https://github.com/softspring/response-headers
This component provides response headers configuration for Symfony projects
https://github.com/softspring/response-headers
component symfony
Last synced: about 1 year ago
JSON representation
This component provides response headers configuration for Symfony projects
- Host: GitHub
- URL: https://github.com/softspring/response-headers
- Owner: softspring
- License: agpl-3.0
- Created: 2022-07-19T10:43:36.000Z (almost 4 years ago)
- Default Branch: 5.5
- Last Pushed: 2025-03-21T13:13:09.000Z (over 1 year ago)
- Last Synced: 2025-03-24T18:07:03.462Z (over 1 year ago)
- Topics: component, symfony
- Language: PHP
- Homepage:
- Size: 55.7 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Response headers component
[](https://github.com/softspring/response-headers/actions/workflows/ci.yml)
This component, made for Symfony, allows to set response headers defining them in configuration.
## Installation
### Applications that use Symfony Flex
Open a command console, enter your project directory and execute:
```console
$ composer require softspring/response-headers
```
## Basic configuration
Create a configuration file:
```yaml
# config/packages/response_headers.yaml
parameters:
response_headers:
X-Frame-Options: "SAMEORIGIN"
X-Content-Type-Options: "nosniff"
services:
Softspring\Component\ResponseHeaders\EventListener\ResponseHeadersListener:
tags: ['kernel.event_subscriber']
arguments:
$headers: '%response_headers%'
```
## Use conditions
You can set some conditions to match before applying response headers.
### Configure services
For this feature expression language component is required:
```console
$ composer require symfony/expression-language
```
Then you must configure expression language service:
```yaml
# config/packages/response_headers.yaml
parameters:
response_headers_global_conditions: []
response_headers:
...
services:
softspring.response_headers.expression_language:
class: Symfony\Component\ExpressionLanguage\ExpressionLanguage
arguments:
- '@?Psr\Cache\CacheItemPoolInterface'
Softspring\Component\ResponseHeaders\EventListener\ResponseHeadersListener:
tags: ['kernel.event_subscriber']
arguments:
$headers: '%response_headers%'
$expressionLanguage: '@softspring.response_headers.expression_language'
$globalConditions: '%response_headers_global_conditions%'
```
### Define conditions
Now you can set a condition to be matched before applying a response header:
```yaml
# config/packages/response_headers.yaml
parameters:
response_headers:
X-Frame-Options:
value: "SAMEORIGIN"
condition: "request.getPathInfo() matches '^/admin'"
Access-Control-Allow-Origin:
value: "*"
condition: "request.getPathInfo() matches '^/api'"
```
### Define global conditions
Also you can set global conditions to be matched for every headers:
```yaml
# config/packages/response_headers.yaml
parameters:
response_headers_global_conditions:
- 'isMainRequest'
```
This global condition is recommended, to avoid setting headers for sub-requests, but it's not mandatory.
### Build conditions
For the conditions, **request** and **response** objects are available. Also a **isMainRequest** variable is defined.
Check Symfony [expression-language documentation](https://symfony.com/doc/current/components/expression_language/syntax.html).
## Headers configuration reference
There are several ways to define headers:
**Single value header**
```yaml
# config/packages/response_headers.yaml
parameters:
response_headers:
X-Frame-Options: "SAMEORIGIN"
```
This code generates a *x-frame-options: "SAMEORIGIN"* header.
**Multiple value header**
Multiple value headers, will be merged to a single string delimited by semicolons
```yaml
# config/packages/response_headers.yaml
parameters:
response_headers:
Feature-Policy:
- "geolocation 'self'"
- "vibrate 'none'"
```
This code generates a *feature-policy: "geolocation 'self'; vibrate 'none'"* header.
**Value field**
Also you can define the values into a *value* field:
```yaml
# config/packages/response_headers.yaml
parameters:
response_headers:
X-Frame-Options:
value: "SAMEORIGIN"
Feature-Policy:
value:
- "geolocation 'self'"
- "vibrate 'none'"
```
This *value* field is mandatory if you want to set a condition or a replace behaviour.
**Condition**
As said before, headers could be restricted with conditions:
```yaml
# config/packages/response_headers.yaml
parameters:
response_headers:
X-Frame-Options:
value: "SAMEORIGIN"
condition: "request.getHost() == 'api.mydomain.com"
```
**Replace behaviour**
Symfony response allows to define if a header must replace a previous defined header value.
By default, this replace behaviour is defined as true. But you can disable it using:
```yaml
# config/packages/response_headers.yaml
parameters:
response_headers:
X-Frame-Options:
value: "SAMEORIGIN"
replace: false
```
## Common security headers
This is an example witch defines common security headers:
```yaml
# config/packages/response_headers.yaml
parameters:
response_headers_global_conditions:
- 'isMainRequest'
response_headers:
X-XSS-Protection:
- "1"
- "mode=block"
X-Frame-Options: "SAMEORIGIN"
X-Content-Type-Options: "nosniff"
Strict-Transport-Security:
- "max-age=31536000"
- "includeSubDomains"
Referrer-Policy: "same-origin"
Feature-Policy:
- "geolocation 'self'"
- "vibrate 'none'"
# ... include every feature the application uses.
Content-Security-Policy:
- "default-src 'none'"
- "img-src 'self'"
- "font-src 'self'"
- "manifest-src 'self'"
- "frame-src 'self'"
- "script-src 'self' 'unsafe-inline'"
- "style-src 'self' 'unsafe-inline'"
- "connect-src 'self'"
```
Check Content-Security-Policy to include every base urls with services you use. Also try to avoid *unsafe-inline* configuration, this is up to your project.
## License
This package is free and released under the [AGPL-3.0 license](LICENSE).