I have a Laravel 5 project that is using the bepsvpt/secure-headers package with the following config file:
config/secure-headers.php
<?php
return [
    'x-content-type-options' => 'nosniff',
    'x-download-options' => 'noopen',
    'x-frame-options' => 'sameorigin',
    'x-permitted-cross-domain-policies' => 'none',
    'x-xss-protection' => '1; mode=block',
    /*
     * Referrer-Policy
     *
     * Reference: https://w3c.github.io/webappsec-referrer-policy
     *
     * Available Value: 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
     * 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url'
     */
    'referrer-policy' => 'strict-origin-when-cross-origin',
    'hsts' => [
        'enable' => env('SECURITY_HEADER_HSTS_ENABLE', false),
        'max-age' => 15552000,
        'include-sub-domains' => false,
    ],
    /*
     * Content Security Policy
     *
     * Reference: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
     *
     * csp will be ignored if custom-csp is not null.
     *
     * Note: custom-csp does not support report-only.
     */
    'custom-csp' => env('SECURITY_HEADER_CUSTOM_CSP', null),
    'csp' => [
        'report-only' => false,
        'report-uri' => env('CONTENT_SECURITY_POLICY_REPORT_URI', false),,
        'upgrade-insecure-requests' => false,
        'base-uri' => [
            //
        ],
        'default-src' => [
            //
        ],
        'child-src' => [
            //
        ],
        'script-src' => [
            'allow' => [
                //
            ],
            'hashes' => [
                // ['sha256' => 'hash-value'],
            ],
            'nonces' => [
                //
            ],
            'self' => false,
            'unsafe-inline' => false,
            'unsafe-eval' => false,
        ],
        'style-src' => [
            'allow' => [
                //
            ],
            'self' => false,
            'unsafe-inline' => false,
        ],
        'img-src' => [
            'allow' => [
                //
            ],
            'types' => [
                //
            ],
            'self' => false,
            'data' => false,
        ],
        /*
         * The following directives are all use 'allow' and 'self' flag.
         *
         * Note: default value of 'self' flag is false.
         */
        'font-src' => [
            //
        ],
        'connect-src' => [
            //
        ],
        'form-action' => [
            //
        ],
        'frame-ancestors' => [
            //
        ],
        'media-src' => [
            //
        ],
        'object-src' => [
            //
        ],
        /*
         * plugin-types only support 'allow'.
         */
        'plugin-types' => [
            //
        ],
    ],
];
When I try to run the application (web request or php artisan), I get the following error:
PHP Fatal error: Cannot use empty array elements in arrays in C:\Web\myapp\config\secure-headers.php on line 4
Of course, line 4 of the file looks totally fine!
What is the issue here?