and includes recommendations for each issue found.