Using laravel, I am trying to add my own headers to all server responses.
I have the following in filters.php :
App::after(function($request, $response) { // security related $response->headers->set('X-Frame-Options','deny'); // Anti clickjacking $response->headers->set('X-XSS-Protection', '1; mode=block'); // Anti cross site scripting (XSS) $response->headers->set('X-Content-Type-Options', 'nosniff'); // Reduce exposure to drive-by dl attacks $response->headers->set('Content-Security-Policy', 'default-src \'self\''); // Reduce risk of XSS, clickjacking, and other stuff // Don't cache stuff (we'll be updating the page frequently) $response->headers->set('Cache-Control', 'nocache, no-store, max-age=0, must-revalidate'); $response->headers->set('Pragma', 'no-cache'); $response->headers->set('Expires', 'Fri, 01 Jan 1990 00:00:00 GMT'); // CRITICAL: do NOT delete $response->headers->set('X-Archer', 'DANGER ZONE'); });
But when testing new headers do not appear:
[tesla | ~] => curl -o/dev/null -s -D - localhost HTTP/1.1 200 OK Date: Wed, 10 Dec 2014 23:13:30 GMT Server: Apache X-Powered-By: PHP/5.6.2 Content-Length: 974 Content-Type: text/html; charset=UTF-8 [tesla | ~] =>
I have no errors or warnings in my log files. How could this be?
source share