Harden your Laravel app with CSP headers

Jul 8, 2021 by Thibault Debatty | 4398 views

Laravel Secure Software Development Docker Cyber-Wise

https://cylab.be/blog/155/harden-your-laravel-app-with-csp-headers

CSP (Content Security Policy) reduces the risk of cross-site scripting and other content-injection attacks by defining, at the level of the webserver, a header that whitelists authorized sources of content for your website.

There is no policy that fits all websites. Hence CSP is not enabled by default on a Laravel app. So here is an example that you should add to the file public/.htaccess:

<IfModule mod_headers.c>
  # https://cylab.be/blog/155/harden-your-laravel-app-with-csp-headers
  Header set Content-Security-Policy "default-src 'self'; style-src 'self' fonts.googleapis.com; object-src 'none'; form-action 'self'; font-src 'self' fonts.gstatic.com"
</IfModule>

In this example:

  • by default js and css files can only be downloaded from the same domain;
  • css files can be downloaded from the domain self, or from fonts.googleapis.com;
  • <object>, <embed> and <applet> are blocked;
  • form can only be POSTed to the same domain;
  • fonts can be downloaded from the same domain, or from fonts.googleapis.com.

CSP has a lot of available directives. To help you define your CSP you can use an online CSP header generator. You can also use a validator that will explain the result of your CSP.

For this to work, you must enable the headers module on your server:

sudo a2enmod headers

Or, if you are using Docker, you must add this command to your Dockerfile:

RUN a2enmod headers

Check

You can check the header is correctly sent by your server using the 'Network' tab of your browser.

This example is taken from our Cyber-Wise project.

This blog post is licensed under CC BY-SA 4.0

Fully customizable emails using Laravel 9
With the release of Laravel 9, the Swift Mailer (that is no longer maintained) has been replaced by the Symfony Mailer. You can already find some useful information about this change along all the other ones in the Upgrade Guide from Laravel 8.x to 9.0. However this guide does not contain enough information if you want to send fully customized emails. This blog post proposes you a solution coming directly from the Symfony documentation!
Feb 1, 2023 | 2853 views
Share on Mastodon with shareon.js
With recent events on Twitter, the micro-blogging network Mastodon has gained a lot of interest. Unlike Twitter, Mastodon is free and open-source software. Moreover, Mastodon uses a decentralized approach: the Mastodon network is composed of multiple instances managed by different suppliers, each with its own code of conduct, terms of service, privacy policy, privacy options, and moderation policies. If you want to support the network, here is how you can add 'Share on Mastodon' icons on your website.
Dec 18, 2022 | 1381 views
2-factor authentication for Laravel using TOTP
2-factor authentication is an important protection for a web application. In this blog post we see how Time based One Time Password (TOTP) authentication works, and how it can be implemented in a Laravel application...
Oct 23, 2022 | 6312 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept