What Are Security Headers?
HTTP response headers that instruct browsers how to handle your website's content securely. They protect against common attacks like cross-site scripting (XSS), clickjacking, and protocol downgrade attacks by telling the browser what actions are allowed.
In Laravel Applications
Laravel does not set security headers by default. You need to add them via middleware. Key headers include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Example
Adding `X-Frame-Options: DENY` prevents your Laravel application from being embedded in an iframe, blocking clickjacking attacks.
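As an added example (not code from the original page or from StackShield), here is a Laravel middleware that sets the headers listed above on every response. The class name `SecurityHeaders`, the HSTS max-age and the Content-Security-Policy value are assumptions to tune for your own application.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Hypothetical middleware that adds security headers to every response.
 * Register it globally: in Laravel 11+ via $middleware->append(SecurityHeaders::class)
 * inside withMiddleware() in bootstrap/app.php; in Laravel 10 and earlier by adding
 * it to the $middleware array in app/Http/Kernel.php.
 */
class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        /** @var Response $response */
        $response = $next($request);

        // HSTS is only honoured by browsers when received over HTTPS, so only
        // send it on secure requests. Add "preload" only once every subdomain
        // is served over HTTPS, because the preload list is hard to leave.
        if ($request->secure()) {
            $response->headers->set(
                'Strict-Transport-Security',
                'max-age=31536000; includeSubDomains'
            );
        }

        $headers = [
            // DENY blocks all framing (clickjacking); frame-ancestors in the CSP
            // below is the modern equivalent, so both are set for older browsers.
            'X-Frame-Options'        => 'DENY',
            'X-Content-Type-Options' => 'nosniff',
            'Referrer-Policy'        => 'strict-origin-when-cross-origin',
            // Assumed starting policy: strict by default, then widen it only for the
            // script, style and image origins your pages actually load. Inline
            // scripts (e.g. in Blade views) will be blocked until you add a nonce.
            'Content-Security-Policy' =>
                "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'",
        ];

        foreach ($headers as $name => $value) {
            // Do not clobber a header a controller or package set deliberately.
            if (! $response->headers->has($name)) {
                $response->headers->set($name, $value);
            }
        }

        return $response;
    }
}
```

After deploying, confirm the headers with `curl -I https://your-app.example` and check the browser console for CSP violation reports before tightening the policy further.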
Related Terms
Cross-Site Scripting (XSS)
A vulnerability where an attacker injects malicious JavaScript into web pages viewed by other users. The injected script runs in the victim's browser with the same privileges as legitimate scripts, allowing the attacker to steal session tokens, redirect users, or modify page content.
Cross-Site Request Forgery (CSRF)
An attack where a malicious website tricks a user's browser into performing an unwanted action on a site where the user is authenticated. The browser automatically sends cookies with the request, so the target site processes it as a legitimate action from the user.
HTTP Strict Transport Security (HSTS)
A security header that tells browsers to only connect to your website over HTTPS. Once a browser receives the HSTS header, it will automatically convert all future HTTP requests to HTTPS for the specified duration, preventing protocol downgrade attacks and cookie hijacking.
Related Articles
The OWASP Top 10 Just Changed. Here Is What It Means for Laravel Teams.
The OWASP Top 10 2025 added supply chain failures at #3 and error handling at #10, while injection dropped to #5. Here is the full updated list and what Laravel developers need to do differently.
NIST Just Rewrote the DNS Security Playbook After 12 Years. Here's What Changed.
NIST has published SP 800-81r3, the first major DNS security update since 2013. It reframes DNS as an active security enforcement layer. Here are the 6 key changes and what they mean for your infrastructure.
Critical Livewire RCE Vulnerability (CVE-2025-54068): What You Need to Know
A critical remote code execution vulnerability in Livewire v3 allows unauthenticated attackers to execute arbitrary code on your server. With 130,000+ applications affected, here's how to check if you're vulnerable and what to do about it.