{"id":15021848,"url":"https://github.com/softspring/response-headers","last_synced_at":"2025-04-10T20:32:39.326Z","repository":{"id":46703228,"uuid":"515542495","full_name":"softspring/response-headers","owner":"softspring","description":"This component provides response headers configuration for Symfony projects","archived":false,"fork":false,"pushed_at":"2025-03-21T13:13:09.000Z","size":57,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"5.5","last_synced_at":"2025-03-24T18:07:03.462Z","etag":null,"topics":["component","symfony"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/softspring.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-19T10:43:36.000Z","updated_at":"2025-03-20T12:29:55.000Z","dependencies_parsed_at":"2023-01-31T08:30:36.649Z","dependency_job_id":"3b47b16f-95fe-4471-a415-e11fc192d00d","html_url":"https://github.com/softspring/response-headers","commit_stats":{"total_commits":55,"total_committers":4,"mean_commits":13.75,"dds":0.2545454545454545,"last_synced_commit":"d92e2898c182dc0eb8843abd8240e283a165c2ff"},"previous_names":[],"tags_count":106,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softspring%2Fresponse-headers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softspring%2Fresponse-headers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softspring%2Fresponse-heade
rs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softspring%2Fresponse-headers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/softspring","download_url":"https://codeload.github.com/softspring/response-headers/tar.gz/refs/heads/5.5","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248290041,"owners_count":21078923,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["component","symfony"],"created_at":"2024-09-24T19:57:08.213Z","updated_at":"2025-04-10T20:32:39.318Z","avatar_url":"https://github.com/softspring.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Response headers component\n\n![Latest Stable](https://img.shields.io/packagist/v/softspring/response-headers?label=stable\u0026style=flat-square)\n![Latest Unstable](https://img.shields.io/packagist/v/softspring/response-headers?label=unstable\u0026style=flat-square\u0026include_prereleases)\n![License](https://img.shields.io/packagist/l/softspring/response-headers?style=flat-square)\n![PHP 
Version](https://img.shields.io/packagist/dependency-v/softspring/response-headers/php?style=flat-square)\n![Downloads](https://img.shields.io/packagist/dt/softspring/response-headers?style=flat-square)\n[![CI](https://img.shields.io/github/actions/workflow/status/softspring/response-headers/ci.yml?branch=5.4\u0026style=flat-square\u0026label=CI)](https://github.com/softspring/response-headers/actions/workflows/ci.yml)\n![Coverage](https://raw.githubusercontent.com/softspring/response-headers/5.4/.github/badges/coverage.svg)\n\nThis component for Symfony lets you set response headers by defining them in configuration.\n\n## Installation\n\n### Applications that use Symfony Flex\n\nOpen a command console, enter your project directory and execute:\n\n```console\n$ composer require softspring/response-headers\n```\n\n## Basic configuration\n\nCreate a configuration file:\n\n```yaml\n# config/packages/response_headers.yaml\nparameters:\n    response_headers:\n        X-Frame-Options: \"SAMEORIGIN\"\n        X-Content-Type-Options: \"nosniff\"\n\nservices:\n    Softspring\\Component\\ResponseHeaders\\EventListener\\ResponseHeadersListener:\n        tags: ['kernel.event_subscriber']\n        arguments:\n            $headers: '%response_headers%'\n```\n\n## Use conditions\n\nYou can set conditions that must match before response headers are applied.\n\n### Configure services\n\nThis feature requires the expression language component:\n\n```console\n$ composer require symfony/expression-language\n```\n\nThen configure the expression language service:\n\n```yaml\n# config/packages/response_headers.yaml\nparameters:\n    response_headers_global_conditions: []\n    response_headers:\n        ...\n\nservices:\n    softspring.response_headers.expression_language:\n        class: Symfony\\Component\\ExpressionLanguage\\ExpressionLanguage\n        arguments:\n            - '@?Psr\\Cache\\CacheItemPoolInterface'\n\n    
Softspring\\Component\\ResponseHeaders\\EventListener\\ResponseHeadersListener:\n        tags: ['kernel.event_subscriber']\n        arguments:\n            $headers: '%response_headers%'\n            $expressionLanguage: '@softspring.response_headers.expression_language'\n            $globalConditions: '%response_headers_global_conditions%'\n```\n\n### Define conditions\n\nNow you can set a condition that must match before a response header is applied:\n\n```yaml\n# config/packages/response_headers.yaml\nparameters:\n    response_headers:\n        X-Frame-Options:\n            value: \"SAMEORIGIN\"\n            # the matches operator takes a delimited regular expression\n            condition: \"request.getPathInfo() matches '#^/admin#'\"\n        Access-Control-Allow-Origin:\n            value: \"*\"\n            condition: \"request.getPathInfo() matches '#^/api#'\"\n```\n\n### Define global conditions\n\nYou can also set global conditions that must match for every header:\n\n```yaml\n# config/packages/response_headers.yaml\nparameters:\n    response_headers_global_conditions:\n        - 'isMainRequest'\n```\n\nThis global condition is recommended, to avoid setting headers for sub-requests, but it's not mandatory.\n\n### Build conditions\n\nFor the conditions, **request** and **response** objects are available. 
