Luminova Framework

PHP Luminova: HTTP Request Security Configuration

Last updated: 2025-12-29 01:57:34

HTTP Request Security configuration for Luminova applications. Manage trusted origins, hostnames, CORS, and API-specific security settings for safe and consistent request validation.

The HTTP Request Security configuration class defines properties for managing security settings in Luminova applications. It controls trusted origins, hostnames, and other security rules used by Luminova\Http\Request and Luminova\Http\Header to authenticate incoming requests.

Additionally, it includes essential settings for securing your API endpoints, such as allowed origins, headers, and credentials, ensuring consistent and safe API access.


  • Class namespace: \App\Config\Security
  • File path: /app/Config/Security.php
  • This class is marked as final and can't be subclassed

Properties

enforceApiSecurityOnHttp

Apply API-style security to all HTTP requests.

If set to true, all incoming HTTP requests (not just API requests) will be validated using the same security rules as API requests, including:

  • forbidEmptyOrigin
  • allowCredentials
  • allowOrigins
  • allowHeaders

public bool $enforceApiSecurityOnHttp = false;

This is useful when you want consistent security enforcement across web pages, AJAX calls, and API endpoints.


forbidEmptyOrigin

Whether to reject API requests with an empty Origin header.

This property controls whether to forbid requests with an empty Origin header. If true, requests without an Origin header are denied.

public bool $forbidEmptyOrigin = true;

allowCredentials

Whether to include credentials in API responses.

This property controls whether to allow the credentials header in API requests. If true, the Access-Control-Allow-Credentials header is sent.

public bool $allowCredentials = true;

allowOrigins

Allowed origins for incoming API requests.

This property controls which origins should be allowed to access API endpoints.

  • Use '*' to allow any origin.
  • Use the string 'null' to also allow all origins explicitly.
  • Provide an array to restrict to specific origins.

public string|array<int,string> $allowOrigins = '*';

Example:

public string|array $allowOrigins = [
    'https://example.com',
    'https://luminova.ng',
    '127.0.0.1'
];

allowHeaders

Allowed request headers for API requests.

This property controls which request headers are allowed when accessing API endpoints.

public array<int,string> $allowHeaders = [];

An empty array allows all headers by default.

Example:

public array $allowHeaders = [
    'Content-Type',
    'Authorization',
    'X-Requested-With',
    'Host',
    'Accept',
    'User-Agent'
];

Note: When you define a custom list of allowed headers, a request sent with non-matching headers will fail.


trustedOrigins

Set the list of trusted origin domains or patterns.

public array<int,string> $trustedOrigins = [];

This list is used by the Request class to authenticate the origin of incoming requests.

If none is specified, no additional check is done when you call request()->getOrigin() or request()->isTrustedOrigin().


trustedHostname

Set the list of trusted hostnames or patterns.

public array<int,string> $trustedHostname = [];

This list is used by the Request class to authenticate your hostname.

If none is specified, no additional check is done when you call request()->getHostname().
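The following check is an added example, not code from Luminova or from this page: it reviews the property values documented above and reports the combinations that leave validation open, first for the documented defaults and then for a tightened set. The helper name auditSecurityConfig(), the array layout (keys mirror the property names) and the hardened host values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. auditSecurityConfig() is a hypothetical helper, not a Luminova API.
// It takes App\Config\Security property values as an array and returns findings.
function auditSecurityConfig(array $c): array
{
    $findings = [];
    $origins = $c['allowOrigins'];
    // Per this page, the strings '*' and 'null' both allow every origin.
    $anyOrigin = is_string($origins) && in_array($origins, ['*', 'null'], true);
    if ($anyOrigin && $c['allowCredentials']) {
        // Browsers refuse a literal '*' on credentialed requests, and echoing the
        // caller's Origin instead would expose authenticated responses to any site.
        $findings[] = 'allowOrigins allows any origin while allowCredentials is true';
    }
    if (!$c['forbidEmptyOrigin']) {
        $findings[] = 'forbidEmptyOrigin is false: requests without an Origin header are not denied';
    }
    if ($c['allowHeaders'] === []) {
        $findings[] = 'allowHeaders is empty: every request header is allowed';
    }
    $lists = ['trustedOrigins' => 'getOrigin()/isTrustedOrigin()', 'trustedHostname' => 'getHostname()'];
    foreach ($lists as $key => $methods) {
        if ($c[$key] === []) {
            $findings[] = "$key is empty: $methods performs no additional check";
        }
    }
    return $findings;
}

// Default values exactly as documented on this page.
$defaults = [
    'forbidEmptyOrigin' => true, 'allowCredentials' => true, 'allowOrigins' => '*',
    'allowHeaders' => [], 'trustedOrigins' => [], 'trustedHostname' => [],
];

// Constructed hardened values; the host names are placeholders.
$hardened = [
    'forbidEmptyOrigin' => true, 'allowCredentials' => true,
    'allowOrigins' => ['https://example.com'], 'allowHeaders' => ['Content-Type', 'Authorization'],
    'trustedOrigins' => ['https://example.com'], 'trustedHostname' => ['example.com'],
];

foreach (['defaults' => $defaults, 'hardened' => $hardened] as $name => $config) {
    $findings = auditSecurityConfig($config);
    echo $name, ': ', count($findings), " finding(s)\n";
    foreach ($findings as $f) { echo "  - $f\n"; }
}
```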