tyrannosaurusjames/silverstripe-security-headers

SilverStripe security headers

SilverStripe module for easily adding a selection of useful HTTP headers.

Comes with a default set of headers configured, but can be used to add any headers you wish.

Install

Install via composer:

composer require guttmann/silverstripe-security-headers 1.0.*

Usage

Apply the extension

Apply the SecurityHeaderControllerExtension to the controller of your choice.

For example, add this to your mysite/_config/config.yml file:

Page_Controller:
  extensions:
    - Guttmann\SilverStripe\SecurityHeaderControllerExtension

Configure the headers

Configure header values to suit your site. It's important that your config is loaded after the security-headers module's config.

For example, your mysite/_config/config.yml file might look like this:

---
Name: mysite
After:
  - 'framework/*'
  - 'cms/*'
  - 'security-headers/*'
---
Guttmann\SilverStripe\SecurityHeaderControllerExtension:
  headers:
    Content-Security-Policy: "default-src 'self' *.google-analytics.com;"
    Strict-Transport-Security: "max-age=2592000"
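
To confirm that the values above are what the site actually sends, the response headers can be compared against the config. The following is an added example, not part of this module; the function names, the normalization rule and the sample response are assumptions constructed for illustration.

```python
# Added example: confirm a response carries the values set in mysite/_config/config.yml.
# EXPECTED mirrors the config above; SAMPLE_RESPONSE is constructed sample data.
EXPECTED = {
    "Content-Security-Policy": "default-src 'self' *.google-analytics.com;",
    "Strict-Transport-Security": "max-age=2592000",
}

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "content-security-policy: default-src 'self'  *.google-analytics.com;\r\n"
    "Strict-Transport-Security: max-age=2592000\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def normalize(value):
    """Collapse whitespace and drop a trailing ';' so equivalent values compare equal."""
    return " ".join(value.split()).rstrip("; ")


def check_headers(raw, expected):
    """Return (header, problem) tuples; an empty list means the config took effect."""
    got = parse_headers(raw)
    problems = []
    for name, want in expected.items():
        values = got.get(name.lower(), [])  # header names are case-insensitive
        if not values:
            problems.append((name, "missing"))
        elif len(values) > 1:
            # Sent twice: another layer (web server, proxy) probably sets it too.
            problems.append((name, "duplicated"))
        elif normalize(values[0]) != normalize(want):
            problems.append((name, "unexpected value: " + values[0]))
    return problems


if __name__ == "__main__":
    print(check_headers(SAMPLE_RESPONSE, EXPECTED) or "headers match config")
```

An unexpected value for a header you have configured is the typical symptom of your config not being loaded after the module's.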

Disclaimer

I am not a security expert - the default header values used in this module are based on advice I have received from a number of sources.

They are not set in stone and if you see any issues please send me a pull request.
