How to Fix Missing Security Headers in Laravel
Your Laravel app is missing critical security headers like CSP, HSTS, and X-Frame-Options. Learn how to add them with middleware.
The Problem
Missing security headers leave your Laravel application vulnerable to cross-site scripting (XSS), clickjacking, MIME sniffing, and protocol downgrade attacks. Browsers rely on these headers to enforce security policies, and without them your users have no protection from these common attack vectors. Most Laravel applications ship with zero security headers configured.
How to Fix
1. Create a security headers middleware

Generate a new middleware with php artisan make:middleware SecurityHeaders, then add the headers in app/Http/Middleware/SecurityHeaders.php:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Clickjacking: refuse to be rendered inside a frame on any origin.
        $response->headers->set('X-Frame-Options', 'DENY');
        // MIME sniffing: make the browser honour the declared Content-Type.
        $response->headers->set('X-Content-Type-Options', 'nosniff');
        // Protocol downgrade: require HTTPS for a year, subdomains included.
        $response->headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        // Leak less: send only the origin on cross-site navigations.
        $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
        // XSS: baseline policy; step 3 tailors it to the app's external assets.
        $response->headers->set('Content-Security-Policy', "default-src 'self'");

        return $response;
    }
}
2. Register the middleware globally

In Laravel 11+, register it in bootstrap/app.php so it runs on every request. In Laravel 10 and earlier, add it to the $middleware array in app/Http/Kernel.php instead.
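The Laravel 11+ registration, as an added example rather than code from the original page: the default bootstrap/app.php produced by the Laravel installer, with the step 1 middleware prepended to the global stack. It assumes the class is App\Http\Middleware\SecurityHeaders; the Laravel 10 equivalent is in the trailing comment.

```php
<?php

// bootstrap/app.php (Laravel 11+). Added example; the middleware class name is
// assumed to be the one created in step 1.

use App\Http\Middleware\SecurityHeaders;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;

return Application::configure(basePath: dirname(__DIR__))
    ->withRouting(
        web: __DIR__.'/../routes/web.php',
        commands: __DIR__.'/../routes/console.php',
        health: '/up',
    )
    ->withMiddleware(function (Middleware $middleware) {
        // prepend() makes it the outermost global middleware, so responses
        // that later middleware short-circuit (for example the maintenance-mode
        // page) still leave with the headers. append() would skip those.
        $middleware->prepend(SecurityHeaders::class);
    })
    ->withExceptions(function (Exceptions $exceptions) {
        //
    })
    ->create();

// Laravel 10 and earlier use app/Http/Kernel.php instead; putting the class
// first in the $middleware array has the same effect:
//
//     protected $middleware = [
//         \App\Http\Middleware\SecurityHeaders::class,
//         // ...the framework's own global middleware...
//     ];
```

Exceptions thrown inside the pipeline are rendered by Laravel's routing pipeline before the response travels back out, so error pages pass through this middleware too.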
3. Customize Content-Security-Policy for your app

The CSP header needs to match your application. If you use external scripts (analytics, Stripe, etc.), add their domains to the policy. Start with Content-Security-Policy-Report-Only to test without breaking your site, then switch to enforcing mode once verified.
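One way to carry out step 3, as an added example and not code from the original page: a separate ContentSecurityPolicy middleware that builds the header from a directive map, adds a per-request nonce through Laravel's Vite facade so the app's own inline scripts keep running, and chooses the report-only or enforcing header name from a middleware parameter. The third-party hosts (js.stripe.com for Stripe.js, analytics.example as a stand-in for an analytics vendor) and the csp alias in the usage note are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Vite;
use Symfony\Component\HttpFoundation\Response;

class ContentSecurityPolicy
{
    /**
     * Directive => allowed sources. The third-party hosts are assumptions for
     * this example (js.stripe.com is Stripe.js; analytics.example is a
     * placeholder); replace them with the hosts your pages actually load from.
     */
    private const DIRECTIVES = [
        'default-src'     => ["'self'"],
        'script-src'      => ["'self'", 'https://js.stripe.com', 'https://analytics.example'],
        'frame-src'       => ['https://js.stripe.com'],
        'connect-src'     => ["'self'", 'https://analytics.example'],
        'style-src'       => ["'self'"],
        'img-src'         => ["'self'", 'data:'],
        'object-src'      => ["'none'"],
        'base-uri'        => ["'self'"],
        'form-action'     => ["'self'"],
        'frame-ancestors' => ["'none'"],
    ];

    /**
     * $mode is the middleware parameter: 'csp:report-only' during rollout,
     * plain 'csp' (enforce) once the violation reports are clean.
     */
    public function handle(Request $request, Closure $next, string $mode = 'enforce'): Response
    {
        // A fresh nonce per request lets the app's own inline <script> tags run
        // without 'unsafe-inline'. It must exist before the view renders so the
        // @vite directive and Vite::cspNonce() in Blade can emit it.
        $nonce = Vite::useCspNonce();

        $response = $next($request);

        $directives = self::DIRECTIVES;
        $directives['script-src'][] = "'nonce-{$nonce}'";

        $header = $mode === 'report-only'
            ? 'Content-Security-Policy-Report-Only'
            : 'Content-Security-Policy';

        // Do not clobber a stricter policy that a specific route already set.
        if (! $response->headers->has('Content-Security-Policy')) {
            $response->headers->set($header, self::serialize($directives));
        }

        return $response;
    }

    /** Turn the directive map into the "name src src; name src" header value. */
    public static function serialize(array $directives): string
    {
        $parts = [];
        foreach ($directives as $name => $sources) {
            $parts[] = $name . ' ' . implode(' ', $sources);
        }

        return implode('; ', $parts);
    }
}
```

Move the Content-Security-Policy line out of the step 1 middleware so the two classes do not compete for the same header. Register the alias with $middleware->alias(['csp' => ContentSecurityPolicy::class]) in bootstrap/app.php ($middlewareAliases in app/Http/Kernel.php on Laravel 10), apply csp:report-only to the web group during rollout, and switch to csp once the browser console stops showing violations. Inline scripts in Blade templates need nonce="{{ Vite::cspNonce() }}" to run under this policy.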
How to Verify
Check your headers with curl:
curl -I https://yourdomain.com
You should see all security headers in the response. You can also use securityheaders.com to scan your site and get a grade. Aim for an A or A+ rating.
Prevention
Include the security headers middleware in your base Laravel project template. Test headers in your CI/CD pipeline by checking response headers after deployment. Use StackShield to continuously monitor that headers remain in place after updates and deployments.
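A CI check for the advice above, as an added example rather than the page's own code: a Laravel feature test (tests/Feature/SecurityHeadersTest.php, run by php artisan test) that fails the pipeline when a header is missing from a normal page or from a 404 response. The expected values are assumed to match the step 1 middleware; adjust them if yours differ. The curl command in How to Verify remains the post-deployment check against the live site.

```php
<?php

namespace Tests\Feature;

use Tests\TestCase;

class SecurityHeadersTest extends TestCase
{
    // Header => expected value. Assumed to match the SecurityHeaders middleware
    // from step 1; change these if your policy values differ.
    private const EXPECTED = [
        'X-Frame-Options'           => 'DENY',
        'X-Content-Type-Options'    => 'nosniff',
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        'Referrer-Policy'           => 'strict-origin-when-cross-origin',
    ];

    public function test_home_page_carries_every_security_header(): void
    {
        $response = $this->get('/');

        foreach (self::EXPECTED as $name => $value) {
            // assertHeader checks both presence and the exact value.
            $response->assertHeader($name, $value);
        }

        // During a report-only rollout the CSP lives under the other header
        // name, so accept either, but require at least one.
        $this->assertTrue(
            $response->headers->has('Content-Security-Policy')
                || $response->headers->has('Content-Security-Policy-Report-Only'),
            'No Content-Security-Policy header on /'
        );
    }

    public function test_error_responses_keep_the_headers(): void
    {
        // Error pages are rendered inside the middleware pipeline, so a global
        // middleware must still decorate them; this catches regressions where
        // the headers are only added on the happy path.
        $response = $this->get('/this-route-does-not-exist');

        $response->assertNotFound();
        foreach (self::EXPECTED as $name => $value) {
            $response->assertHeader($name, $value);
        }
    }
}
```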
Frequently Asked Questions
Will adding security headers break my application?
The most likely header to cause issues is Content-Security-Policy, which can block inline scripts, external fonts, or third-party widgets. Start with Content-Security-Policy-Report-Only mode to identify violations before enforcing. The other headers (X-Frame-Options, HSTS, etc.) rarely cause issues.
Do I need all of these headers?
At minimum, you should set X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, and Referrer-Policy. Content-Security-Policy provides the strongest protection but requires careful configuration. Each header protects against a different attack vector.
Can I set security headers at the web server level instead?
Yes, you can set headers in Nginx (add_header directive) or Apache (Header set directive) instead of Laravel middleware. Server-level headers apply to all responses including static files, which is an advantage. However, middleware gives you more flexibility to vary headers per route.