
A Guide to Security Headers: What They Do and How to Secure Your Laravel Application

Discover how to secure your Laravel application with the right security headers.

Sarah Miller
May 28, 2023

Security headers are one of the simplest yet most effective ways to protect your web applications from common attacks. They help prevent Cross-Site Scripting (XSS), Clickjacking, data theft, and other web-based threats by instructing browsers how to handle your website's security policies.

Unfortunately, many Laravel applications lack proper security headers, leaving them exposed to unnecessary risks. In this guide, we'll explore the most important security headers, what they do, and how to implement them in your Laravel application.

1. Content Security Policy (CSP)

What It Does: The Content Security Policy (CSP) header helps prevent Cross-Site Scripting (XSS) attacks by defining which resources (scripts, styles, images, etc.) are allowed to load on your website.

How it can be exploited by attackers: A user can use an input field to inject JavaScript into an application record. When that record is later rendered, the JavaScript executes in other users' browsers and could redirect them to a malicious site, or read information from the page and send it to the attacker.

How to Implement It in Laravel: To set a strict CSP, send the following header from your middleware (shown here as a PHP header() call; in an .htaccess file the equivalent is an Apache Header set directive):

header('Content-Security-Policy: default-src \'self\'; script-src \'self\' https://example.com; style-src \'self\' https://example.com; img-src \'self\' https://example.com;');

✔ Best Practice:

  • Avoid using unsafe-inline and unsafe-eval unless absolutely necessary.
  • Use a nonce (random key) to allow only trusted inline scripts.

2. X-Frame-Options Header

What It Does: The X-Frame-Options header helps prevent Clickjacking attacks by specifying whether your website can be displayed within an iframe.

How it can be exploited by attackers: An attacker can use an iframe to display your application within their own page, overlaying sensitive actions and buttons with their own content, so that the user interacts with the attacker's content while believing they are interacting with yours.

How to Implement It in Laravel: To prevent your application from being displayed within an iframe, add the following header to your middleware or .htaccess file:

header('X-Frame-Options: SAMEORIGIN');

✔ Best Practice:

  • Use SAMEORIGIN to allow content from the same origin.
  • Use DENY to prevent any content from being displayed within an iframe.

3. Strict-Transport-Security (HSTS) Header

What It Does: The Strict-Transport-Security (HSTS) header instructs browsers to only access your website over HTTPS, preventing man-in-the-middle attacks and ensuring secure connections.

How it can be exploited by attackers: Without secure connections, an attacker on the network path can intercept requests to your application and redirect them to a malicious website, or capture the request contents and forward them to a server the attacker controls.

How to Implement It in Laravel: To enforce HTTPS connections, add the following header to your middleware or .htaccess file:

header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

✔ Best Practice:

  • Use max-age=31536000 to enforce HTTPS for one year.
  • Use includeSubDomains to apply HSTS to all subdomains.

4. X-XSS-Protection Header

What It Does: The X-XSS-Protection header helps prevent Cross-Site Scripting (XSS) attacks by instructing browsers to block scripts that attempt to inject malicious code.

How it can be exploited by attackers: An attacker can use a script to inject malicious code into your application, causing the code to be executed in the user's browser.

How to Implement It in Laravel: To enable XSS protection, add the following header to your middleware or .htaccess file:

header('X-XSS-Protection: 1; mode=block');

✔ Best Practice:

  • Use 1; mode=block to block scripts that attempt to inject malicious code.
  • Use 0 to disable XSS protection.

5. X-Content-Type-Options Header

What It Does: The X-Content-Type-Options header helps prevent browsers from interpreting files as other types of content, potentially exposing sensitive information.

How it can be exploited by attackers: An attacker can use a file-upload feature to upload a malicious file and have it executed, potentially giving the attacker access to your application and data. The attacker can then hold your application hostage and demand a ransom payment, or use it to attack other applications as part of a botnet.

How to Implement It in Laravel: To prevent browsers from interpreting files as other types of content, add the following header to your middleware or .htaccess file:

header('X-Content-Type-Options: nosniff');

✔ Best Practice:

  • Use nosniff to prevent browsers from interpreting files as other types of content.

6. Referrer-Policy Header

What It Does: The Referrer-Policy header helps prevent the exposure of sensitive information to other sites by controlling the value of the Referer header.

How it can be exploited by attackers: An attacker can use the Referer header to track the user's activity from your application, potentially exposing sensitive information.

How to Implement It in Laravel: To control the value of the Referer header, add the following header to your middleware or .htaccess file:

header('Referrer-Policy: no-referrer-when-downgrade');

✔ Best Practice:

  • Use no-referrer-when-downgrade to prevent the exposure of sensitive information.

7. Permissions-Policy Header

What It Does: The Permissions-Policy header restricts browser features such as the camera, microphone, geolocation, and more, preventing malicious scripts from using them.

How it can be exploited by attackers: An attacker can use a script to exploit a feature of the browser, such as the camera or microphone, to capture sensitive information from the user. By setting the permissions policy correctly, you can prevent this from happening.

How to Implement It in Laravel: To restrict browser features, add the following header to your middleware or .htaccess file:

header('Permissions-Policy: camera=(), microphone=(), geolocation=()');

✔ Best Practice:

  • Use camera=() to prevent the exposure of the camera.
  • Use microphone=() to prevent the exposure of the microphone.
  • Use geolocation=() to prevent the exposure of the geolocation.
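All seven sections above set their header from the same place, so here is one Laravel middleware, added as an example rather than taken from the article, that sets every header discussed (CSP with a per-request nonce, X-Frame-Options, HSTS, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Permissions-Policy) on each response. The class name and the https://example.com allow-list are assumptions; register the class in your HTTP kernel or bootstrap/app.php middleware list, whichever your Laravel version uses.

```php
<?php
// Added example (not the article's own code): class name and allow-list assumed.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        // Fresh per-request nonce: only inline <script> tags carrying it may run.
        // Views read it via request()->attributes->get('csp_nonce').
        $nonce = base64_encode(random_bytes(16));
        $request->attributes->set('csp_nonce', $nonce);

        $response = $next($request);

        $csp = implode('; ', [
            "default-src 'self'",
            "script-src 'self' 'nonce-{$nonce}' https://example.com",
            "style-src 'self' https://example.com",
            "img-src 'self' https://example.com",
            "frame-ancestors 'self'", // CSP counterpart of X-Frame-Options
        ]);

        $headers = [
            'Content-Security-Policy' => $csp,
            'X-Frame-Options'         => 'SAMEORIGIN',
            'X-Content-Type-Options'  => 'nosniff',
            // strict-origin-when-cross-origin is the stricter modern browser default.
            'Referrer-Policy'         => 'no-referrer-when-downgrade',
            'Permissions-Policy'      => 'camera=(), microphone=(), geolocation=()',
            // Legacy filter that current browsers ignore; CSP is the real XSS defence.
            'X-XSS-Protection'        => '1; mode=block',
        ];
        // Browsers only honour HSTS received over HTTPS, so add it on secure requests.
        if ($request->isSecure()) {
            $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
        }

        foreach ($headers as $name => $value) {
            $response->headers->set($name, $value);
        }

        return $response;
    }
}
```

In a Blade view, an inline script that should be allowed is written as `<script nonce="{{ request()->attributes->get('csp_nonce') }}">`; any inline script without that nonce is blocked by the policy.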

Setting these headers correctly can take a bit of time, but it is a great way of protecting your Laravel application from common attacks. Once you have set them up, you can use StackShield to ensure they are always present, even after application and infrastructure upgrades. If we find them missing, we'll let you know.