assayer-pro / yii2-cspreport
Yii2 Module for Content Security Policy Report
Installs: 4 365
Dependents: 0
Suggesters: 0
Security: 0
Stars: 2
Watchers: 2
Forks: 0
Open Issues: 0
Type:yii2-extension
Requires
- yiisoft/yii2: >=2.0.6
This package is auto-updated.
Last update: 2024-11-14 05:32:58 UTC
README
yii2 Module for Content Security Policy Report
Installation
The preferred way to install this extension is through composer.
- Either run
php composer.phar require --prefer-dist "assayer-pro/yii2-cspreport" "*"
or add
"assayer-pro/yii2-cspreport" : "*"
to the require section of your application's composer.json file.
Usage
- Add a new module in modules section of your application's configuration file, for example:
'modules' => [ 'csp-report' => [ 'class' => 'assayerpro\cspreport\Module', 'message' => [ 'from' => 'admin@example.com', 'to' => 'developer@example.com', 'subject' => 'Content Security Policy Report', ], ], ],
- Add a new rule for
urlManagerof your application's configuration file, for example:
'components' => [ ... 'urlManager' => [ 'rules' => [ 'csp-report' => 'csp-report/report/index', ], ], ... ],
- Add application/csp-report parser:
'components' => [ ... 'request' => [ 'parsers' => [ 'application/csp-report' => 'yii\web\JsonParser', ], ], ... ],
- Apache Content-Security-Policy Header
Add the following to your httpd.conf in your VirtualHost or in an .htaccess file:
Header set Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report;"
- Nginx Content-Security-Policy Header
In your server {} block add:
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
You can also append always to the end to ensure that nginx sends the header reguardless of response code.