What Are Security Headers?
Security headers are HTTP response headers that instruct browsers how to handle your website's content securely. They protect against common attacks such as cross-site scripting (XSS), clickjacking, and protocol downgrade attacks by telling the browser which actions are allowed for a given page.
In Laravel Applications
Laravel does not set security headers by default. You need to add them via middleware. Key headers include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Example
Adding `X-Frame-Options: DENY` prevents your Laravel application from being embedded in an iframe, blocking clickjacking attacks. The Content-Security-Policy directive `frame-ancestors 'none'` is the modern equivalent, so in practice both are sent together: older browsers honour X-Frame-Options, and current browsers give CSP precedence when both are present.
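The following middleware is an added example (not code from the original page or from the Laravel project) showing how the headers listed above are set in Laravel. The class name `SecurityHeaders`, the namespace, and the specific policy values are assumptions chosen for illustration; the CSP in particular is a conservative starting point that any real application will need to adjust for its own scripts and assets.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Adds security headers to every response that passes through the middleware.
 * Hypothetical class for illustration; register it in bootstrap/app.php
 * (Laravel 11+) or in the global $middleware array of app/Http/Kernel.php
 * (Laravel 10 and earlier).
 */
class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        // Let the rest of the stack build the response first, then decorate it.
        $response = $next($request);

        // Assumed baseline values; tighten or relax per application.
        $headers = [
            // Refuse to be framed (clickjacking); frame-ancestors below is the CSP form.
            'X-Frame-Options'        => 'DENY',
            // Stop browsers from MIME-sniffing a response away from its declared type.
            'X-Content-Type-Options' => 'nosniff',
            // Send the full referrer only to same-origin pages; strip path/query cross-origin.
            'Referrer-Policy'        => 'strict-origin-when-cross-origin',
            // Minimal CSP: same-origin resources only, no plugins, no framing, fixed base URL.
            'Content-Security-Policy' => "default-src 'self'; "
                . "object-src 'none'; "
                . "frame-ancestors 'none'; "
                . "base-uri 'self'",
        ];

        // HSTS is only honoured by browsers when received over HTTPS, so emit it
        // only on secure requests; this also keeps local HTTP development usable.
        if ($request->isSecure()) {
            $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
        }

        foreach ($headers as $name => $value) {
            // set() replaces any value a controller or package may have added earlier.
            $response->headers->set($name, $value);
        }

        return $response;
    }
}
```

To apply it globally on Laravel 11 or later, append it in `bootstrap/app.php` inside the `withMiddleware` callback with `$middleware->append(\App\Http\Middleware\SecurityHeaders::class);`. Roll a new CSP out as `Content-Security-Policy-Report-Only` first and watch the browser console or a `report-to` endpoint for violations, since a policy this strict will block inline scripts, third-party CDNs and Vite's dev server until the relevant sources are allow-listed. Verify the deployed result from outside with `curl -sI https://your-app.example/ | grep -iE 'x-frame|content-security|strict-transport'`.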
Related Terms
Cross-Site Scripting (XSS)
A vulnerability where an attacker injects malicious JavaScript into web pages viewed by other users. The injected script runs in the victim's browser with the same privileges as legitimate scripts, allowing the attacker to steal session tokens, redirect users, or modify page content.
Cross-Site Request Forgery (CSRF)
An attack where a malicious website tricks a user's browser into performing an unwanted action on a site where the user is authenticated. The browser automatically sends cookies with the request, so the target site processes it as a legitimate action from the user.
HTTP Strict Transport Security (HSTS)
A security header that tells browsers to only connect to your website over HTTPS. Once a browser receives the HSTS header, it will automatically convert all future HTTP requests to HTTPS for the specified `max-age` duration, preventing protocol downgrade attacks and cookie hijacking. Browsers only honour the header when it arrives over an HTTPS response, and a user's very first plain-HTTP visit is still unprotected unless the domain is on the browser preload list.
Related Articles
Laravel Is Now on the Same Federal Vulnerability List as Apple. Here Is What That Means.
CISA added the Livewire RCE vulnerability (CVE-2025-54068) to the Known Exploited Vulnerabilities catalog, linking it to active exploitation by Iranian APT MuddyWater. A Laravel ecosystem package is now on the same US government list as Apple and Microsoft. Here is what that changes for your team.
Copy Fail: Why Every Laravel Server Needs a Kernel Update Right Now (CVE-2026-31431)
A local privilege escalation vulnerability in the Linux kernel affects every server running a kernel from 2017 onward. Laravel Forge has issued a specific advisory. The exploit is 732 bytes, works reliably, and is active in the wild. Here is what Laravel teams need to do.
Laravel 13 Security: What Changed from Laravel 12 and What You Need to Know
A security-focused review of Laravel 13 for teams upgrading from Laravel 12. Covers new defaults, deprecated patterns, configuration changes, and a post-upgrade security checklist.