Looking to hire Laravel developers? Try LaraJobs

laravel-feature-policy maintained by codebar-ag

Description
Permissions-Policy (Feature-Policy) header builder and middleware for Laravel
Author
Sebastian Bürgin-Fix
Last update
2026/04/04 00:01 (dev-main)
License
MIT
Links
Homepage - GitHub - Packagist
Downloads
10 731
Tags
security - headers - laravel - feature-policy - permissions-policy

dev-main

Last update
2026/04/04 00:01
License
MIT
Require
  • php 8.3.*|8.4.*|8.5.*
  • illuminate/contracts ^13.0
  • illuminate/http ^13.0
  • illuminate/support ^13.0
v13.0.0

Last update
2026/04/04 00:01
License
MIT
Require
  • php 8.3.*|8.4.*|8.5.*
  • illuminate/contracts ^13.0
  • illuminate/http ^13.0
  • illuminate/support ^13.0
1.0.0

Last update
2026/04/03 23:52
License
MIT
Require
  • php ^8.5
  • illuminate/contracts ^13.0
  • illuminate/http ^13.0
  • illuminate/support ^13.0
Comments
comments powered by Disqus

Latest Version on Packagist Total Downloads GitHub Tests GitHub Code Style PHPStan Dependency Review Coverage

Build and apply Permissions-Policy (formerly Feature-Policy) headers in Laravel applications.

Requirements

  • PHP 8.3, 8.4, or 8.5
  • Laravel 13

Installation

composer require codebar-ag/laravel-feature-policy

Publish configuration (optional):

php artisan vendor:publish --tag=laravel-feature-policy-config

Configuration

The published config file is config/feature-policy.php. You can also rely on environment variables:

Env Config key Default Purpose
FPH_ENABLED enabled true Master switch; when false, middleware does not apply policy headers.
policy null Fully qualified class name of your policy (must extend CodebarAg\LaravelFeaturePolicy\Policies\Policy).
FPH_PROPOSAL_ENABLED directives.proposal false Enable proposed directive group.
FPH_EXPERIMENTAL_ENABLED directives.experimental false Enable experimental directive handling.
FPH_REPORTING_ENABLED reporting.enabled false Add Reporting-Endpoints and related reporting metadata.
FPH_REPORT_ONLY reporting.report_only false When reporting is on, also emit Permissions-Policy-Report-Only.
FPH_REPORTING_URL reporting.url (see config) Endpoint URL for violation reports.

Implement a policy class with a configure() method that calls addDirective() (see package tests and Policies\Policy).

Middleware

Register the middleware on your web stack (or another group), for example in bootstrap/app.php:

use CodebarAg\LaravelFeaturePolicy\AddFeaturePolicyHeaders;

$middleware->web(append: [
    AddFeaturePolicyHeaders::class,
]);

You may pass a specific policy class as a middleware parameter:

Route::get('/admin', AdminController::class)
    ->middleware(AddFeaturePolicyHeaders::class.':'.AdminPermissionsPolicy::class);

Quality checks

Run Laravel Pint in test mode:

composer lint

Run static analysis (PHPStan + Larastan):

composer analyse

Run the test suite:

composer test

Run tests with code coverage and a 100% minimum (requires the PCOV or Xdebug PHP extension):

composer test-coverage

Run lint, analysis, and tests together:

composer quality

Credits

This package was initially inspired by mazedlx/laravel-feature-policy (MIT). The implementation has since been significantly adapted for Laravel 13 and is maintained independently by codebar-ag.

License

MIT