SecureHeaders Demo

Here are the response headers this page just sent you.


strict-transport-security: max-age=31536000; includeSubDomains; preload
expect-ct: max-age=31536000; enforce
referrer-policy: no-referrer
referrer-policy: strict-origin-when-cross-origin
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-frame-options: Deny
content-security-policy: default-src 'none'; script-src https://www.google-analytics.com/analytics.js https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.10.0/highlight.min.js 'nonce-IaJfMhjNi6xyKO3OUCaahZaRggM18TPr2PvNAjmW' 'strict-dynamic'; style-src 'self' https://fonts.googleapis.com/css https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.6.3/css/font-awesome.min.css https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.10.0/styles/default.min.css 'nonce-ABYJKu+JG9fWJV1iBkcwt/CabT0Tv3LlsxEcVaWz'; font-src https://cdnjs.cloudflare.com/ajax/libs/font-awesome/ https://fonts.gstatic.com/s/opensans/ https://fonts.gstatic.com/s/sourcecodepro/; img-src 'self' https://www.google-analytics.com/; base-uri 'self'
set-cookie: super-secret-token=EyK4nWZqU4B6pmbT; Secure; HttpOnly; SameSite=Strict
            

Here's the PHP configuration that produced them. Note that only the Content-Security-Policy and its nonces are configured explicitly below; the remaining headers (HSTS, Expect-CT, both Referrer-Policy values, X-Frame-Options, nosniff, X-XSS-Protection, X-Permitted-Cross-Domain-Policies) and the Secure/HttpOnly/SameSite=Strict cookie flags come from strictMode() and the library's defaults.


<?php

use Aidantwoods\SecureHeaders\SecureHeaders;

$SecureHeaders = new SecureHeaders;

// strictMode() is what emits the headers that are not configured in this
// file (HSTS with preload, Expect-CT, the two Referrer-Policy values,
// X-Frame-Options, nosniff, X-XSS-Protection, X-Permitted-Cross-Domain-
// Policies) and what upgrades the cookie below with Secure/HttpOnly/
// SameSite=Strict — compare the header listing above with the csp() call.
// NOTE(review): the cookie is protected only because the library rewrites
// the Set-Cookie header on output; setcookie() itself passes no flags, so
// dropping applyOnOutput() would send the token unprotected.
$SecureHeaders->strictMode();

// Register the output handler that injects/rewrites headers when the page
// body is sent.
$SecureHeaders->applyOnOutput();

// 12 bytes from the CSPRNG -> 16 base64 characters. random_bytes() is the
// right source for anything token-like; the cookie name is demo-only.
$token = base64_encode(random_bytes(12));
setcookie('super-secret-token', $token);

// Content-Security-Policy: deny everything by default, then open each
// resource class to exactly the hosts/paths this page loads from. Script
// sources are pinned to full file URLs rather than whole CDN origins.
$policy = [
    'default' => 'none',
    'script' => [
        'https://www.google-analytics.com/analytics.js',
        'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.10.0/highlight.min.js',
    ],
    'style' => [
        'self',
        'https://fonts.googleapis.com/css',
        'https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.6.3/css/font-awesome.min.css',
        'https://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.10.0/styles/default.min.css',
    ],
    'font' => [
        'https://cdnjs.cloudflare.com/ajax/libs/font-awesome/',
        'https://fonts.gstatic.com/s/opensans/',
        'https://fonts.gstatic.com/s/sourcecodepro/',
    ],
    'image' => [
        'self',
        'https://www.google-analytics.com/',
    ],
    // Prevents an injected <base> tag from redirecting relative script/style
    // URLs to an attacker host.
    'base-uri' => 'self',
];
$SecureHeaders->csp($policy);

// Per-request nonces for the inline <style>/<script> on this page. The
// library appends 'nonce-…' to the matching directive; the 'strict-dynamic'
// seen in script-src above is presumably added by the library alongside the
// script nonce, since it is not configured here — verify against the docs.
foreach (['style', 'script'] as $directive) {
    $SecureHeaders->cspNonce($directive);
}
            
SecureHeaders on GitHub.