PHP Secure Headers: A Modern Approach to Web Application Security in PHP

I needed better control over security headers in my PHP projects—and none of the existing tools worked the way I needed.

So I built one.

Today I’m introducing easyshield/php-secure-headers, a modern, developer-first package that helps you implement security headers easily, flexibly, and reliably.


🔒 Why PHP Secure Headers?

Most existing packages:

  • Don’t support the latest versions of Laravel or Symfony
  • Rely on outdated config-heavy setups
  • Lack modern features like nonce-based CSP
  • Have limited or no test coverage

PHP Secure Headers was designed to fix all that.


⚙️ Key Features

1. Native Support for Modern Frameworks

  • Laravel 11/12
  • Symfony 7/8
  • PHP 8.1+

2. Smart Content Security Policy (CSP) with Nonce

```php
use EasyShield\SecureHeaders\SecureHeaders;

$headers = new SecureHeaders();
$headers->enableCSP([
    'default-src' => ["'self'"],
    'script-src' => ["'self'", "'nonce-" . $headers->getNonce() . "'"],
    'style-src' => ["'self'", "https://fonts.googleapis.com"],
    'img-src' => ["'self'", "data:", "https:"],
    'font-src' => ["'self'", "https://fonts.gstatic.com"],
    'connect-src' => ["'self'"],
    'frame-ancestors' => ["'none'"]
]);
```
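
To show what the nonce directive above actually buys you, here is the plain-PHP version of a nonce-based CSP flow, written as an added example (it is not code from the package): a fresh nonce per response, the same value in the header and in the markup, and a check that finds inline scripts the browser would block. The function names and the sample HTML are constructed for this illustration.

```php
<?php
// Added example, not code from easyshield/php-secure-headers: the plain-PHP
// version of the nonce-based CSP flow the package automates, plus a check
// that the markup actually uses the nonce the header allows.

/** Fresh, unguessable nonce for exactly one response (128 bits, base64). */
function generateCspNonce(): string
{
    return base64_encode(random_bytes(16));
}

/** Nonce allowed by script-src in a CSP value, or null if none is present. */
function extractScriptNonce(string $csp): ?string
{
    foreach (explode(';', $csp) as $directive) {
        $tokens = preg_split('/\s+/', trim($directive));
        if ($tokens[0] !== 'script-src') {
            continue;
        }
        foreach ($tokens as $token) {
            if (preg_match('/^\'nonce-([A-Za-z0-9+\/=]+)\'$/', $token, $m)) {
                return $m[1];
            }
        }
    }
    return null;
}

/** Inline <script> tags in $html that lack the nonce; the browser would block these. */
function findInlineScriptsWithoutNonce(string $html, string $nonce): array
{
    preg_match_all('/<script\b[^>]*>/i', $html, $tags);
    $withNonce = '/\bnonce=(["\'])' . preg_quote($nonce, '/') . '\1/';
    // External scripts (src=) are covered by 'self' in this policy, so only inline ones count.
    return array_values(array_filter($tags[0], fn ($tag) =>
        !preg_match('/\bsrc=/i', $tag) && !preg_match($withNonce, $tag)));
}

// Constructed demo: one request, one nonce, used in both the header and the markup.
$nonce = generateCspNonce();
$csp = "default-src 'self'; script-src 'self' 'nonce-{$nonce}'; frame-ancestors 'none'";
header('Content-Security-Policy: ' . $csp);
$html = "<script nonce=\"{$nonce}\">init();</script><script>legacy();</script>";
var_dump(findInlineScriptsWithoutNonce($html, extractScriptNonce($csp)));
```

The second script tag carries no nonce, so the check reports it; that is exactly the tag a browser refuses to run under this policy, which is why the nonce must be generated per response rather than once per process and threaded into every inline script.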

3. Flexible Security Levels

  • Strict mode for high-security environments
  • Basic mode for more compatibility during development

4. Support for All Critical Headers

  • HSTS
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • Referrer-Policy
  • Permissions-Policy
  • Critical Client Hints


🚀 Installation

Composer

```bash
composer require easyshield/php-secure-headers
```

Laravel Integration

```php
use EasyShield\SecureHeaders\SecureHeaders;
use Closure;
use Illuminate\Http\Request;

class SecureHeadersMiddleware
{
    private SecureHeaders $headers;

    public function __construct()
    {
        $this->headers = new SecureHeaders();
        $this->headers->enableAllSecurityHeaders();
    }

    public function handle(Request $request, Closure $next)
    {
        $response = $next($request);
        foreach ($this->headers->getHeaders() as $name => $value) {
            $response->header($name, $value);
        }
        return $response;
    }
}
```

Symfony Integration

```php
use EasyShield\SecureHeaders\SecureHeaders;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class SecureHeadersSubscriber implements EventSubscriberInterface
{
    private SecureHeaders $headers;

    public function __construct()
    {
        $this->headers = new SecureHeaders();
        $this->headers->enableAllSecurityHeaders();
    }

    public static function getSubscribedEvents(): array
    {
        return [
            KernelEvents::RESPONSE => 'onKernelResponse',
        ];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        // Only decorate the main response, not sub-requests (fragments, ESI).
        if (!$event->isMainRequest()) {
            return;
        }
        $response = $event->getResponse();

        foreach ($this->headers->getHeaders() as $name => $value) {
            $response->headers->set($name, $value);
        }
    }
}
```

🧪 Testing & Coverage

✅ 100% Test Coverage

  • 57 unit tests
  • Laravel/Symfony integration tests
  • Functional tests for every header type

Test Examples

Nonce Test

```php
$headers = new SecureHeaders();
$headers->enableCSP();
$nonce = $headers->getNonce();
```

Strict vs Basic Mode

```php
$strict = new SecureHeaders(SecureHeaders::LEVEL_STRICT);
$strict->enableAllSecurityHeaders();

$basic = new SecureHeaders(SecureHeaders::LEVEL_BASIC);
$basic->enableAllSecurityHeaders();
```

Custom HSTS

```php
$headers = new SecureHeaders();
$headers->enableHSTS(3600, false, true);
```

Here's how php-secure-headers stands out:

✅ Laravel 11/12 support: built-in

✅ Symfony 7/8 support: native integration

✅ Framework-agnostic: yes – works outside of Laravel/Symfony too

✅ Configuration style: modern fluent API, no bulky config arrays

✅ Setup time: just 5 lines of code

✅ Test coverage: 100%, fully unit-tested

❌ Most other packages lack support for new framework versions

❌ Others require more boilerplate and manual nonce management


✅ Why Use This Package?

  • Modern & Simple – Minimal setup, fluent API, clean defaults
  • Safe by Design – Secure headers, strict CSP with nonce, no guesswork
  • Performance-Friendly – Lightweight, no bloat, no dependencies
  • Battle-Tested – Full test coverage, real-world framework use


📎 Get Started

```bash
composer require easyshield/php-secure-headers
```

GitHub: https://github.com/shadighorbani7171/php-secure-headers

Packagist: https://packagist.org/packages/easyshield/php-secure-headers

Docs: GUIDE.md

#watercooler #programming #discuss