Description
The template does not include security headers middleware out of the box. While docs/security.md provides a recommended implementation, this should be included by default to ensure applications are secure from the start.
File: bootstrap/app.php (lines 21-23)

```php
->withMiddleware(function (Middleware $middleware) {
    \Core\Front\Boot::middleware($middleware);
})
```
Missing Headers
Applications created from this template will not have these security headers:
- X-Frame-Options - Prevents clickjacking
- X-Content-Type-Options - Prevents MIME-type sniffing
- X-XSS-Protection - Enables browser XSS filtering
- Referrer-Policy - Controls referrer information
- Content-Security-Policy - Prevents XSS and injection attacks
Impact
New applications will be vulnerable to:
- Clickjacking attacks
- MIME-type confusion attacks
- Cross-site scripting (in some browsers)
- Data leakage via referrer headers
Recommendation
- Create app/Http/Middleware/SecurityHeaders.php with sensible defaults
- Register it in bootstrap/app.php for web routes
- Make CSP configurable via environment variables
The docs/security.md already has a complete implementation that could be included by default.
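As an added illustration of the three recommendation steps (this is example code written for this issue, not the template's own middleware or the implementation in docs/security.md), the following shows one way to wire it up: a middleware that sets the five headers listed above, a config file that makes the CSP and frame policy overridable from the environment, and the registration line for bootstrap/app.php. The file names config/security.php, the config keys under `security.*`, and the environment variables SECURITY_CSP and SECURITY_FRAME_OPTIONS are assumptions for the example, not names the template defines. Values are read through config() rather than env() so they survive `php artisan config:cache`, and a header is only set when the response has not already set it, so a route that needs a different CSP can override the default.

```php
<?php
// ---- config/security.php (assumed file name; values are example defaults) ----
return [
    // Overridable via .env; empty string disables the header entirely.
    'csp' => env(
        'SECURITY_CSP',
        "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    ),
    // DENY blocks all framing; use SAMEORIGIN if the app frames its own pages.
    'frame_options' => env('SECURITY_FRAME_OPTIONS', 'DENY'),
    'referrer_policy' => 'strict-origin-when-cross-origin',
];

// ---- app/Http/Middleware/SecurityHeaders.php (example, not the template's code) ----
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Header name => value. An empty value means "do not send this header".
        $headers = [
            'X-Frame-Options'         => (string) config('security.frame_options', 'DENY'),
            'X-Content-Type-Options'  => 'nosniff',
            // Legacy header: current browsers ignore it and rely on CSP instead.
            // Kept here because the issue lists it among the expected defaults.
            'X-XSS-Protection'        => '1; mode=block',
            'Referrer-Policy'         => (string) config('security.referrer_policy', 'strict-origin-when-cross-origin'),
            'Content-Security-Policy' => (string) config('security.csp', ''),
        ];

        foreach ($headers as $name => $value) {
            // Do not clobber a header a controller or another middleware set deliberately.
            if ($value !== '' && ! $response->headers->has($name)) {
                $response->headers->set($name, $value);
            }
        }

        return $response;
    }
}

// ---- bootstrap/app.php: register for the web group (Laravel 11 Middleware API) ----
// ->withMiddleware(function (Middleware $middleware) {
//     \Core\Front\Boot::middleware($middleware);
//     $middleware->web(append: [\App\Http\Middleware\SecurityHeaders::class]);
// })
```

A quick check after wiring it in is `curl -sI http://localhost:8000/ | grep -iE '^(x-frame|x-content|referrer|content-security)'`; every one of the four lines should appear on a fresh template install, and a tightened `SECURITY_CSP` in .env should change the CSP line without a code change.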