What Are Security Headers?
HTTP response headers that tell the browser how to handle your site's content: which origins it may load scripts and styles from, whether the page may be rendered inside a frame, and whether it should only ever connect over HTTPS. By constraining what the browser is allowed to do, they mitigate common attacks such as cross-site scripting (XSS), clickjacking, and protocol downgrade attacks. They are a defence-in-depth layer, not a substitute for fixing the underlying vulnerability.
In Laravel Applications
Laravel does not send these headers out of the box (its built-in CSRF protection is a separate mechanism). You add them either at the web server (nginx, Apache) or, more portably, in a Laravel middleware that sets them on every response, which keeps the policy in version control alongside the application. Key headers include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Example
Adding `X-Frame-Options: DENY` tells the browser never to render your Laravel application inside a frame on any site, including your own origin, which blocks clickjacking. Use `SAMEORIGIN` instead if you legitimately frame your own pages. Modern browsers give precedence to the Content-Security-Policy `frame-ancestors` directive, so send both: `frame-ancestors 'none'` for current browsers and `X-Frame-Options: DENY` for older ones.
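To make the middleware step concrete, here is an added example of such a middleware for the headers listed above. It is not code from this page or from Laravel itself; the class name `SecurityHeaders`, the `REPORT_ONLY` switch, and the policy values are assumptions chosen for illustration, and the registration snippet in the docblock is the standard Laravel way to append global middleware.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Adds a baseline set of security headers to every response.
 *
 * Hypothetical example class written for this page, not part of Laravel.
 * Register it globally:
 *   Laravel 11+: in bootstrap/app.php,
 *     ->withMiddleware(fn (Middleware $middleware) => $middleware->append(SecurityHeaders::class))
 *   Laravel 10 and earlier: add the class to the $middleware array in app/Http/Kernel.php.
 */
class SecurityHeaders
{
    /**
     * Flip to true while rolling out the CSP: Report-Only logs violations to the
     * browser console instead of blocking, so an over-strict policy cannot break the app.
     */
    private const REPORT_ONLY = false;

    /** A deliberately strict starting policy; widen individual directives only as needed. */
    private const CSP = [
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self'",
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "frame-ancestors 'none'", // CSP equivalent of X-Frame-Options: DENY
    ];

    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);
        $headers  = $response->headers;

        $cspHeader = self::REPORT_ONLY
            ? 'Content-Security-Policy-Report-Only'
            : 'Content-Security-Policy';
        $headers->set($cspHeader, implode('; ', self::CSP));

        // Browsers only honour HSTS on HTTPS responses, so never emit it on plain HTTP
        // (e.g. local development). Behind a load balancer, isSecure() is only correct
        // once the TrustProxies middleware is configured for that proxy.
        // Only add includeSubDomains if every subdomain already serves HTTPS.
        if ($request->isSecure()) {
            $headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
        }

        // Legacy framing control for browsers that predate frame-ancestors.
        $headers->set('X-Frame-Options', 'DENY');

        // Stop the browser from guessing a content type and executing, say, an
        // uploaded "image" as a script.
        $headers->set('X-Content-Type-Options', 'nosniff');

        // Send the full URL only to same-origin requests; cross-origin gets the origin alone.
        $headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');

        return $response;
    }
}
```

Two caveats from running this in practice. First, `script-src 'self'` blocks inline `<script>` tags and the Vite dev server, so start with `REPORT_ONLY = true`, read the console violations, and only then tighten or relax directives. Second, verify from outside rather than trusting the code: `curl -sI https://your-app.example | grep -iE 'content-security|strict-transport|x-frame|x-content-type|referrer'` should show every header, and a missing `Strict-Transport-Security` on an HTTPS deployment usually means the proxy configuration is making `isSecure()` return false.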
Related Terms
Cross-Site Scripting (XSS)
A vulnerability where an attacker injects malicious JavaScript into web pages viewed by other users. The injected script runs in the victim's browser with the same privileges as legitimate scripts, allowing the attacker to steal session tokens, redirect users, or modify page content.
Cross-Site Request Forgery (CSRF)
An attack where a malicious website tricks a user's browser into performing an unwanted action on a site where the user is authenticated. The browser automatically sends cookies with the request, so the target site processes it as a legitimate action from the user.
HTTP Strict Transport Security (HSTS)
A security header that tells browsers to connect to your website only over HTTPS. Once a browser has received the HSTS header over an HTTPS connection (it is ignored on plain-HTTP responses), it rewrites all future HTTP requests to that host to HTTPS for the specified `max-age` and refuses to let the user click through certificate errors, which defeats protocol downgrade attacks and the cookie hijacking they enable.
Related Articles
Open Ports in Production: Why Your Laravel Server Has More Exposed Services Than You Think
Most Laravel deployments expose far more network services than developers realise. From MySQL and Redis to forgotten Vite dev servers, open ports give attackers a roadmap to your infrastructure. Here is how to find and close them.
How to Security Audit a Laravel Application: A Practical Guide
A step-by-step guide to auditing the security of a Laravel application. Covers dependency scanning, configuration review, external scanning, code review patterns, and how to prioritize findings.
Security Headers for SOC 2 and ISO 27001: What Laravel Teams Need to Know
SOC 2 and ISO 27001 audits increasingly flag missing or misconfigured security headers. Learn which headers auditors look for, how to implement them in Laravel middleware, and how to monitor compliance continuously.
Monitor Your Laravel Application's Security
StackShield continuously checks your Laravel application from the outside, catching security issues before attackers find them.