A few days ago I read a great article by Scott Helme on security headers. To learn more about these headers, I suggest you read the article yourself.
I’ve just added security headers to my website and want to show you how it was done.
Step 1: Laravel Security headers
I have used the bepsvpt/laravel-security-header Laravel package to improve my security headers. It supports all the major headers and some extra ones too.
It ships with a well-documented configuration file full of links to websites with more detailed information. My current configuration looks as follows:
Some notes:
- Only enable Strict-Transport-Security when you have a valid SSL certificate, and even then you probably only want to enable it in your production Laravel environment.
- Have a look at paragonie/csp-builder to configure the Content-Security-Policy header; it is a major dependency of bepsvpt/laravel-security-header.
- HTTP Public Key Pinning sounds a little bit scary; mistakes can be difficult to recover from. I'm not an expert in SSL keys or CSRs, so I didn't enable this header.
Step 2: Test website now
Test your headers in your browser. You will have to tweak the CSP a bit to allow things like Google Analytics or widgets.
After that, scan your website with securityheaders.io, another project developed by Scott Helme. It will scan your Laravel website's headers and give some great advice on things you can improve.
Step 3: Configuring a report URI is important
If a browser encounters any content that violates the Content Security Policy, it can send a report about it. The URI the report is sent to is configured in the CSP header itself.
A great (and free) service you can use for this is report-uri.com. This was also developed by Scott Helme; this is really getting awkward… After setting up your own personal report URI you will see all reports for content that violated your CSP.
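To show how the pieces from Step 1 and Step 3 fit together, here is an added example of a plain Laravel middleware that sets these headers by hand. It is not code from this post or from the bepsvpt package; the class name, the CSP directives and the report endpoint are illustrative, and the report-uri value is a placeholder for the one report-uri.com gives you.

```php
<?php
// Illustrative Laravel middleware (hypothetical, not the package's code) that sets
// the headers discussed above: HSTS only over HTTPS in production, a CSP with a
// report-uri, and a few other common headers. Register it in app/Http/Kernel.php.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class SecurityHeaders
{
    // Placeholder; replace with the reporting endpoint report-uri.com gives you.
    const CSP_REPORT_URI = 'https://REPORT-URI-PLACEHOLDER.example/r/d/csp';

    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);
        $headers  = $response->headers;

        // Browsers cache HSTS for max-age seconds, so a wrong value is hard to undo:
        // only send it over a real TLS connection in the production environment.
        if ($request->secure() && app()->environment('production')) {
            $headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }

        // Build the CSP from a directive map so extra sources (analytics, widgets)
        // can be added per directive instead of editing one long string.
        $directives = [
            'default-src' => ["'self'"],
            'script-src'  => ["'self'", 'https://www.google-analytics.com'],
            'img-src'     => ["'self'", 'data:'],
            'object-src'  => ["'none'"],
            'report-uri'  => [self::CSP_REPORT_URI],
        ];
        $csp = implode('; ', array_map(function ($name, $sources) {
            return $name . ' ' . implode(' ', $sources);
        }, array_keys($directives), $directives));
        $headers->set('Content-Security-Policy', $csp);

        $headers->set('X-Content-Type-Options', 'nosniff');
        $headers->set('X-Frame-Options', 'DENY');
        $headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');

        return $response;
    }
}
```

While tuning the policy, send the same value as Content-Security-Policy-Report-Only instead: violations still reach the report URI but nothing is blocked yet.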