This Twill Capsule lets developers add a Security Headers configuration to their applications, with a friendly dashboard where users configure these headers:
(Screenshot: Mozilla Observatory security headers check)
- CSP (Content Security Policy)
- HSTS (Strict-Transport-Security)
- Permissions-Policy
- Referrer-Policy
- X-Content-Type-Options
- X-Frame-Options
- Expect-CT (deprecated by most browsers)
- X-XSS-Protection (non-standard, not for production)
This capsule can also strip unwanted headers from the response. Update the config/twill-security-headers.php
file and list the header names to remove from the response:

```php
// config/twill-security-headers.php
'unwanted-headers' => ['X-Powered-By', 'server', 'Server'],
```
Composer will resolve this automatically for you, but these are the supported version pairings between Twill and this package:

Twill Version | Twill Security Headers Capsule
---|---
3.x | 2.x
2.x | 1.x

```shell
composer require area17/twill-security-headers
php artisan vendor:publish --provider="A17\TwillSecurityHeaders\ServiceProvider"
php artisan migrate
```
It's pretty straightforward: once installed, the Twill menu gains a Security Headers entry. It is a single page listing all supported headers, where you can enable or disable each one and edit the value sent with the response.
If you clear the Twill menu in order to build a new one yourself, you will need to add the link manually:

```php
use A17\Twill\Facades\TwillNavigation;
use A17\Twill\View\Components\Navigation\NavigationLink;

TwillNavigation::clear();
...
// Register the capsule's page in your custom navigation
TwillNavigation::addLink(
    NavigationLink::make()
        ->forModule('TwillSecurityHeaders')
        ->title('Security headers')
);
```
Creating CSP policies usually takes time and they are hard to write by hand. You can use Report URI, a great tool that lets you paste your current policy, edit it, and generate a new string to paste into the package.
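After enabling the headers, configuring unwanted-headers, and pasting in a CSP, a practitioner wants to verify what the application actually sends. The following is an added Python example, not code from this package: it parses a constructed HTTP response, reports managed headers that are missing, unwanted headers that are still present, an HSTS max-age too short for preload, and a CSP whose script-src allows 'unsafe-inline'. Header names are compared case-insensitively here because HTTP header names are case-insensitive (RFC 9110); the sample responses, the one-year HSTS threshold and the header lists are assumptions made for the example.

```python
"""Audit the security headers of an HTTP response (added example, not part of
twill-security-headers). The responses below are constructed for the example."""
from __future__ import annotations

import re

# Constructed sample: a response before the capsule is configured.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.25\r\n"
    "X-Powered-By: PHP/8.2\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.example; object-src 'none'\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same page after the headers are configured.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; "
    "object-src 'none'; frame-ancestors 'none'\r\n"
    "\r\n"
)

# Headers the capsule manages (Expect-CT and X-XSS-Protection left out: deprecated / non-standard).
REQUIRED = [
    "content-security-policy",
    "strict-transport-security",
    "permissions-policy",
    "referrer-policy",
    "x-content-type-options",
    "x-frame-options",
]

# Mirrors the 'unwanted-headers' config example; lowercase because names are
# compared case-insensitively, so 'server' and 'Server' are one header here.
UNWANTED = ["x-powered-by", "server"]

ONE_YEAR = 31536000  # assumed minimum HSTS max-age (preload eligibility threshold)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Return headers keyed by lowercase name; repeated headers keep every value."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit(raw: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    findings = [f"missing {name}" for name in REQUIRED if name not in headers]
    findings += [f"unwanted {name} present" for name in UNWANTED if name in headers]

    hsts = headers.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append(f"hsts max-age {m.group(1)} below {ONE_YEAR}")

    xcto = headers.get("x-content-type-options")
    if xcto and xcto[0].lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")

    # script-src falls back to default-src when absent, as browsers do
    csp = parse_csp(headers.get("content-security-policy", [""])[0])
    script_src = csp.get("script-src", csp.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("csp script-src allows 'unsafe-inline'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("before:", finding)
    print("after:", audit(HARDENED_RESPONSE) or "no findings")
```

Run it against a real response by replacing SAMPLE_RESPONSE with the output of curl -si against your site; the checks only need the header block, so the body can be left out.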
This package is enabled by default and registers itself automatically. To disable it, add the following to your .env:

```shell
TWILL_SECURITY_HEADERS_ENABLED=false
```
Please contribute to this project by submitting pull requests.