An **isMainRequest** variable is also defined.\n\nSee the Symfony [expression-language documentation](https://symfony.com/doc/current/components/expression_language/syntax.html) for the syntax.\n\n## Headers configuration reference\n\nThere are several ways to define headers:\n\n**Single value header**\n\n```yaml\n# config/packages/response_headers.yaml\nparameters:\n    response_headers:\n        X-Frame-Options: \"SAMEORIGIN\"\n```\n\nThis code generates an *x-frame-options: \"SAMEORIGIN\"* header.\n\n**Multiple value header**\n\nMultiple-value headers are merged into a single string delimited by semicolons:\n\n```yaml\n# config/packages/response_headers.yaml\nparameters:\n    response_headers:\n        Feature-Policy:\n            - \"geolocation 'self'\"\n            - \"vibrate 'none'\"\n```\n\nThis code generates a *feature-policy: \"geolocation 'self'; vibrate 'none'\"* header.\n\n**Value field**\n\nYou can also define the values in a *value* field:\n\n```yaml\n# config/packages/response_headers.yaml\nparameters:\n    response_headers:\n        X-Frame-Options:\n            value: \"SAMEORIGIN\"\n        Feature-Policy:\n            value:\n                - \"geolocation 'self'\"\n                - \"vibrate 'none'\"\n```\n\nThis *value* field is mandatory if you want to set a condition or a replace behaviour.\n\n**Condition**\n\nAs described above, headers can be restricted with conditions:\n\n```yaml\n# config/packages/response_headers.yaml\nparameters:\n    response_headers:\n        X-Frame-Options:\n            value: \"SAMEORIGIN\"\n            condition: \"request.getHost() == 'api.mydomain.com'\"\n```\n\n**Replace behaviour**\n\nThe Symfony response lets you define whether a header must replace a previously defined header value.\n\nBy default, this replace behaviour is defined as true. 
But you can disable it using:\n\n```yaml\n# config/packages/response_headers.yaml\nparameters:\n    response_headers:\n        X-Frame-Options:\n            value: \"SAMEORIGIN\"\n            replace: false\n```\n\n## Common security headers\n\nThis is an example which defines common security headers:\n\n```yaml\n# config/packages/response_headers.yaml\nparameters:\n    response_headers_global_conditions:\n        - 'isMainRequest'\n    response_headers:\n        X-XSS-Protection:\n            - \"1\"\n            - \"mode=block\"\n        X-Frame-Options: \"SAMEORIGIN\"\n        X-Content-Type-Options: \"nosniff\"\n        Strict-Transport-Security:\n            - \"max-age=31536000\"\n            - \"includeSubDomains\"\n        Referrer-Policy: \"same-origin\"\n        Feature-Policy:\n            - \"geolocation 'self'\"\n            - \"vibrate 'none'\"\n            # ... include every feature the application uses.\n        Content-Security-Policy:\n            - \"default-src 'none'\"\n            - \"img-src 'self'\"\n            - \"font-src 'self'\"\n            - \"manifest-src 'self'\"\n            - \"frame-src 'self'\"\n            - \"script-src 'self' 'unsafe-inline'\"\n            - \"style-src 'self' 'unsafe-inline'\"\n            - \"connect-src 'self'\"\n```\n\nReview the Content-Security-Policy so that it includes the base URLs of every service you use. Also try to avoid the *unsafe-inline* configuration; whether you can depends on your project.\n\n## License\n\nThis package is free and released under the [AGPL-3.0 license](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoftspring%2Fresponse-headers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsoftspring%2Fresponse-headers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoftspring%2Fresponse-headers/lists"}