Skip to main content
CM

Essential security headers for Laravel apps - checklist

Carlos Mendez Cybersecurity 423 views
Here is the security headers checklist I use for every Laravel project. You can add these in middleware or via your web server config. Must-have headers: - X-Content-Type-Options: nosniff - X-Frame-Options: SAMEORIGIN - Referrer-Policy: strict-origin-when-cross-origin - Permissions-Policy: camera=(), microphone=(), geolocation=() - Strict-Transport-Security: max-age=31536000; includeSubDomains Content Security Policy is trickier and needs to be tailored per app. Start strict and loosen as needed. At minimum set default-src to self. Test your headers using securityheaders.com to check your score. Aim for A+ grade. What other security practices do you follow in your Laravel apps?

2 Replies

EA
Engr Mejba Ahmed 4 months ago
Excellent checklist Carlos! Through my penetration testing work at xCyberSecurity.io, these are the most commonly missed items I find in Laravel security audits: - Missing HSTS header, which should have includeSubDomains and preload directives - Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy for cross-origin isolation - APP_DEBUG left as true in production, which leaks stack traces and environment variables - SESSION_SECURE_COOKIE not set to true when using HTTPS Also make sure CSRF protection is never disabled. Use the @csrf directive in all forms and never remove VerifyCsrfToken middleware. I have seen production apps where developers disabled it to fix AJAX issues rather than properly setting up the X-CSRF-TOKEN header.
AT
Alex Thompson 4 months ago
Pro tip: use the spatie/laravel-csp package for managing Content Security Policy. It makes handling nonces and configuring policies much easier than building it manually. Also, run your site through Mozilla Observatory at observatory.mozilla.org. It gives more detailed security analysis than SecurityHeaders.com and includes recommendations for each issue found.

Post a Reply

Engr Mejba Ahmed

Engr Mejba Ahmed

Claude Code Expert · Online

👋

Hey there!

Quick Actions

WhatsApp Instant reply

Chat on WhatsApp

+880 1723 741224 · Instant reply

Popular Questions

Engr Mejba Ahmed is connected
Engr Mejba Ahmed is typing...
Engr Mejba Ahmed avatar

✉ Want me to follow up? Drop your email

Engr Mejba Ahmed avatar

📞 Connect Directly

Choose how you'd like to reach me

WhatsApp

+880 1723 741224

Email

[email protected]

✓ Details sent! I'll get back to you shortly.

Powered by OpenAI

335+

Blog Posts

25

AI Courses

63

Projects

Services & Expertise

Pricing & Process

Learning & Resources

Connect & Support