No header sent with Laravel 12
Hello,
I think it's a problem of installation, but I don't see what is wrong. (https://github.com/bepsvpt/secure-headers?tab=readme-ov-file#installation)
I do this :
- Add in bootstrap\providers.php: `Bepsvpt\SecureHeaders\SecureHeadersServiceProvider::class,` because in your installation documentation you talk of config/app.php, but I think it's only for Laravel < 5.5
- Add in app\Http\Kernel.php: `\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class,`
- Copy the secure-headers.php in the folder config
- Of course, install your package.
In the bootstrap/cache/services.php I can see:

```php
39 => 'App\\Providers\\QueryBuilderMacroProvider',
40 => 'Bepsvpt\\SecureHeaders\\SecureHeadersServiceProvider',
),
'eager' =>
```
Thanks for your help.
Regards
Hi,
I tried with an old branch in Laravel 11 and it works perfectly. Just some headers are there twice, so I think it's a problem with Laravel 12. I saw that the providers in the config/app.php:

```php
'providers' => ServiceProvider::defaultProviders()->merge([
    /*
     * Package Service Providers...
     */
    App\Providers\FortifyServiceProvider::class,
    Bepsvpt\SecureHeaders\SecureHeadersServiceProvider::class,
```

have migrated with Laravel 12 to bootstrap/providers.php, so I put the `SecureHeadersServiceProvider` class there too:

```php
return [
    Bepsvpt\SecureHeaders\SecureHeadersServiceProvider::class,
    App\Providers\FortifyServiceProvider::class,
    App\Providers\AppServiceProvider::class,
    App\Providers\QueryBuilderMacroProvider::class,
];
```
without success.
How can I help to solve the problem?
Regards
Hi,
I found the solution because it works, but I don't know if it's the best fix:
In bootstrap/app.php, register the middleware like this:

```php
->withMiddleware(function (Middleware $middleware) {
    $middleware->append(\Bepsvpt\SecureHeaders\SecureHeadersMiddleware::class);
})
```
But I don't understand why I have the same header twice:
Next step, configure the nonce for inline scripts.
Regards
Hello @FabienArr,
Laravel 12 introduces a new directory structure, and I’ve updated the README to reflect these changes. Thanks for reporting the issue.
Regarding the X-Powered-By header, please update your php.ini file to disable this built-in PHP feature. You can find more information in the official documentation: https://www.php.net/manual/en/ini.core.php#ini.expose-php
Hi @bepsvpt ,
Thanks for your reply. I thought that expose_php = Off would turn off X-Powered-By too. But it's OK now.
I think you could add this in the readme for Laravel 12:
Because the `Bepsvpt\SecureHeaders\SecureHeadersServiceProvider::class,` must be in the new file `bootstrap/providers.php`.
Regards
I just encountered a little problem that I don't understand. When I load my project with the Chrome console open, it's OK:
But if I load the site and open the inspector afterwards, I have this:
So I don't understand if I have a problem or not.
Thanks for your advice.
> I think you could add this in the readme for Laravel 12 :
You don’t need to add that line manually. This package uses Package Discovery, so Laravel will automatically load the service provider for you.
> I just encounter a little problem that I don't understand, when I load my project with the chrome console open it's ok :
The CSP error is not affected by whether the console is open or not. Based on your screenshot, you'll need to check the allowlist for the style-src (CSS) directive.
> You don’t need to add that line manually. This package uses Package Discovery, so Laravel will automatically load the service provider for you.
Ok
> The CSP error is not affected by whether the console is open or not. Based on your screenshot, you'll need to check the allowlist for the style-src (CSS) directive.

I have no problem with JS, but only with styles:
I know it's not an issue with your component but a problem of configuration; do you have any idea?
Regards
If I put all my external CSS styles like this, I get no error:

```php
'style-src' => [
    'self' => true,
    'allow' => [
        'https://fonts.googleapis.com',
        'https://cdn.datatables.net',
        'https://cdn.jsdelivr.net',
        'https://unpkg.com',
    ],
],
```

But if I put a nonce, normally I don't need to allow them by their URL. Right?
Regards
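As an added example (not from this thread or the secure-headers package), here is a small JavaScript model of how a browser applies a style-src source list like the one quoted above; the page origin and the nonce value are assumed/constructed. It goes a little beyond the question by also showing @import and style attributes, which a nonce never covers.

```javascript
// Added example: simplified CSP style-src matching as a browser performs it.
// Wildcard hosts, path matching, hashes and the http->https upgrade rule are
// deliberately omitted; the inputs below do not need them.

const PAGE_ORIGIN = "https://example.test"; // assumed origin of the Laravel app

// Mirrors the 'style-src' entry from config/secure-headers.php in the thread,
// plus a per-response nonce (constructed value, not a real one).
const styleSrc = {
  self: true,
  allow: [
    "https://fonts.googleapis.com",
    "https://cdn.datatables.net",
    "https://cdn.jsdelivr.net",
    "https://unpkg.com",
  ],
  nonces: ["c29tZS1yYW5kb20tbm9uY2U="],
};

// Host-source check: scheme and host (including port) must equal an allowlist
// entry or, when 'self' is set, the page origin.
function urlAllowed(policy, url) {
  const u = new URL(url);
  const sources = policy.self ? [PAGE_ORIGIN, ...policy.allow] : policy.allow;
  return sources.some((src) => {
    const s = new URL(src);
    return s.protocol === u.protocol && s.host === u.host;
  });
}

// req: { kind: "inline" | "link" | "import" | "attribute", url?, nonce? }
//   inline    -> a <style> element; allowed only by a matching nonce attribute
//   link      -> <link rel="stylesheet" href=...>; a nonce attribute on the
//                element OR a matching host-source allows it
//   import    -> @import inside a stylesheet; no element, so no nonce: the
//                URL must match the allowlist
//   attribute -> style="..." attribute; nonces never apply, and with a nonce
//                present 'unsafe-inline' is ignored, so it is blocked
function styleAllowed(policy, req) {
  const nonceOk = req.nonce !== undefined && policy.nonces.includes(req.nonce);
  switch (req.kind) {
    case "inline":    return nonceOk;
    case "link":      return nonceOk || urlAllowed(policy, req.url);
    case "import":    return urlAllowed(policy, req.url);
    case "attribute": return false;
    default:          return false;
  }
}
```

The practical answer to the question above: a nonce on the `<link>` tag does replace the URL allowlist for that tag, but @import chains, style attributes and fonts (font-src) still need their own allowlist entries.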