
Security Headers Twill Capsule

This Twill Capsule is intended to let developers add a Security Headers configuration to their applications, giving users a friendly dashboard to configure these headers:

Screenshots

CMS configuration: [screenshot 1], [screenshot 2]

Mozilla Observatory security headers check: [screenshot]

Supported Headers

Unwanted headers

This capsule also has an option for removing unwanted headers from the response. Update the config/twill-security-headers.php file to list any headers that should be stripped from the response:

'unwanted-headers' => ['X-Powered-By', 'server', 'Server'],
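As an added illustration (not the capsule's own code), the following Laravel middleware shows how an 'unwanted-headers' list like the one above is applied to every response, together with a couple of hardening headers; the class name, the 'enabled' config key and the default header values are assumptions made for this example.

```php
<?php
// Added illustration, not the capsule's own code: a Laravel middleware that
// applies an 'unwanted-headers' list like the one above to every response and
// sets a couple of hardening headers. The class name, the 'enabled' config key
// and the default header values are assumptions made for this example.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class StripUnwantedHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Honour a kill switch such as TWILL_SECURITY_HEADERS_ENABLED=false
        // (assumed here to be read into config as 'enabled').
        if (! config('twill-security-headers.enabled', true)) {
            return $response;
        }

        // Symfony's HeaderBag treats header names case-insensitively, so
        // 'server' and 'Server' refer to the same entry; listing both is harmless.
        foreach (config('twill-security-headers.unwanted-headers', []) as $name) {
            $response->headers->remove($name);
        }
        // A Server header appended by the web server itself (e.g. nginx) is
        // added after PHP returns and has to be removed in the server config.

        // Defaults are only set when absent so that per-route values win.
        $defaults = [
            'X-Content-Type-Options' => 'nosniff',
            'Referrer-Policy' => 'strict-origin-when-cross-origin',
        ];
        foreach ($defaults as $name => $value) {
            if (! $response->headers->has($name)) {
                $response->headers->set($name, $value);
            }
        }

        return $response;
    }
}
```

Register the middleware in the application's HTTP kernel (or middleware group) for it to run on each request.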

Installing

Supported Versions

Composer will manage this automatically for you, but these are the supported version pairings between Twill and this package.

Twill Version    HTTP Basic Auth Capsule
3.x              2.x
2.x              1.x

Require the Composer package:

composer require area17/twill-security-headers

Publish the configuration

php artisan vendor:publish --provider="A17\TwillSecurityHeaders\ServiceProvider"

Migrate the database to create package tables

php artisan migrate

Usage

It's pretty straightforward: once installed, you will have access to the menu option Twill Security Headers, a single page listing all the supported headers, where you can enable or disable each one and edit the values sent with the response.

Menu

If you are clearing the Twill menu in order to create a new one yourself, you will need to add it manually:

// Typically in the boot() method of your AppServiceProvider.
use A17\Twill\Facades\TwillNavigation;
use A17\Twill\View\Components\Navigation\NavigationLink;

TwillNavigation::clear();

...

// Re-add the link that the capsule would otherwise register for you.
TwillNavigation::addLink(
    NavigationLink::make()
        ->forModule('TwillSecurityHeaders')
        ->title('Security headers')
);

CSP config

Creating CSP policies usually takes time and they are hard to write by hand. You can make use of Report URI, a great tool that lets you paste your current policy, edit it, and generate a new policy string to paste into the package's CSP setting.

Disabling

This package is enabled by default and registers itself automatically. To disable it, add the following to your .env file:

TWILL_SECURITY_HEADERS_ENABLED=false

Contribute

Please contribute to this project by submitting pull requests.