Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Laravel Not Adding Custom Headers

Tags:

http-headers

http

php

laravel

Using laravel, I am attempting to add my own headers to all responses from the server.

I have the following in filters.php:

App::after(function($request, $response)
{
    // security related 
    $response->headers->set('X-Frame-Options','deny'); // Anti clickjacking
    $response->headers->set('X-XSS-Protection', '1; mode=block'); // Anti cross site scripting (XSS)
    $response->headers->set('X-Content-Type-Options', 'nosniff'); // Reduce exposure to drive-by dl attacks
    $response->headers->set('Content-Security-Policy', 'default-src \'self\''); // Reduce risk of XSS, clickjacking, and other stuff
    // Don't cache stuff (we'll be updating the page frequently)
    $response->headers->set('Cache-Control', 'nocache, no-store, max-age=0, must-revalidate');
    $response->headers->set('Pragma', 'no-cache');
    $response->headers->set('Expires', 'Fri, 01 Jan 1990 00:00:00 GMT');
    // CRITICAL: do NOT delete
    $response->headers->set('X-Archer', 'DANGER ZONE');
});

Yet no new headers show up when I test it:

[tesla | ~] => curl -o/dev/null -s -D - localhost
HTTP/1.1 200 OK
Date: Wed, 10 Dec 2014 23:13:30 GMT
Server: Apache
X-Powered-By: PHP/5.6.2
Content-Length: 974
Content-Type: text/html; charset=UTF-8

[tesla | ~] =>

I have no error or warnings in my log files. How could this be?

like image 506
735Tesla Avatar asked Dec 10 '14 23:12

735Tesla

1 Answers

Try this out: In the controller function that calls the view, follow with a call to the 'Response' class:

$contents = View::make('your_view')->with('data', $data);
$response = Response::make($contents, 200);
$response->header('X-Frame-Options','deny'); // Anti clickjacking
$response->header('X-XSS-Protection', '1; mode=block'); // Anti cross site scripting (XSS)
$response->header('X-Content-Type-Options', 'nosniff'); // Reduce exposure to drive-by dl attacks
$response->header('Content-Security-Policy', 'default-src \'self\''); // Reduce risk of XSS, clickjacking, and other stuff
    // Don't cache stuff (we'll be updating the page frequently)
$response->header('Cache-Control', 'nocache, no-store, max-age=0, must-revalidate');
$response->header('Pragma', 'no-cache');
$response->header('Expires', 'Fri, 01 Jan 1990 00:00:00 GMT');
return $response;

Of course you could refactor the above and include it in a helper function.

like image 85
FredTheWebGuy Avatar answered Oct 20 '22 23:10

FredTheWebGuy
Sign in to Comment

Related questions

PHPCS Limit to Filetype
How to specify 'default' in a parameterized PHP PDO insert?
Composer - Autoload and PSR-0 vs PSR-4
Widget Categories WordPress, change display count
Search in PHP array with a custom comparator
Match alpha letters and accented alpha letters
PHP simple HTML Dom select inner text only not child inne rtext
About JavaScript and PHP assignment operators: Why the different results?
Unified User Account with Multiple Social Logins/Signups Database Structure
php report-Strict Standards: mktime(): You should be using the time() function instead
Laravel Hash equivalent in core php
Connect to socket.io(nodejs) via PHP
How the twig caching exactly work? [closed]
Yii2: Use scopes of realtion in with() of ActiveRecord
Yii Framework 2.0 GridView and data from the join table
apple push notification for iOS and google cloud messaging for android using php?
How to recieve an image (file) with PHP that was submitted over a POST request
Laravel forms - route not defined
Symfony Twig override specific form row
Facebook Realtime Update API for page feed

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!