area17 / twill-security-headers
A Twill Capsule to add and handle Security Headers
Requires
- php: >=8.0
- area17/twill: ^3.0
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.0
- laravel/dusk: ^7.12
- nunomaduro/larastan: ^2.0
- orchestra/testbench: ^7.11
- phpstan/phpstan: ^1.8
README
This Twill Capsule is intended to enable developers to add Security Headers configuration to their applications, giving users a friendly dashboard to configure these headers.
Screenshots
- CMS configuration
- Mozilla Observatory security headers check
Supported Headers
- CSP (Content Security Policy)
- HSTS (Strict-Transport-Security)
- Permissions-Policy
- Referrer-Policy
- X-Content-Type-Options
- X-Frame-Options
- Expect-CT (deprecated by most browsers)
- X-XSS-Protection (non-standard, not for production)
Unwanted headers
This capsule also has an option for removing unwanted headers from the response. Update the config/twill-security-headers.php file and list the headers that should be stripped from the response:
'unwanted-headers' => ['X-Powered-By', 'server', 'Server'],
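After enabling headers in the dashboard and listing the ones to strip, it is worth verifying what a response actually carries. The following is an added example, not code from the package: it audits a set of response headers (a constructed sample is embedded) against the supported headers listed above and the unwanted ones from the config line above, comparing names case-insensitively as HTTP requires.

```php
<?php
// Added example (not part of the package): audit response headers against the
// headers this capsule can set and the ones its config removes.

/** Headers the capsule can emit (from the "Supported Headers" list; the
 *  deprecated Expect-CT and non-standard X-XSS-Protection are left out). */
const EXPECTED_HEADERS = [
    'Content-Security-Policy',
    'Strict-Transport-Security',
    'Permissions-Policy',
    'Referrer-Policy',
    'X-Content-Type-Options',
    'X-Frame-Options',
];

/** Headers the 'unwanted-headers' config above strips from the response. */
const UNWANTED_HEADERS = ['X-Powered-By', 'Server'];

/**
 * @param array<string, string> $headers  name => value as sent by the server
 * @return array{missing: string[], leaked: string[]}
 */
function auditSecurityHeaders(array $headers): array
{
    // Lower-case the names once so every lookup is case-insensitive.
    $present = array_change_key_case($headers, CASE_LOWER);

    $missing = array_values(array_filter(
        EXPECTED_HEADERS,
        fn (string $name) => !isset($present[strtolower($name)])
    ));
    $leaked = array_values(array_filter(
        UNWANTED_HEADERS,
        fn (string $name) => isset($present[strtolower($name)])
    ));

    return ['missing' => $missing, 'leaked' => $leaked];
}

// Constructed sample: HSTS, CSP and nosniff are set, but Server is still exposed.
$sample = [
    'Content-Type'              => 'text/html; charset=UTF-8',
    'server'                    => 'nginx',
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    'Content-Security-Policy'   => "default-src 'self'",
    'X-Content-Type-Options'    => 'nosniff',
];

$report = auditSecurityHeaders($sample);
printf("Missing: %s\n", implode(', ', $report['missing']) ?: 'none');
printf("Leaked:  %s\n", implode(', ', $report['leaked']) ?: 'none');
```

For the sample above the script reports Permissions-Policy, Referrer-Policy and X-Frame-Options as missing and Server as leaked; feed it the header array from a real response to check a deployment.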
Installing
Supported Versions
Composer resolves this automatically for you, but these are the supported version combinations of Twill and this package.
Require the Composer package:
composer require area17/twill-security-headers
Publish the configuration
php artisan vendor:publish --provider="A17\TwillSecurityHeaders\ServiceProvider"
Migrate the database to create package tables
php artisan migrate
Usage
It's pretty straightforward: once installed, you will have access to the menu option Twill Security Headers, a single page listing all the supported headers, where you can enable or disable each one and edit the properties sent with the response.
Menu
If you are clearing the Twill menu in order to create a new one yourself, you will need to add it manually:
use A17\Twill\Facades\TwillNavigation;
use A17\Twill\View\Components\Navigation\NavigationLink;

TwillNavigation::clear();

...

// Add the capsule's page back to the navigation you are building
TwillNavigation::addLink(
    NavigationLink::make()
        ->forModule('TwillSecurityHeaders')
        ->title('Security headers')
);
CSP config
Creating CSP policies usually takes time and it's hard to write them manually. You can make use of Report URI, a great tool that allows you to paste your current policy, edit it and generate a new string to be pasted into the package's CSP configuration.
Disabling
This package is enabled and injects itself automatically. To disable it you just need to add the following to .env:
TWILL_SECURITY_HEADERS_ENABLED=false
Contribute
Please contribute to this project by submitting pull requests.