
Using laravel, I am attempting to add my own headers to all responses from the server.

I have the following in filters.php:

App::after(function($request, $response)
{
    // security related
    $response->headers->set('X-Frame-Options','deny'); // Anti clickjacking
    $response->headers->set('X-XSS-Protection', '1; mode=block'); // Anti cross site scripting (XSS)
    $response->headers->set('X-Content-Type-Options', 'nosniff'); // Reduce exposure to drive-by dl attacks
    $response->headers->set('Content-Security-Policy', 'default-src \'self\''); // Reduce risk of XSS, clickjacking, and other stuff
    // Don't cache stuff (we'll be updating the page frequently)
    // Note: the directive is "no-cache" (with a hyphen); "nocache" is not a valid Cache-Control directive
    $response->headers->set('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate');
    $response->headers->set('Pragma', 'no-cache');
    $response->headers->set('Expires', 'Fri, 01 Jan 1990 00:00:00 GMT');
    // CRITICAL: do NOT delete
    $response->headers->set('X-Archer', 'DANGER ZONE');
});

Yet no new headers show up when I test it:

[tesla | ~] => curl -o/dev/null -s -D - localhost
HTTP/1.1 200 OK
Date: Wed, 10 Dec 2014 23:13:30 GMT
Server: Apache
X-Powered-By: PHP/5.6.2
Content-Length: 974
Content-Type: text/html; charset=UTF-8

[tesla | ~] =>

I have no error or warnings in my log files. How could this be?

  • Which version of Laravel? In 4, it's header() instead of headers->set() laravel.com/docs/4.2/responses Commented Dec 10, 2014 at 23:45
  • @mopo922 I am using 4.2, however changing it to $response->header('key','val') didn't change anything Commented Dec 10, 2014 at 23:55
  • The other thing you could try is just normal PHP header() Commented Dec 10, 2014 at 23:57
  • Placing that in App::after produces an error saying headers were already sent, but placing it in App::before does work. I was just hoping there was a more Laravel way to go about doing it :) Commented Dec 10, 2014 at 23:58
  • In that case, maybe App::after is too late to add headers, Laravel way or not. Commented Dec 11, 2014 at 0:00

3 Answers


Try this out: In the controller function that calls the view, follow with a call to the 'Response' class:

$contents = View::make('your_view')->with('data', $data);
$response = Response::make($contents, 200);
$response->header('X-Frame-Options','deny'); // Anti clickjacking
$response->header('X-XSS-Protection', '1; mode=block'); // Anti cross site scripting (XSS)
$response->header('X-Content-Type-Options', 'nosniff'); // Reduce exposure to drive-by dl attacks
$response->header('Content-Security-Policy', 'default-src \'self\''); // Reduce risk of XSS, clickjacking, and other stuff
// Don't cache stuff (we'll be updating the page frequently)
// "no-cache" is the correct directive name; "nocache" would be ignored by browsers
$response->header('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate');
$response->header('Pragma', 'no-cache');
$response->header('Expires', 'Fri, 01 Jan 1990 00:00:00 GMT');
return $response;

Of course you could refactor the above and include it in a helper function.


3 Comments

$response->header('X-Archer', 'DANGER ZONE'); why?
@LukasBernhard -- you can disregard that custom header. Removed.
This isn't working for me make() undefined though class is inherited for RESPONSE
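The answer suggests moving the header list into a helper. The following is an added example, not code from the question or either answer: it keeps the header set in one place, applies it to a Laravel 4.2 response with Response::header() (the helper assumes Laravel 4.2 is installed), and adds a plain-PHP check that reads a raw header block such as the one curl printed in the question and reports which expected headers are absent or differ. The function names and the constructed sample header block are this example's own.

```php
<?php
// Added example (not from the question or answers). securityHeaders() is the
// single source of truth; applySecurityHeaders() assumes a Laravel 4.2
// Illuminate\Http\Response; missingSecurityHeaders() is framework-free.

function securityHeaders()
{
    return array(
        'X-Frame-Options'         => 'deny',               // anti clickjacking
        'X-XSS-Protection'        => '1; mode=block',      // XSS auditor hint for older browsers
        'X-Content-Type-Options'  => 'nosniff',            // no MIME sniffing
        'Content-Security-Policy' => "default-src 'self'", // same-origin resources only
        // "no-cache" (hyphenated) is the real directive; "nocache" is ignored
        'Cache-Control'           => 'no-cache, no-store, max-age=0, must-revalidate',
        'Pragma'                  => 'no-cache',
        'Expires'                 => 'Fri, 01 Jan 1990 00:00:00 GMT',
    );
}

// Laravel 4.2: call from a controller (as in the answer) or from the
// App::after() closure in filters.php, which receives the same response.
function applySecurityHeaders($response)
{
    foreach (securityHeaders() as $name => $value) {
        $response->header($name, $value);
    }
    return $response;
}

// Parse a raw header block (status line plus "Name: value" lines) into a
// lowercase-name => value map. Header names are case-insensitive.
function parseRawHeaders($raw)
{
    $headers = array();
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (strpos($line, ':') === false) {
            continue; // status line or blank line
        }
        list($name, $value) = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

// Return the names of expected headers that are missing or carry another value.
function missingSecurityHeaders($raw)
{
    $present = parseRawHeaders($raw);
    $missing = array();
    foreach (securityHeaders() as $name => $expected) {
        $key = strtolower($name);
        if (!isset($present[$key]) || strcasecmp($present[$key], $expected) !== 0) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed sample: the header block from the question's curl run, in which
// none of the security headers are present.
$sample = "HTTP/1.1 200 OK\r\n"
        . "Date: Wed, 10 Dec 2014 23:13:30 GMT\r\n"
        . "Server: Apache\r\n"
        . "X-Powered-By: PHP/5.6.2\r\n"
        . "Content-Length: 974\r\n"
        . "Content-Type: text/html; charset=UTF-8\r\n";

if (PHP_SAPI === 'cli') {
    foreach (missingSecurityHeaders($sample) as $name) {
        echo "missing: $name\n";
    }
}
```

Run with php on the command line against output saved from curl -s -D - to confirm the filter actually fired; for the sample above every header in the list is reported missing, which is exactly the symptom the question describes.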

Also an option:

return Response::view('view_name', [
    'data' => $data,
  ])->header('X-Frame-Options','deny');

Found in: http://laravel.com/docs/4.2/responses#basic-responses

Look at Creating Custom Responses


return response($content)
            ->header('Content-Type', $type)
            ->header('X-Header-One', 'Header Value')
            ->header('X-Header-Two', 'Header Value');

Laravel 5.8
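The response()->header() chain above sets headers on one response. For the question's actual goal, headers on every response, the Laravel 5.x counterpart of the 4.2 App::after() filter is a global middleware. The following is an added example, not code from the answer: the class name and its registration in app/Http/Kernel.php are this example's own choices.

```php
<?php
// Added example (not from the answer). app/Http/Middleware/SecurityHeaders.php
// in a Laravel 5.x application; the class name is this example's own choice.

namespace App\Http\Middleware;

use Closure;

class SecurityHeaders
{
    // Runs after the inner handlers have produced the response, so views,
    // JSON and redirects all receive the same headers.
    public function handle($request, Closure $next)
    {
        $response = $next($request);

        // Laravel responses extend Symfony's Response, so headers->set() is
        // available here. Three of the question's headers are shown.
        $response->headers->set('X-Frame-Options', 'deny');
        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->headers->set('Content-Security-Policy', "default-src 'self'");

        return $response;
    }
}

// Register it once in the $middleware array of app/Http/Kernel.php so that it
// runs for every request:
//
//     protected $middleware = [
//         // ...
//         \App\Http\Middleware\SecurityHeaders::class,
//     ];
```

Because the headers are set after $next($request) returns, the middleware never hits the "headers already sent" error that the question's comments report for raw header() calls in App::after.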
