jcaillot / owasp-headers
Laravel middleware. Adds the OWASP-recommended headers to the response
v1.3
2021-11-10 21:13 UTC
Requires
- php: ^7.4 || ^8.0
- laravel/framework: ^5.2 || ^6.0 || ^7.0 || ^8.0
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.1
- phpstan/phpstan: ^0.12.98
- phpunit/phpunit: ^9.5
README
OWASP headers middleware for the Laravel framework
Laravel middleware. Adds the OWASP-recommended headers to the response
Prerequisites
Laravel >= 5.2
Installation
1. Install the library
composer require jcaillot/owasp-headers
2. Edit the configuration file
Copy ./vendor/jcaillot/owasp-headers/config/owasp-headers-example.php
to ./config/owasp-headers.php in your application's config directory
php -r "copy( 'vendor/jcaillot/owasp-headers/config/owasp-headers-example.php', 'config/owasp-headers.php');"
Feel free to edit your ./config/owasp-headers.php copy to fine-tune the OWASP-recommended headers. Note: headers such as HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP) need particular attention to avoid any accidents (a wrong HSTS value can lock clients out of the site for its whole max-age, and a too-strict CSP blocks legitimate scripts and images). Below is the default list of headers that will be added to the response
return [
    'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains; preload',
    # Prevents the browser from interpreting files as something else than declared by the content type.
    # The name must be spelled X-Content-Type-Options (with the trailing s); browsers ignore the header otherwise:
    'X-Content-Type-Options' => 'nosniff',
    # Caveat: this fixed value is applied to every response, including JSON and file downloads;
    # remove it if your application serves anything other than HTML:
    'Content-Type' => 'text/html; charset=utf-8',
    # Enables the Cross-site scripting (XSS) filter in the browser:
    'X-XSS-Protection' => '1; mode=block',
    # The browser must not display the transmitted content in frames:
    'X-Frame-Options' => 'DENY',
    # No XML policy file (for Flash or Acrobat) allowed:
    # see https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
    'X-Permitted-Cross-Domain-Policies' => 'none',
    # Referrer-Policy governs which referrer information, sent in the Referer header, should be included:
    'Referrer-Policy' => 'same-origin',
    # Content Security Policy (CSP) requires careful tuning
    # see https://csp-evaluator.withgoogle.com
    # example: 'Content-Security-Policy' => 'default-src \'self\'; img-src \'self\'; script-src \'self\'; frame-ancestors \'none\'',
    'Content-Security-Policy' => 'frame-ancestors \'none\'',
    # Selectively enable and disable use of various browser features and APIs.
    # Feature-Policy directives are written as "feature 'allowlist'" with no colon;
    # Permissions-Policy has since replaced Feature-Policy in current browsers:
    'Feature-Policy' => 'camera \'none\'; payment \'none\'; microphone \'none\'',
];
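A pre-deployment check for the array above, added here as an example and not code from the jcaillot/owasp-headers package. The function name lintOwaspHeaders, its rules and the sample array are assumptions; it flags the HSTS and CSP mistakes the note warns about, plus misspelled header names that browsers silently ignore.

```php
<?php
// Added example, not from the jcaillot/owasp-headers package: lint the array returned by
// config/owasp-headers.php before deploying it (HSTS/CSP pitfalls and header-name typos).
function lintOwaspHeaders(array $headers): array
{
    $problems = [];
    $known = ['Strict-Transport-Security', 'X-Content-Type-Options', 'Content-Type',
        'X-XSS-Protection', 'X-Frame-Options', 'X-Permitted-Cross-Domain-Policies',
        'Referrer-Policy', 'Content-Security-Policy', 'Feature-Policy', 'Permissions-Policy'];
    foreach (array_keys($headers) as $name) {
        if (!in_array($name, $known, true)) {   // e.g. X-Content-Type-Option without the s
            $problems[] = "unknown header name '$name' (typo?)";
        }
    }
    if (isset($headers['Strict-Transport-Security'])) {
        $hsts = strtolower($headers['Strict-Transport-Security']);
        $maxAge = preg_match('/max-age=(\d+)/', $hsts, $m) ? (int) $m[1] : null;
        if ($maxAge === null) {
            $problems[] = 'HSTS: max-age directive is missing';
        }
        // Preload submission requires max-age >= 1 year plus includeSubDomains, and a
        // preloaded host is hard to roll back, so verify both before shipping.
        if (strpos($hsts, 'preload') !== false) {
            if ($maxAge !== null && $maxAge < 31536000) {
                $problems[] = 'HSTS: preload needs max-age >= 31536000';
            }
            if (strpos($hsts, 'includesubdomains') === false) {
                $problems[] = 'HSTS: preload needs includeSubDomains';
            }
        }
    }
    if (isset($headers['Content-Security-Policy'])) {
        // Weak sources in a script-controlling directive defeat the point of a CSP
        foreach (["'unsafe-inline'", "'unsafe-eval'", '*'] as $weak) {
            $re = '/(?:default|script)-src[^;]*' . preg_quote($weak, '/') . '/';
            if (preg_match($re, $headers['Content-Security-Policy'])) {
                $problems[] = "CSP: $weak allowed in a script-controlling directive";
            }
        }
    }
    return $problems;
}
// Constructed sample that contains the header-name typo and a weak CSP on purpose
$sample = [
    'Strict-Transport-Security' => 'max-age=86400; preload',
    'X-Content-Type-Option' => 'nosniff',
    'Content-Security-Policy' => "default-src 'self'; script-src 'self' 'unsafe-inline'",
];
echo implode(PHP_EOL, lintOwaspHeaders($sample)), PHP_EOL;
```

Point the script at `require 'config/owasp-headers.php'` instead of `$sample` to check a real configuration; an empty result means none of these rules fired, not that the policy is complete.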
3. Declare the middleware in the Kernel
In app/Kernel.php you can declare the middleware globally, so that every response is affected
protected $middleware = [
    ...
    \Chaman\Http\Middleware\OwaspHeaders::class,
];
Alternatively, you can declare it as a route middleware and attach it at the route level
protected $routeMiddleware = [
    ...
    'owasp.headers' => \Chaman\Http\Middleware\OwaspHeaders::class,
];
Then apply it to any route (in routes/web.php)
Route::get('/home', function () {
    ...
})->middleware('owasp.headers');
About the OWASP-recommended headers
More information on the OWASP-recommended headers can be found in the OWASP Secure Headers Project wiki