# Is forcing the Referer request header on the app safe?

19 messages · Page 1 of 1 (latest)

waxen echo
#
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ForceRefererHeader
{
    /**
     * Handle an incoming request.
     *
     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
     */
    public function handle(Request $request, Closure $next): Response
    {

        if ($request->is('api/*')) {
            if (!$request->headers->has('Origin') && !$request->headers->has('Referer')) {
                $request->headers->set('Referer', config('app.url'));
            }
        }

        return $next($request);
    }
}

app/Http/Kernel.php

'api' => [
    \App\Http\Middleware\ForceRefererHeader::class,
    \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
    \Illuminate\Routing\Middleware\ThrottleRequests::class.':api',
    \Illuminate\Routing\Middleware\SubstituteBindings::class,
],
lunar dust
#

What do you need the Referer header for? Usually API calls are made from a server that doesn't add that header.

Also, I wouldn't do the route check in the middleware. Instead you can just add it to the routes that need it.

waxen echo
#

@lunar dust it's from vendor; when logging, $domain returns null. I need to force-set the referer.

plain oar
#

Why do you need to set this header? You're changing the request to something it isn't.

waxen echo
#

The request is from my Vue component (resources/js/vue).
If I send a GET request it returns unauthenticated since the referer is null.
POST works, no problem.

#

My main issue here is: if the request (from another server) doesn't have a referer, will there be any issue since I'm setting it to my domain?

plain oar
#

Let's step back, as you're basically describing an XY problem. Sure, the header is missing, and enforcing it would "solve" it not working, but that doesn't solve the underlying issue. Overwriting the header isn't a good idea, as it may lead to security issues.

waxen echo
#

I have this

// Referrer Policy
$response->headers->set('Referrer-Policy', 'no-referrer');
plain oar
#

That's where your issue comes from.

waxen echo
#

Hmmm, is this the main reason why I'm not getting the referer?

plain oar
#

You're telling the browser not to send a referrer header.

waxen echo
#

This is from our Vulnerability Assessment and Penetration Testing (VAPT).

Can I omit this?

#
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

// Class name assumed; the post only shows the body of handle().
class SecurityHeaders
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Content Security Policy
        $cspValue = "frame-ancestors 'self' ".env('APP_URL');
        $response->headers->set('Content-Security-Policy', $cspValue);

        // X-Frame-Options
        $response->headers->set('X-Frame-Options', 'DENY');

        // X-XSS-Protection
        $response->headers->set('X-XSS-Protection', '1; mode=block');

        // X-Content-Type-Options
        $response->headers->set('X-Content-Type-Options', 'nosniff');

        // Referrer Policy
        $response->headers->set('Referrer-Policy', 'no-referrer');

        // HTTP Strict Transport Security
        $response->headers->set('Strict-Transport-Security', 'max-age=15552000; includeSubDomains');

        // Set Permissions-Policy header with necessary permissions only
        // src: https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
        $permissionPolicy = 'fullscreen=(self), geolocation=(self), microphone=(), camera=(),display-capture=(), document-domain=();';
        $response->headers->set('Permissions-Policy', $permissionPolicy);

        return $response;
    }
}

Can you help validate this? This is my current template.
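As an added check on the template above (example code written for this thread, not code from the poster, from Laravel or from any scanner), the following PHP lint takes the headers as a name/value map and flags the settings a reviewer would raise: the no-referrer policy that removes the Referer from same-origin requests, the X-Frame-Options DENY that disagrees with frame-ancestors 'self', the 180-day HSTS max-age, the obsolete X-XSS-Protection value, and the stray trailing semicolon in Permissions-Policy. The host in the CSP value is a placeholder standing in for APP_URL, and the script assumes PHP 8 for str_ends_with.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: a small lint over a response
// header template. Input is a name => value map as the middleware would set
// it; output is a list of findings (empty when nothing is flagged).

function checkSecurityHeaders(array $headers, bool $appNeedsReferer = true): array
{
    // Header names are case-insensitive; normalise for lookup.
    $h = [];
    foreach ($headers as $name => $value) {
        $h[strtolower($name)] = trim((string) $value);
    }
    $findings = [];

    // Referrer-Policy: no-referrer also removes Referer from same-origin
    // requests, which is what breaks an app that reads the header itself.
    $rp = $h['referrer-policy'] ?? null;
    if ($rp === null) {
        $findings[] = 'Referrer-Policy missing (browser default is strict-origin-when-cross-origin)';
    } elseif ($appNeedsReferer && $rp === 'no-referrer') {
        $findings[] = 'Referrer-Policy no-referrer drops Referer on same-origin requests; same-origin keeps the full path on-site and sends nothing cross-origin';
    } elseif (in_array($rp, ['unsafe-url', 'no-referrer-when-downgrade'], true)) {
        $findings[] = "Referrer-Policy $rp sends full URLs to other origins";
    }

    // CSP frame-ancestors takes precedence over X-Frame-Options in browsers
    // that support it, so 'self' next to DENY is an inconsistent pair.
    $csp = $h['content-security-policy'] ?? '';
    $xfo = strtoupper($h['x-frame-options'] ?? '');
    if ($csp === '') {
        $findings[] = 'Content-Security-Policy missing';
    } else {
        if (preg_match("/frame-ancestors[^;]*'self'/", $csp) && $xfo === 'DENY') {
            $findings[] = "X-Frame-Options DENY contradicts frame-ancestors 'self'; use SAMEORIGIN or drop 'self'";
        }
        if (!preg_match('/(^|;)\s*(default-src|script-src)\s/', $csp)) {
            $findings[] = 'CSP has no default-src/script-src, so it only controls framing';
        }
    }

    // HSTS: the preload list requires a max-age of at least one year.
    $hsts = $h['strict-transport-security'] ?? '';
    if ($hsts === '') {
        $findings[] = 'Strict-Transport-Security missing';
    } elseif (preg_match('/max-age=(\d+)/i', $hsts, $m) && (int) $m[1] < 31536000) {
        $findings[] = 'Strict-Transport-Security max-age below one year (31536000)';
    }

    // X-XSS-Protection: the auditor it controlled has been removed from
    // current browsers; the only value still recommended is 0.
    if (isset($h['x-xss-protection']) && $h['x-xss-protection'] !== '0') {
        $findings[] = 'X-XSS-Protection is obsolete; set it to 0 or remove it and rely on CSP';
    }

    // Permissions-Policy directives are comma-separated; a trailing ';' is stray.
    if (isset($h['permissions-policy']) && str_ends_with($h['permissions-policy'], ';')) {
        $findings[] = "Permissions-Policy ends with ';' (directives are comma-separated)";
    }

    return $findings;
}

// Constructed sample: the thread's template as a plain array, with a
// placeholder host where env('APP_URL') would be interpolated.
$template = [
    'Content-Security-Policy'   => "frame-ancestors 'self' https://app.example.test",
    'X-Frame-Options'           => 'DENY',
    'X-XSS-Protection'          => '1; mode=block',
    'X-Content-Type-Options'    => 'nosniff',
    'Referrer-Policy'           => 'no-referrer',
    'Strict-Transport-Security' => 'max-age=15552000; includeSubDomains',
    'Permissions-Policy'        => 'fullscreen=(self), geolocation=(self), microphone=(), camera=(),display-capture=(), document-domain=();',
];

echo "Template as posted:\n";
foreach (checkSecurityHeaders($template) as $finding) {
    echo "- $finding\n";
}

// The same template with the settings discussed in the thread adjusted.
$fixed = $template;
$fixed['Referrer-Policy']    = 'same-origin';
$fixed['X-Frame-Options']    = 'SAMEORIGIN';
$fixed['X-XSS-Protection']   = '0';
$fixed['Permissions-Policy'] = rtrim($template['Permissions-Policy'], ';');

echo "\nAfter adjustment:\n";
foreach (checkSecurityHeaders($fixed) as $finding) {
    echo "- $finding\n";
}
```

Run it with `php lint.php`; the second pass shows which findings survive the changes the thread discusses, so the remaining items (CSP scope, HSTS lifetime) can be decided on separately.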

plain oar
#

Well, your app needs a referrer header. For example, this is used for things like redirecting back; the referrer would tell Laravel where the user came from. So instead of not sending a referrer at all, you can use a value like origin-when-cross-origin or strict-origin-when-cross-origin, which would only send the referrer on pages you own (the same origin). Thus your app still receives the origin header, but any external navigation wouldn't.

#

In short, your app needs not only the domain, but also the full path.

#

Or perhaps same-origin would be the best one for you, because that wouldn't send the origin to a cross-origin domain. The ones I mentioned earlier do send the domain to a cross-origin domain.
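The policies compared in the last three messages differ only in what the browser puts in the Referer for same-origin requests, cross-origin requests and https-to-http downgrades. The PHP script below is an added example for this thread (not the poster's code and not part of Laravel) that computes the Referer a browser would send under each policy, following the Referrer Policy specification; the page, API and partner URLs are constructed placeholders. Running it also shows why the ForceRefererHeader middleware from the first post is not a substitute: that middleware writes the same config('app.url') value for every caller that arrives without a Referer or Origin, so after it runs the header no longer says anything about where a request actually came from, whereas a browser-side policy such as same-origin keeps the full path for the app's own Vue calls and sends nothing to other origins.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: simulate the Referer value a browser
// sends from a document at $from to a request for $to under a Referrer-Policy.
// Policies covered: no-referrer, same-origin, origin, strict-origin,
// origin-when-cross-origin, strict-origin-when-cross-origin,
// no-referrer-when-downgrade.

function originOf(string $url): string
{
    $p = parse_url($url);
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    return strtolower($p['scheme'] . '://' . $p['host']) . $port;
}

// "Origin only" form: scheme://host[:port]/ with no path or query.
function originReferrer(string $url): string
{
    return originOf($url) . '/';
}

// Full form: browsers strip userinfo and the fragment before sending.
function fullReferrer(string $url): string
{
    $p = parse_url($url);
    $ref = originOf($url) . ($p['path'] ?? '/');
    if (isset($p['query'])) {
        $ref .= '?' . $p['query'];
    }
    return $ref;
}

// A downgrade is a request from an https document to an http destination.
function isDowngrade(string $from, string $to): bool
{
    $fromScheme = strtolower((string) parse_url($from, PHP_URL_SCHEME));
    $toScheme   = strtolower((string) parse_url($to, PHP_URL_SCHEME));
    return $fromScheme === 'https' && $toScheme === 'http';
}

function refererFor(string $policy, string $from, string $to): ?string
{
    $sameOrigin = originOf($from) === originOf($to);
    $downgrade  = isDowngrade($from, $to);

    switch ($policy) {
        case 'no-referrer':
            return null;
        case 'same-origin':
            return $sameOrigin ? fullReferrer($from) : null;
        case 'origin':
            return originReferrer($from);
        case 'strict-origin':
            return $downgrade ? null : originReferrer($from);
        case 'origin-when-cross-origin':
            return $sameOrigin ? fullReferrer($from) : originReferrer($from);
        case 'strict-origin-when-cross-origin':
            if ($sameOrigin) {
                return fullReferrer($from);
            }
            return $downgrade ? null : originReferrer($from);
        case 'no-referrer-when-downgrade':
            return $downgrade ? null : fullReferrer($from);
        default:
            throw new InvalidArgumentException("unknown policy: $policy");
    }
}

// Constructed sample: a Vue page on the app calling its own API, navigating
// to an external partner, and hitting a plain-http legacy host. Hostnames
// are placeholders.
$page = 'https://app.example.test/dashboard?tab=orders';
$destinations = [
    'https://app.example.test/api/orders',
    'https://partner.example.test/callback',
    'http://legacy.example.test/track',
];
$policies = [
    'no-referrer',
    'same-origin',
    'strict-origin-when-cross-origin',
    'origin-when-cross-origin',
];

foreach ($policies as $policy) {
    foreach ($destinations as $dest) {
        printf("%-32s -> %-40s Referer: %s\n",
            $policy, $dest, refererFor($policy, $page, $dest) ?? '(not sent)');
    }
}
```

The table it prints makes the trade-off concrete: same-origin is the only listed policy that gives the app's own API calls the full path while sending nothing at all to the partner or legacy hosts, which is the behaviour the thread settles on as the likely best fit.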

waxen echo
#

I'll try strict-origin-when-cross-origin first, then the others.